Setting try_first_pass on pam_unix.so does nothing

[jonesmz]

Used here:

pambase/templates/system-auth.tpl

Line 24 in f6e52e5

auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass

pambase/templates/system-auth.tpl

Line 74 in f6e52e5

password {{ 'sufficient' if sssd else 'required' }} pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}

See answer here:
https://unix.stackexchange.com/questions/687772/whats-the-difference-between-use-authtok-and-try-first-pass-or-use-first-pass-i

Copied below:

Here's what I've been able to figure out thanks to Andrew's comment, Tomáš Mráz's explanation, and an examination of the source code:

Despite what the documentation implies, try_first_pass does absolutely nothing when applied to pam_unix.so.

use_authtok does exactly the same thing as use_first_pass when applied to pam_unix.so: It uses the previously entered password if there was a previously entered password AND that password meets the previous modules' password quality requirements. Otherwise, it strictly fails.

If neither use_first_pass nor use_authtok is applied to pam_unix.so, behavior depends on whether a password was previously entered. If there was not a previously entered password, pam_unix.so graciously prompts for one. If there was, pam_unix.so behaves as if use_first_pass or use_authtok was set.

This is all for pam_unix.so. Beware that try_first_pass, use_first_pass, and use_authtok work differently in other PAM modules.

[jonesmz]

This appears to still be relevant in the latest version of the system-auth template.