Attached is an alternate solution for this issue, following Colin's suggestion of a 'missingok' option.
I'm not altogether happy with this as a solution because up until now the module option list has been entirely pass-through by libpam, but the previous fix I proposed is also inadequate because all logging that uses the 'auth' facility, including debug logging, is written to /var/log/auth.log by default, so lowering the log severity of these messages is insufficient to reduce the log spam; and dropping all such log messages for all 'optional' modules would be a significant hindrance to debugging.
So I think we should go ahead with this second patch under the circumstances, and solve this problem correctly for intrepid using module hooks.
Attached is an alternate solution for this issue, following Colin's suggestion of a 'missingok' option.
I'm not altogether happy with this as a solution because up until now the module option list has been entirely pass-through by libpam, but the previous fix I proposed is also inadequate because all logging that uses the 'auth' facility, including debug logging, is written to /var/log/auth.log by default, so lowering the log severity of these messages is insufficient to reduce the log spam; and dropping all such log messages for all 'optional' modules would be a significant hindrance to debugging.
So I think we should go ahead with this second patch under the circumstances, and solve this problem correctly for intrepid using module hooks.