[PR #12137/5d62edc6 backport][stable-13] pamd: handle non-PAM lines in authselect profile files (#12145)

pamd: handle non-PAM lines in authselect profile files (#12137)

* fix(pamd): handle non-PAM lines in authselect profile files



* test(pamd): add test for authselect directive lines



* feat(changelog): add fragment for PR 12137



---------


(cherry picked from commit 5d62edc673)

Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/unit/plugins/modules/test_pamd.py

@@ -142,6 +142,13 @@ session    required pam_unix.so"""
 auth       sufficient pam_unix.so nullok try_first_pass
 auth       requisite pam_succeed_if.so uid
 auth       required pam_deny.so
+"""
+
+        self.authselect_system_auth_string = """{imply "with-smartcard" if "with-smartcard-required"}
+auth        required                                     pam_env.so
+auth        required                                     pam_faildelay.so delay=2000000
+password    sufficient                                   pam_unix.so yescrypt shadow use_authtok
+password    required                                     pam_deny.so
 """
 
         self.pamd = PamdService(self.system_auth_string)
@@ -158,6 +165,11 @@ auth       required pam_deny.so
     def test_doesnt_have_rule(self):
         self.assertFalse(self.pamd.has_rule("account", "requisite", "pam_permit.so"))
 
+    def test_authselect_directive_line_does_not_crash(self):
+        pamd = PamdService(self.authselect_system_auth_string)
+        self.assertTrue(pamd.has_rule("password", "sufficient", "pam_unix.so"))
+        self.assertIn('{imply "with-smartcard" if "with-smartcard-required"}', str(pamd))
+
     # Test Update
     def test_update_rule_type(self):
         self.assertTrue(self.pamd.update_rule("session", "optional", "pam_keyinit.so", new_type="account"))