Only rarely should error information be directed to the user. Usually this should be limited to messages of the "sorry, you cannot log in now" type. Information concerning errors in the configuration file, /etc/pam.conf, or a system failure encountered by the module, should instead be written to syslog(3) with the facility LOG_AUTHPRIV.
With a few exceptions, the logging level is at the discretion of the module developer. The recommended usage of the different logging levels is as follows:

As a general rule, errors encountered by a module should be logged at the LOG_ERR level. One case is not left to discretion: an unrecognized argument passed to a module from an entry in the /etc/pam.conf file is required to be logged at the LOG_ERR level.

Debugging information, as activated by the debug argument to the module in /etc/pam.conf, should be logged at the LOG_DEBUG level.

If a module discovers that its own configuration file, or some system file it relies on for information, is corrupted or otherwise unusable, it should indicate this by logging at level LOG_ALERT.

Shortages of system resources, such as a failure to manipulate a file or a malloc() failure, should be logged at level LOG_CRIT.

Authentication failures associated with an incorrectly typed password should be logged at level LOG_NOTICE.
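The following is an added example, not code from Linux-PAM or from any real module, showing how a module might apply the level recommendations above. It uses plain syslog(3) with facility LOG_AUTHPRIV so that it builds without libpam; a real module would typically go through pam_syslog() instead. The module name pam_example, the option names, the private configuration file path and the event categories are all assumptions made for the illustration.

```c
/* Added example (not Linux-PAM code): routing module diagnostics to
 * syslog(3), facility LOG_AUTHPRIV, at the levels recommended in the guide. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define MOD_NAME "pam_example"   /* hypothetical module name */

/* Priority of the most recent message, kept so behaviour can be checked
 * without reading the system log. */
static int last_level = -1;

/* Every module message goes to LOG_AUTHPRIV; the caller chooses the level. */
static void mod_log(int level, const char *fmt, ...)
{
    char msg[256];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);

    last_level = level;
    syslog(LOG_AUTHPRIV | level, "%s: %s", MOD_NAME, msg);
}

int mod_last_level(void) { return last_level; }

struct mod_opts {
    int debug;           /* "debug" argument: enables LOG_DEBUG output */
    int use_first_pass;  /* assumed option, just to have a second known one */
};

/* Parse the argument list from the module's /etc/pam.conf entry.
 * An unknown argument is not fatal, but each one must be reported at LOG_ERR.
 * Returns the number of unrecognized arguments. */
int parse_module_args(int argc, const char **argv, struct mod_opts *o)
{
    int unknown = 0;

    memset(o, 0, sizeof *o);
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "debug") == 0) {
            o->debug = 1;
        } else if (strcmp(argv[i], "use_first_pass") == 0) {
            o->use_first_pass = 1;
        } else {
            mod_log(LOG_ERR, "unrecognized option: %s", argv[i]);
            unknown++;
        }
    }
    if (o->debug)   /* debug output only when the debug argument was given */
        mod_log(LOG_DEBUG, "options: debug=%d use_first_pass=%d",
                o->debug, o->use_first_pass);
    return unknown;
}

/* Conditions a module commonly meets, mapped to the recommended levels. */
enum mod_event {
    EV_CONFIG_UNUSABLE,    /* own config or a needed system file is corrupt/unreadable */
    EV_RESOURCE_SHORTAGE,  /* malloc() failed, file could not be manipulated */
    EV_AUTH_FAILED,        /* user typed the wrong password */
    EV_INTERNAL_ERROR      /* any other error encountered by the module */
};

int level_for_event(enum mod_event ev)
{
    switch (ev) {
    case EV_CONFIG_UNUSABLE:   return LOG_ALERT;
    case EV_RESOURCE_SHORTAGE: return LOG_CRIT;
    case EV_AUTH_FAILED:       return LOG_NOTICE;
    default:                   return LOG_ERR;
    }
}

void report_event(enum mod_event ev, const char *detail)
{
    mod_log(level_for_event(ev), "%s", detail);
}

/* Open the module's (hypothetical) private configuration file. If it is
 * unusable, log at LOG_ALERT and fail; the user should only ever see a
 * generic "cannot log in" message, never this detail. */
int load_private_config(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) {
        report_event(EV_CONFIG_UNUSABLE, "cannot open module configuration file");
        return -1;
    }
    fclose(f);
    return 0;
}

int main(void)
{
    /* Constructed argument list, as from: auth required pam_example.so debug bogus_opt */
    const char *argv[] = { "debug", "bogus_opt" };
    struct mod_opts opts;

    openlog(MOD_NAME, LOG_PID, LOG_AUTHPRIV);
    printf("unrecognized arguments: %d\n", parse_module_args(2, argv, &opts));
    if (load_private_config("/nonexistent/pam_example.conf") != 0)
        printf("config unusable, logged at LOG_ALERT\n");
    report_event(EV_AUTH_FAILED, "authentication failure: password mismatch");
    closelog();
    return 0;
}
```

Note that the LOG_NOTICE message records the fact of the failure and nothing else; the typed password itself is never placed in the log, and none of the syslog detail is echoed back to the user.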