The regex used in PAM controls does not support complex bracket syntax

[jrbeilke]

The regex used in the PAM controls works well with simple PAM syntax like so: password sufficient pam_unix.so sha512

But fails with the more complicated bracket syntax: password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512

Per http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html

For the more complicated syntax valid control values have the following form:

  [value1=action1 value2=action2 ...]

Where valueN corresponds to the return code from the function invoked in the module for which the line is defined. It is selected from one of these: success, open_err, symbol_err, service_err, system_err, buf_err, perm_denied, auth_err, cred_insufficient, authinfo_unavail, user_unknown, maxtries, new_authtok_reqd, acct_expired, session_err, cred_unavail, cred_expired, cred_err, no_module_data, conv_err, authtok_err, authtok_recover_err, authtok_lock_busy, authtok_disable_aging, try_again, ignore, abort, authtok_expired, module_unknown, bad_item, conv_again, incomplete, and default.