It appears that there are some cases where PAM configs for pam_cap.so might benefit from successful (pass-through) authentication, with the only useful action performed as part of the setcred function. An example of this was discussed in this Q&A:

https://unix.stackexchange.com/questions/650400/granting-capabilities-to-a-user-through-pam-doesnt-apply-to-ssh

It is not clear to me why we can't support this. As such, I plan to add an "autoauth" module arg feature which will cause the module to return PAM_SUCCESS when it is executed as pam_sm_authenticate(). The pam_sm_setcred() invocation will ignore this argument, and apply the inheritable capabilities associated with the user.

Fixed with: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=071efa09e906a3d6928b49778b1a28ad7c0db5be