In sudo_pam_begin_session() and sudo_pam_end_session() return

AUTH_FATAL on error, not AUTH_FAILURE.  In sudo_auth_begin_session()
treat anything other than AUTH_SUCCESS as a fatal error.
Todd C. Miller
2015-08-10 20:17:02 -06:00
parent 13869d349c
commit 2b6085760c
2 changed files with 5 additions and 5 deletions


@@ -279,7 +279,7 @@ sudo_pam_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth)
"pam_end: %s", errstr ? errstr : "unknown error");
}
pamh = NULL;
status = AUTH_FAILURE;
status = AUTH_FATAL;
goto done;
}
}
@@ -295,7 +295,7 @@ sudo_pam_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth)
if (pam_envp != NULL) {
/* Merge pam env with user env. */
if (!env_init(*user_envp) || !env_merge(pam_envp))
status = AUTH_FAILURE;
status = AUTH_FATAL;
*user_envp = env_get();
(void)env_init(NULL);
free(pam_envp);
@@ -348,7 +348,7 @@ sudo_pam_end_session(struct passwd *pw, sudo_auth *auth)
const char *errstr = pam_strerror(pamh, rc);
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"pam_end: %s", errstr ? errstr : "unknown error");
status = AUTH_FAILURE;
status = AUTH_FATAL;
}
pamh = NULL;
}
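Review bot: The environment-merge failure in the second hunk sets `status = AUTH_FATAL` without logging anything, unlike the two pam_end paths in this file, which call sudo_debug_printf before setting the status. The caller now aborts session setup on this status and assumes a message was already printed, so a failure here may surface as sudo exiting with no explanation unless env_init()/env_merge() report it themselves, which is not visible in the hunk. Consider bracing the branch and adding `sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, "unable to merge PAM environment");` before the assignment. Note also that `*user_envp = env_get();` still runs after a failed merge, so callers must not use the returned environment when the status is not AUTH_SUCCESS. The function body starts and ends outside the hunk.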


@@ -342,11 +342,11 @@ sudo_auth_begin_session(struct passwd *pw, char **user_env[])
for (auth = auth_switch; auth->name; auth++) {
if (auth->begin_session && !IS_DISABLED(auth)) {
status = (auth->begin_session)(pw, user_env, auth);
if (status == AUTH_FATAL)
if (status != AUTH_SUCCESS)
break; /* assume error msg already printed */
}
}
debug_return_int(status == AUTH_FATAL ? -1 : 1);
debug_return_int(status == AUTH_SUCCESS ? 1 : -1);
}
bool
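Review bot: The return value now depends on `status` still being AUTH_SUCCESS when no enabled method provides begin_session, and its initialization is outside the hunk; if it starts at any other value, every session start would return -1. Failing closed on unknown statuses is the right direction, but the comment `/* assume error msg already printed */` now also covers AUTH_FAILURE and any other non-success value, where a backend may not have printed anything. I would reword it to `/* any non-success status is fatal; backend is expected to have logged it */` and add a header comment stating that the function returns 1 on success and -1 on any other status.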