pam_gdm uses first cached password from systemd-cryptsetup, should probably use last
systemd-cryptsetup's password querying logic actually stores a NUL-separated list of passwords in the keyring, of which pam_gdm uses the first one, as I understand its code. It either should use all of them in turn (which I understand isn#t really comaptible with PAM's model though), or at least use the last listed instead of the first. That's because password caching happens at time of entry, not of first use. That means if the user types in an incorrect pw, it will be cached, and the corrected pw later on too. Hence, to increase the chance to acquire the most "correct" of the available passwords it would probably to use the last and ignore all others ones instead of using the first and ignoring the rest.
Longer story: