#%PAM-1.0
# Shared authentication stack: local accounts via pam_unix.so, with
# pam_systemd_home.so as a fallback, and failed-login lockout via pam_faillock.so.
# A leading "-" on a type means libpam does not log an error if that module
# is not installed.
# The [success=N ...] counts below are relative jumps, so adding, removing or
# reordering any line in a stack requires re-checking every count above it.

# --- auth ---
# On success, pam_unix.so skips the next 3 entries and lands on the
# pam_faillock.so authsucc line.
# NOTE(review): nullok lets an account with an empty password authenticate;
# confirm this is intended for every service that uses this stack.
# NOTE(review): no pam_faillock.so preauth entry appears in this stack; the
# pam_faillock documentation places one before the credential-checking
# modules. Confirm the lockout is enforced as intended.
auth [success=3 new_authtok_reqd=3 default=ignore] pam_unix.so try_first_pass nullok
# On success, pam_systemd_home.so skips the next 2 entries (same landing point).
-auth [success=2 new_authtok_reqd=2 default=ignore] pam_systemd_home.so
# Reached only when neither module above accepted the credentials.
# If no module has set a user name yet, pam_permit.so sets it to "nobody";
# [default=bad] then marks the stack as failed before it is terminated.
auth [default=bad] pam_permit.so
# Record the failed attempt and stop processing the stack.
auth [default=die] pam_faillock.so authfail
# Landing point for the success jumps above.
# If you drop this pam_faillock.so authsucc call, the lock will also be
# applied on non-consecutive authentication failures.
auth required pam_faillock.so authsucc
auth required pam_env.so

# --- account ---
# Either module succeeding jumps over pam_deny.so to pam_time.so;
# if neither succeeds, pam_deny.so fails the stack.
account [success=2 new_authtok_reqd=2 default=ignore] pam_unix.so
-account [success=1 new_authtok_reqd=1 default=ignore] pam_systemd_home.so
account required pam_deny.so
# Time-based access restrictions.
account required pam_time.so

# --- password ---
# Either module succeeding jumps over pam_deny.so, which is the last entry.
# NOTE(review): nullok here also permits changing an empty password; keep it
# consistent with the auth stack decision.
# NOTE(review): the success jumps land past the end of this stack, and a jump
# by itself may not record a success code. Some distributions end such a stack
# with a trailing pam_permit.so for that reason; confirm that password changes
# succeed with this layout.
password [success=2 new_authtok_reqd=2 default=ignore] pam_unix.so try_first_pass nullok shadow
-password [success=1 new_authtok_reqd=1 default=ignore] pam_systemd_home.so
password required pam_deny.so

# --- session ---
# Resource limits are applied first. pam_systemd_home.so is optional, so its
# failure does not fail the session.
session required pam_limits.so
-session optional pam_systemd_home.so
session required pam_unix.so
session optional pam_permit.so