#%PAM-1.0

auth       [success=3 ignore=1 user_unknown=1 default=bad]  pam_unix.so          try_first_pass nullok
auth       [default=1]                 pam_permit.so
-auth      [success=1 ignore=ignore default=bad]  pam_systemd_home.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_faillock.so      authsucc
auth       required                    pam_env.so

account    [success=ok new_authtok_reqd=ok ignore=1 user_unknown=1 default=bad]  pam_unix.so
account    [default=1]                 pam_permit.so
# if reached here due to user_unknown, this will return success.
# but an actual unknown user is the fault of the application.
# account expects the user to be already authenticated and it is impossible
# that an user is already authenticated but is unknown to both account
# modules.
-account   required                    pam_systemd_home.so
account    required                    pam_time.so

password   [success=ok ignore=1 user_unknown=1 default=bad]  pam_unix.so          try_first_pass nullok shadow
password   [default=1]                 pam_permit.so
-password  required                    pam_systemd_home.so

session    required                    pam_limits.so
-session   optional                    pam_systemd_home.so
session    required                    pam_unix.so