#%PAM-1.0 auth [success=3 ignore=1 user_unknown=1 default=bad] pam_unix.so try_first_pass nullok auth [default=1] pam_permit.so -auth [success=1 ignore=ignore default=bad] pam_systemd_home.so auth [default=die] pam_faillock.so authfail auth optional pam_permit.so auth required pam_faillock.so authsucc auth required pam_env.so account [success=ok new_authtok_reqd=ok ignore=1 user_unknown=1 default=bad] pam_unix.so account [default=1] pam_permit.so # if reached here due to user_unknown, this will return success. # but an actual unknown user is the fault of the application. # account expects the user to be already authenticated and it is impossible # that an user is already authenticated but is unknown to both account # modules. -account required pam_systemd_home.so account required pam_time.so password [success=ok ignore=1 user_unknown=1 default=bad] pam_unix.so try_first_pass nullok shadow password [default=1] pam_permit.so -password required pam_systemd_home.so session required pam_limits.so -session optional pam_systemd_home.so session required pam_unix.so