#%PAM-1.0
# PAM stack that tries pam_systemd_home first and falls back to pam_unix,
# with pam_faillock recording failed and successful authentications.
#
# Reading the bracketed controls: "value=N" with an integer N skips the next
# N modules of the same type; "ok", "bad", "die" and "ignore" are the standard
# PAM actions. Every jump count below depends on the exact line order, so
# inserting or removing a module line requires recounting the jumps.

# optionally call: auth requisite pam_faillock.so preauth
# to display the message about account being locked
# NOTE(review): per pam_faillock(8) the preauth call is optional when authsucc
# is used, as it is below - confirm lockout is enforced after any edit here.
# success skips the next three lines (landing on the optional pam_permit);
# ignore and user_unknown skip one line and fall through to pam_unix;
# any other result marks the stack as failed and continues to the next line.
auth [success=3 ignore=1 user_unknown=1 default=bad] pam_systemd_home.so
# Reached only when pam_systemd_home did not jump, i.e. it failed: skip
# pam_unix so the failure goes straight to the faillock authfail line.
auth [default=1] pam_permit.so
# nullok lets an account whose password field is empty authenticate;
# drop it if blank passwords must not be accepted.
# success skips the authfail line; any other non-ignored result is a failure.
auth [success=1 ignore=ignore default=bad] pam_unix.so try_first_pass nullok
# Records the failed attempt and ends the auth stack immediately.
auth [default=die] pam_faillock.so authfail
# success=N has the side effect of ignore, this fixes that with success=ok
auth optional pam_permit.so
auth required pam_faillock.so authsucc
auth required pam_env.so

# success can be due to user_unknown or actually succeeding. don't trust it
# success and ignore skip one line and run pam_unix; new_authtok_reqd and
# failures continue to the pam_permit line, which jumps over pam_unix.
account [success=1 new_authtok_reqd=ok ignore=1 default=bad] pam_systemd_home.so
account [default=1] pam_permit.so
# authinfo_unavail can be either due to a homed user, or a genuine authinfo_unavail
# ignore=1 skips the optional pam_permit below, so an ignore result from
# pam_unix is not converted into a success by that line.
account [success=ok new_authtok_reqd=ok authinfo_unavail=ignore ignore=1 default=bad] pam_unix.so
# turn authinfo_unavail=ignore to success=ok. user should be already
# authenticated, so we don't care if this success is incorrect
account optional pam_permit.so
account required pam_time.so

# ignore and user_unknown skip one line and hand the change to pam_unix;
# success and failures continue to pam_permit, which jumps over pam_unix.
password [success=ok ignore=1 user_unknown=1 default=bad] pam_systemd_home.so
password [default=1] pam_permit.so
# nullok here allows changing a password that is currently empty.
password required pam_unix.so try_first_pass nullok shadow

session required pam_limits.so
session required pam_unix.so
session optional pam_systemd_home.so
# note: no need to put '-' in front of pam_systemd_home.so. the module
# exists even when systemd-homed is disabled