# /etc/pam.d/system-local-login
#%PAM-1.0

# Skip the next module (the password prompt below) when the service is
# sudo, su or su-l and the TTY is empty or 'unknown'. pam_succeed_if
# succeeds only if all listed conditions are met.
# For a standard local login the test fails, the result is ignored
# (default=ignore) and processing continues with the next line.
auth      [success=1 default=ignore]  pam_succeed_if.so service in sudo:su:su-l tty in :unknown

# 1. PASSWORD FIRST: Try password authentication as the primary method.
#    - sufficient: If the correct password is provided, authentication succeeds
#      immediately and fingerprint is skipped entirely.
#    - If the password is incorrect OR the user just presses Enter (empty input),
#      this module fails and PAM continues to fingerprint.
#    - try_first_pass: Uses any pre-existing password input.
#    - nullok: Allows accounts with empty passwords (if configured).
#    - Note: because this line precedes system-login, a success here returns
#      before any module in system-login runs, including the faillock
#      handling mentioned in step 3.
auth      sufficient  pam_unix.so try_first_pass nullok

# 2. FINGERPRINT FALLBACK: If the password failed or was empty, try fingerprint.
#    - sufficient: If fingerprint succeeds, authentication passes.
#    - If fingerprint fails or times out, this module fails and PAM continues.
auth      sufficient  pam_fprintd.so

# 3. FINAL FALLBACK: If both password and fingerprint failed, include system-login
#    as a required step. This ensures proper faillock handling and forces
#    password authentication if no other method succeeded.
auth      include     system-login

# Standard includes for account management, password changes, and session setup
account   include     system-login
password  include     system-login
session   include     system-login