# /etc/pam.d/system-local-login
#%PAM-1.0
#
# Auth stack order: password (pam_unix) -> fingerprint (pam_fprintd) -> system-login.
# Both pam_unix and pam_fprintd are marked 'sufficient', so the first one that
# succeeds ends the auth stack right there; 'auth include system-login' further
# down is only reached when BOTH of them fail. Read the per-step notes with that
# in mind -- it decides which checks actually apply on a successful login.

# Skip the next module for specific services (sudo, su, su-l) or unknown TTYs.
# Both pam_succeed_if conditions must hold (they are ANDed): the service has to be
# one of sudo/su/su-l AND the tty has to be empty or the literal string "unknown"
# (pam_succeed_if's 'in' lists are colon-separated, so the leading ':' is the
# empty-tty case). When they match, success=1 jumps over the pam_unix line below
# and goes straight to the fingerprint step.
# For standard local login, this typically defaults to 'ignore' and proceeds.
# NOTE(review): this file is system-local-login, so it only ever sees those
# service names if /etc/pam.d/sudo, su or su-l are pointed at it -- verify that
# before relying on this line for anything.
auth [success=1 default=ignore] pam_succeed_if.so service in sudo:su:su-l tty in :unknown

# 1. PASSWORD FIRST: Try password authentication as the primary method.
# - sufficient: If correct password is provided, authentication succeeds immediately
#   and fingerprint is skipped entirely.
#   NOTE: so is everything in 'system-login' below. A correct password ends the
#   auth stack here, before the include runs, so whatever system-login's auth
#   section enforces (on a typical setup things like pam_faillock preauth lockout,
#   pam_nologin or pam_shells -- check the actual file) is NOT applied on this
#   success path. In particular, if the faillock preauth check lives only in
#   system-login, an account faillock has locked can still log in here with the
#   right password.
# - If password is incorrect OR user just presses Enter (empty input),
#   this module fails and PAM continues to fingerprint.
# - try_first_pass: Uses any pre-existing password input.
# - nullok: Allows accounts with empty passwords (if configured).
#   With nullok, pressing Enter for an account whose password field is empty is a
#   SUCCESS here, not a fall-through to fingerprint; the "Enter -> fingerprint"
#   behaviour above only holds for accounts that actually have a password.
#   Consider dropping nullok on the console login path unless a local account is
#   deliberately meant to have an empty password.
auth sufficient pam_unix.so try_first_pass nullok

# 2. FINGERPRINT FALLBACK: If password failed/was empty, try fingerprint.
# - sufficient: If fingerprint succeeds, authentication passes.
#   Same short-circuit as step 1: a matching fingerprint alone is a complete
#   login, and system-login's auth checks are not consulted.
# - If fingerprint fails or times out, this module fails and PAM continues.
auth sufficient pam_fprintd.so

# 3. FINAL FALLBACK: If both password and fingerprint failed, include system-login
# as a required step. This is where faillock (if system-login's auth stack
# contains it) sees and counts the failed attempt; it cannot block the success
# paths of steps 1 and 2, because it is never reached on them. It also forces
# password authentication if no other method succeeded -- though if
# system-login's own pam_unix line uses try_first_pass, the password that already
# failed in step 1 may simply be re-checked rather than prompted for again
# (verify against the real system-login).
auth include system-login

# Standard includes for account management, password changes, and session setup
# (these run whichever auth path succeeded above; 'sufficient' only short-circuits
# the auth stack, not the account/password/session stacks).
account include system-login
password include system-login
session include system-login