#%PAM-1.0

# auth stack. Order matters: each [success=N ...] control below skips a fixed
# number of following module lines, so inserting or removing a line between
# pam_systemd_home.so and pam_fscrypt.so means re-counting those jumps.

# Consult the failure tally before any credential is examined.
auth       requisite pam_faillock.so      preauth
# requisite (used above) ends the stack at once for a locked account, so no
# password prompt is shown. Use required instead if locked accounts should
# still be prompted.

# A leading "-" suppresses the log error when the module is not installed.
# On success, skip the next two lines (pam_unix and faillock authfail).
-auth      [success=2 default=ignore]  pam_systemd_home.so
# On success, skip faillock authfail; any other result marks the stack failed.
# NOTE(review): nullok lets accounts with an empty password field authenticate;
# confirm no such accounts exist, or drop nullok.
auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
# Reached only when the password check above did not succeed: record the
# failure in the tally and terminate the stack.
auth       [default=die]               pam_faillock.so      authfail
# Both success jumps land here. optional: a pam_fscrypt failure does not fail
# the login. try_first_pass reuses the password already entered.
auth       optional   pam_fscrypt.so try_first_pass
# Two-factor authentication for auth tasks such as sudo and unlocking most
# screensavers: install libpam-google-authenticator, run the command below as
# each target user, and uncomment the pam_google_authenticator.so line once
# all users have been set up. Users that have not been set up for two-factor
# authentication *will not be able to authenticate at all!*
#   google-authenticator --secret=/var/auth/`whoami`.google-authenticator
# NOTE(review): the secrets live outside the home directories; confirm that
# ownership and permissions on /var/auth and on each secret file keep one user
# from reading another's secret, and check whether the module needs its user=
# option to read them there.
# NOTE(review): at this position a wrong verification code would not pass
# through the faillock authfail line (it runs only after a failed password
# check), and the authsucc line below would still run; verify that code
# guessing is rate-limited by other means before relying on faillock for it.
#auth required pam_google_authenticator.so secret=/var/auth/${USER}.google-authenticator
auth       optional                    pam_permit.so
# Load environment variables for the session being authenticated.
auth       required                    pam_env.so
# Clear the failure tally after a successful authentication.
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

# account stack: decides whether an already-authenticated user may log in.
# On success, pam_systemd_home.so skips the pam_unix.so account check.
-account   [success=1 default=ignore]  pam_systemd_home.so
# Account and password expiry checks from the local account databases.
account    required                    pam_unix.so
account    optional                    pam_permit.so
# Time-of-day / service access rules; presumably read from the system's
# time.conf. With no rules configured this is expected to allow access.
account    required                    pam_time.so

# password stack: runs when a user changes their password.
# On success, pam_systemd_home.so skips pam_unix.so and continues at pam_fscrypt.so.
-password  [success=1 default=ignore]  pam_systemd_home.so
# NOTE(review): nullok permits changing a password that is currently empty.
# No hash algorithm option is given on this line, so the module's default
# applies; confirm the system default is a strong scheme.
password   required                    pam_unix.so          try_first_pass nullok shadow
# Keeps fscrypt login protectors in step with the new password; optional, so
# a failure here does not block the password change.
password optional pam_fscrypt.so try_first_pass
password   optional                    pam_permit.so

# session stack: set-up and tear-down around the user's session.
-session   optional                    pam_systemd_home.so
# Apply per-user resource limits before the session starts.
session    required                    pam_limits.so
# Logs session open and close.
session    required                    pam_unix.so
# fscrypt session handling for the user's encrypted directories; optional, so
# a failure does not prevent the session. No module options are set here.
session optional pam_fscrypt.so
session    optional                    pam_permit.so
