#%PAM-1.0 # this MUST be first in the "auth" stack as it sets PAM_USER # user_unknown is definitive, so die instead of ignore to avoid subsequent modules mess up the error code -auth [success=done new_authtok_reqd=done user_unknown=die default=ignore] pam_cockpit_cert.so #auth required pam_sepermit.so auth substack system-auth auth include postlogin auth optional pam_ssh_add.so account required pam_nologin.so account include system-auth password include system-auth # pam_selinux.so close should be the first session rule #session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context #session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session optional pam_ssh_add.so session include system-auth session include postlogin