#
# $FreeBSD$
#
# System-wide defaults
#

# auth
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
{% if system.disableintegratedauth|default('0') == '0' %}
auth		sufficient	pam_opnsense.so
{% endif %}
auth		required	pam_unix.so		no_warn try_first_pass nullok

# account
#account	required	pam_krb5.so
account		required	pam_login_access.so
{% if system.disableintegratedauth|default('0') == '0' %}
account		sufficient	pam_opnsense.so
{% endif %}
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so		want_agent
session		required	pam_lastlog.so		no_fail

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_unix.so		no_warn try_first_pass