# /etc/pam.d/system-auth -- PAM configuration for all services.
#
# This file is included from other service-specific PAM config files on
# Red Hat, and should define common default PAM actions for all services.
#
# Try local authentication first and then Kerberos.  Run pam_afs_session
# from both the auth and session groups.  program could also be set while
# building pam_afs_session or in /etc/krb5.conf (if built with Kerberos
# support).
#
# Copyright 2008
#     The Board of Trustees of the Leland Stanford Junior University
#
# Copying and distribution of this file, with or without modification, are
# permitted in any medium without royalty provided the copyright notice
# and this notice are preserved.  This file is offered as-is, without any
# warranty.

auth      required    /lib/security/$ISA/pam_env.so
auth      sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok
auth      [success=ok default=1] /lib/security/$ISA/pam_krb5.so 
auth      [default=done] /lib/security/$ISA/pam_afs_session.so program=/usr/bin/aklog
auth      required    /lib/security/$ISA/pam_deny.so

account   required    /lib/security/$ISA/pam_krb5.so 
account   required    /lib/security/$ISA/pam_unix.so

session   optional    /lib/security/$ISA/pam_krb5.so
session   required    /lib/security/$ISA/pam_afs_session.so program=/usr/bin/aklog
session   required    /lib/security/$ISA/pam_limits.so
session   required    /lib/security/$ISA/pam_unix.so

# No Kerberos or AFS bits here at all, although you could use pam_krb5 to
# do password changes through Kerberos.
password  required    /lib/security/$ISA/pam_cracklib.so retry=3 type=
password  sufficient  /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password  required    /lib/security/$ISA/pam_deny.so