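#%PAM-1.0 -*- mode: conf-space; tab-width: 10 -*-
# Ansible/Jinja template for a PAM "auth" stack.
# Template variables read here: uses_passkey_auth, sso_type, uses_passkey_2fa,
# uses_totp_2fa, totp_2fa_nullok, ansible_nodename.
#
# Bracketed controls use PAM's jump syntax: "success=N" skips the next N module
# lines when the module succeeds, "default=N" skips N lines on any other
# return, "ok" continues, "ignore" neither jumps nor affects the result, and
# "die" ends the stack with failure. Every jump count below depends on the
# exact number of "auth" lines that follow it inside the same section, so
# adding or removing a line requires re-counting the jumps in that section.
# Lines prefixed with "-" only suppress the system-log error when the module
# is not installed; they still count as one line for jump purposes.

# Lockout bookkeeping before any credential is tested: a user already locked
# out by earlier failures is rejected here.
auth requisite pam_faillock.so preauth

{% if uses_passkey_auth %}
# Passkey as the first factor, only for users matched by
# /etc/security/passkey-users.access.conf. For everyone else default=6 skips
# the remaining six lines of this section (to the matching endif).
auth [success=ignore default=6] pam_access.so accessfile=/etc/security/passkey-users.access.conf
# A caller running as root (real uid 0) skips the passkey prompt and this
# section's faillock bookkeeping: success=5 lands just after the endif.
auth [success=5 default=ignore] pam_rootok.so
# With the pam_u2f options used here the authenticator PIN is verified
# (pinverification=1) and no touch is required (userpresence=0). Success
# skips the "authfail" line; any other result falls into it.
auth [success=1 default=ignore] pam_u2f.so cue origin=pam://{{ ansible_nodename }} appid=pam://{{ ansible_nodename }} userpresence=0 pinverification=1
auth requisite pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
{% endif %}

{% if sso_type == "native" %}
# Local accounts skip the SSO module (success=1 jumps over the next line).
auth [success=1 default=ignore] pam_localuser.so
# SSO success skips the three local-password lines (pam_unix, systemd-homed,
# authfail) straight to the second-factor sections; any other result skips
# pam_unix and systemd-homed and lands on the "authfail" die line.
auth [success=3 default=2] pam_kanidm.so
{% elif sso_type == "ldap" %}
# Same layout as the "native" branch with pam_ldap as the SSO module.
auth [success=1 default=ignore] pam_localuser.so
auth [success=3 default=2] pam_ldap.so try_first_pass
{% endif %}

# Local password. success=2 skips systemd-homed and the "authfail" line.
# NOTE(review): the action name was previously misspelled ("sucesss"), which
# Linux-PAM rejects as an unparsable control field; the line is then replaced
# by a handler that always fails rather than by the intended jump.
# NOTE(review): "nullok" lets an account whose password field is empty
# authenticate without a password on this line; drop it unless passwordless
# local accounts are intended here.
auth [success=2 default=ignore] pam_unix.so try_first_pass nullok
# Optional systemd-homed password check; on success skip the "authfail" line.
-auth [success=1 default=ignore] pam_systemd_home.so
# No first factor succeeded: record the failure and stop.
auth [default=die] pam_faillock.so authfail

{% if uses_passkey_2fa %}
# Passkey as the second factor, only for attempts matched by
# /etc/security/remote-switch.access.conf. default=4 skips the four remaining
# lines of this section (to the matching endif).
auth [success=ignore default=4] pam_access.so accessfile=/etc/security/remote-switch.access.conf
# Touch required (userpresence=1). Failure jumps past the three lines that
# complete a successful second factor.
auth [success=ok default=3] pam_u2f.so cue origin=pam://{{ ansible_nodename }} appid=pam://{{ ansible_nodename }} userpresence=1
auth optional pam_permit.so
auth requisite pam_env.so
# "sufficient": a successful second factor ends the stack with success here,
# provided no earlier "required"/"requisite" line failed.
auth sufficient pam_faillock.so authsucc
{% endif %}

{% if uses_totp_2fa %}
# TOTP as the second factor. When totp_2fa_nullok is set, "nullok" is passed
# so that users with no enrolled secret are let through this line without a
# code; presumably intended for staged enrollment only — keep it off once all
# users are enrolled. Failure jumps past the three completion lines.
auth [success=ok default=3] pam_google_authenticator.so {{ totp_2fa_nullok | ternary("nullok", "") }} echo_verification_code
auth optional pam_permit.so
auth requisite pam_env.so
auth sufficient pam_faillock.so authsucc
{% endif %}

{% if (uses_passkey_2fa) or (uses_totp_2fa) %}
# A second factor is configured but none of the sections above ended the
# stack with success: fail closed.
auth [default=die] pam_deny.so
{% else %}
# No second factor configured: the first factor alone completes the stack.
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
{% endif %}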