auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        sufficient                                   pam_fprintd.so
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        required      pam_faillock.so preauth silent deny=3 fail_interval=900 even_deny_root unlock_time=0
auth        sufficient                                   pam_unix.so  try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 fail_interval=900 even_deny_root unlock_time=0
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required      pam_faillock.so
account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so try_first_pass local_users_only retry=3
password    sufficient                                   pam_unix.so sha512 shadow  try_first_pass use_authtok remember=5
password    sufficient                                   pam_sss.so use_authtok
password    required   pam_pwhistory.so use_authtok remember=5 retry=3
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so
