# -*- mode: python; coding: utf-8 -*-

include("pam")

header("""
/etc/pam.d/common-auth - authentication settings common to all services

This file is included from other service-specific PAM config files,
and should contain a list of the authentication modules that define
the central authentication scheme for use on the system
(e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
traditional Unix authentication mechanisms.

As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
To take advantage of this, it is recommended that you configure any
local modules either before or after the default block, and use
pam-auth-update to manage selection of other modules.  See
pam-auth-update(8) for details.
""")

if not has('wheezy'):
    print "auth sufficient %s" % pam_module
    print "auth required   pam_unix.so nullok_secure use_first_pass"

else:
    @# here are the per-package modules (the "Primary" block)
    if has('ldap'):
        print "auth   [success=2 default=ignore]      pam_unix.so nullok_secure"
        print "auth   [success=1 default=ignore]      %s minimum_uid=1000 use_first_pass" % pam_module
    else:
        print "auth   [success=1 default=ignore]      pam_unix.so nullok_secure"
    @# here's the fallback if no module succeeds
    @auth    requisite                       pam_deny.so
    @# prime the stack with a positive return value if there isn't one already;
    @# this avoids us returning an error just because nothing sets a success code
    @# since the modules above will each just jump around
    @auth    required                        pam_permit.so
    @# and here are more per-package modules (the "Additional" block)
    @# end of pam-auth-update config