authorMikle Kolyada <zlogene@gentoo.org>2020-08-04 14:20:43 +0300
committerMikle Kolyada <zlogene@gentoo.org>2020-08-04 14:20:43 +0300
commit405452a4aa5a9ae06169b0aa1c394a4cae9c1c5c (patch)
tree8791729ab9f640415ed529dd654fe439bd318a66
parentmove faillock last in auth (diff)
New pambase era
pambase was simplified and rewritten in Python.
Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
-rw-r--r--.gitignore12
-rw-r--r--LICENSE23
-rw-r--r--Makefile96
-rw-r--r--README8
-rw-r--r--basic-conf52
-rw-r--r--linux-pam-conf26
-rw-r--r--login.in10
-rw-r--r--other.in4
-rwxr-xr-xpambase.py95
-rw-r--r--su.in11
-rw-r--r--system-auth.in57
-rw-r--r--system-login.in58
-rw-r--r--system-session.inc25
-rw-r--r--templates/login.tpl9
-rw-r--r--templates/other.tpl4
-rw-r--r--templates/passwd.tpl (renamed from passwd.in)4
-rw-r--r--templates/su.tpl8
-rw-r--r--templates/system-auth.tpl54
-rw-r--r--templates/system-local-login.tpl (renamed from system-local-login.in)0
-rw-r--r--templates/system-login.tpl39
-rw-r--r--templates/system-remote-login.tpl (renamed from system-remote-login.in)0
-rw-r--r--templates/system-service.tpl (renamed from system-services.in)6
-rw-r--r--templates/system-session.tpl16
23 files changed, 252 insertions, 365 deletions
diff --git a/.gitignore b/.gitignore
index 2c63905..844c82f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,2 @@
-login
-passwd
-su
-system-auth
-system-login
-system-local-login
-system-remote-login
-system-services
-other
-pambase-*.tar.bz2
+stack/
+.idea/
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..6e891ee
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,23 @@
+MIT License
+
+Copyright (c) 2020 Mikhail Koliada
+Copyright (c) 2020 Sam James
+Copyright (c) 2020 Gentoo Authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 941edfb..0000000
--- a/Makefile
+++ /dev/null
@@ -1,96 +0,0 @@
-# Reset this to 'cpp' so it gets traditional syntax; cc -E will not work
-# properly.
-CPP=cpp
-
-# The pam.d file to create
-PAMD=login passwd su system-auth system-login system-local-login system-remote-login system-services other
-
-# command for git (the DVCS); set this to "true" to ignore GIT support
-# (i.e.: in the ebuild)
-GIT=git
-
-PAMFLAGS = -include linux-pam-conf -include basic-conf -DLINUX_PAM_VERSION=$(LINUX_PAM_VERSION)
-
-ifeq "$(PASSWDQC)" "yes"
-PAMFLAGS += -DHAVE_PASSWDQC=1
-endif
-
-ifeq "$(CONSOLEKIT)" "yes"
-PAMFLAGS += -DHAVE_CONSOLEKIT=1
-endif
-
-ifeq "$(SYSTEMD)" "yes"
-PAMFLAGS += -DHAVE_SYSTEMD=1
-endif
-
-ifeq "$(ELOGIND)" "yes"
-PAMFLAGS += -DHAVE_ELOGIND=1
-endif
-
-ifeq "$(GNOME_KEYRING)" "yes"
-PAMFLAGS += -DHAVE_GNOME_KEYRING=1
-endif
-
-ifeq "$(SECURETTY)" "yes"
-PAMFLAGS += -DHAVE_SECURETTY=1
-endif
-
-ifeq "$(SELINUX)" "yes"
-PAMFLAGS += -DHAVE_SELINUX=1
-endif
-
-ifeq "$(MKTEMP)" "yes"
-PAMFLAGS += -DHAVE_MKTEMP=1
-endif
-
-ifeq "$(PAM_SSH)" "yes"
-PAMFLAGS += -DHAVE_PAM_SSH=1
-endif
-
-ifeq "$(KRB5)" "yes"
-PAMFLAGS += -DHAVE_KRB5=1
-endif
-
-ifeq "$(NULLOK)" "yes"
-PAMFLAGS += -DWANT_NULLOK=1
-endif
-
-ifeq "$(SHA512)" "yes"
-PAMFLAGS += -DWANT_SHA512=1
-endif
-
-ifeq "$(DEBUG)" "yes"
-PAMFLAGS += -DDEBUG=debug
-endif
-
-ifeq "$(MINIMAL)" "yes"
-PAMFLAGS += -DMINIMAL
-endif
-
-ifeq "$(LIBCAP)" "yes"
-PAMFLAGS += -DHAVE_LIBCAP=1
-endif
-
-all: $(PAMD)
-
-install: $(PAMD)
- install -d "$(DESTDIR)/etc/pam.d"
- install -m0644 $(PAMD) "$(DESTDIR)/etc/pam.d"
-
-PACKAGE=pambase
-ifeq "$(VERSION)" ""
-VERSION = $(shell date +"%Y%m%d")
-endif
-
-dist: $(PACKAGE)-$(VERSION).tar.xz
-
-$(PACKAGE)-$(VERSION).tar.xz: $(shell $(GIT) ls-files)
- $(GIT) tag $(PACKAGE)-$(VERSION)
- $(GIT) archive --format=tar --prefix=$(PACKAGE)-$(VERSION)/ HEAD | xz > $@
-
-$(PAMD): %: %.in
- $(CPP) -traditional-cpp -P $(PAMFLAGS) $< -o $@
- sed -i -e '/^$$/d' -e '/^\/\//d' $@
-
-clean:
- rm -f $(PAMD) *~
diff --git a/README b/README
deleted file mode 100644
index 20f2e5e..0000000
--- a/README
+++ /dev/null
@@ -1,8 +0,0 @@
-This repository contains the PAM configuration base for Gentoo Linux
-and Gentoo FreeBSD, this mostly means the system-auth and system-login
-configuration file that provides the basic support for generical
-authentication for services, and console login (on tty or on various
-desktop managers).
-
-The Makefile manages the choice of optional features that will be
-enabled in the final file.
diff --git a/basic-conf b/basic-conf
deleted file mode 100644
index 7b1bf00..0000000
--- a/basic-conf
+++ /dev/null
@@ -1,52 +0,0 @@
-// Only use_authtok (authentication token) when using passwdqc or some other module
-// that checks for passwords, or pam_krb5
-#define AUTHTOK use_authtok
-
-#if HAVE_PASSWDQC
-# define PASSWORD_STRENGTH 1
-#endif
-
-#if HAVE_KRB5 && PASSWORD_STRENGTH
-# define KRB5_AUTHTOK AUTHTOK
-#endif
-
-#if HAVE_KRB5 || PASSWORD_STRENGTH
-# define UNIX_AUTHTOK AUTHTOK
-#else
-# define UNIX_AUTHTOK
-#endif
-
-// Define DEBUG to an empty string unless it was required by the user
-#ifndef DEBUG
-#define DEBUG
-#endif
-
-#ifndef UNIX_EXTENDED_ENCRYPTION
-#define UNIX_EXTENDED_ENCRYPTION
-#endif
-
-#ifndef LIKEAUTH
-#define LIKEAUTH
-#endif
-
-#if WANT_NULLOK
-#define NULLOK nullok
-#else
-#define NULLOK
-#endif
-
-#define KRB5_PARAMS DEBUG ignore_root try_first_pass
-
-/* By using the extended Linux-PAM syntax for this, it is possible to
- fine-tune the Kerberos handling so that it works out of hte box on
- most desktop systems.
-
- What this control operation does is ignore failures and errors from
- Kerberos (falling back on local pam_unix auth), but if it's good,
- it'll skip over the following module (pam_unix) with an accepted
- status.
-
- IMPORTANT! Make sure that the only thing that comes right after
- pam_krb5 with KRB5_CONTROL is pam_unix!
- */
-#define KRB5_CONTROL [success=1 default=ignore]
diff --git a/linux-pam-conf b/linux-pam-conf
deleted file mode 100644
index 962b2eb..0000000
--- a/linux-pam-conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#define HAVE_LIMITS 1
-#define HAVE_ENV 1
-#define HAVE_ACCESS 1
-#define HAVE_SHELLS 1
-#define HAVE_LOGINUID 1
-
-#define SUPPORT_UNIX_SESSION 1
-#define SUPPORT_NOLOGIN_ACCOUNT 1
-#define SUPPORT_NOLOGIN_AUTH 1
-
-#if !MINIMAL
-# define HAVE_MOTD 1
-# define HAVE_MAIL 1
-# define HAVE_LASTLOG 1
-# define HAVE_FAILLOCK 1
-
-#endif
-
-#if WANT_SHA512
-# define UNIX_EXTENDED_ENCRYPTION sha512 shadow
-#else
-# define UNIX_EXTENDED_ENCRYPTION md5 shadow
-#endif
-
-#define LIKEAUTH likeauth
-#define DEBUG_NOLOGIN
diff --git a/login.in b/login.in
deleted file mode 100644
index 5067bc7..0000000
--- a/login.in
+++ /dev/null
@@ -1,10 +0,0 @@
-#if HAVE_SECURETTY
-auth required pam_securetty.so
-#endif
-auth include system-local-login
-
-account include system-local-login
-password include system-local-login
-
-session optional pam_lastlog.so DEBUG
-session include system-local-login
diff --git a/other.in b/other.in
deleted file mode 100644
index d8cb1fe..0000000
--- a/other.in
+++ /dev/null
@@ -1,4 +0,0 @@
-auth required pam_deny.so
-account required pam_deny.so
-password required pam_deny.so
-session required pam_deny.so
diff --git a/pambase.py b/pambase.py
new file mode 100755
index 0000000..1ebafbe
--- /dev/null
+++ b/pambase.py
@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+
+import argparse
+from jinja2 import Template, Environment, FileSystemLoader
+import pathlib
+
+
+def main():
+ parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files')
+ parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module')
+ parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
+ parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
+ parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')
+ parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module')
+ parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
+ parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')
+ parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module')
+ parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module')
+ parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module')
+ parser.add_argument('--minimal', action="store_true", help='install minimalistic PAM stack')
+ parser.add_argument('--debug', action="store_true", help='enable debug for selected modules')
+ parser.add_argument('--nullok', action="store_true", help='enable nullok option for pam_unix.so module')
+
+ parsed_args = parser.parse_args()
+ processed = process_args(parsed_args)
+
+ parse_templates(processed)
+
+
+def process_args(args):
+ # make sure that output directory exists
+ pathlib.Path("stack").mkdir(parents=True, exist_ok=True)
+
+ blank_variables = [
+ "krb5_authtok",
+ "unix_authtok",
+ "unix_extended_encryption",
+ "likeauth",
+ "nullok"
+ ]
+
+ # create a blank dictionary
+ # then add in our parsed args
+ output = dict.fromkeys(blank_variables, "")
+ output.update(vars(args))
+
+ # unconditional variables
+ output["likeauth"] = "likeauth"
+ output["unix_authtok"] = "use_authtok"
+
+ if args.debug:
+ output["debug"] = "debug"
+
+ if args.nullok:
+ output["nullok"] = "nullok"
+
+ if args.krb5:
+ output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip()
+
+ if args.sha512:
+ output["unix_extended_encryption"] = "sha512 shadow"
+ else:
+ output["unix_extended_encryption"] = "md5 shadow"
+
+ return output
+
+
+def parse_templates(processed_args):
+ load = FileSystemLoader('')
+ env = Environment(loader=load)
+
+ templates = [
+ "login",
+ "other",
+ "passwd",
+ "system-local-login",
+ "system-remote-login",
+ "su",
+ "system-auth",
+ "system-login",
+ "system-service"
+ ]
+
+ for template_name in templates:
+ template = env.get_template('templates/{0}.tpl'.format(template_name))
+
+ with open('stack/{0}'.format(template_name), "w+") as output:
+ rendered_template = template.render(processed_args)
+
+ if rendered_template:
+ output.write(rendered_template + "\n")
+
+
+if __name__ == "__main__":
+ main()
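Review bot: In process_args the krb5 branch formats the literal string "debug" instead of the parsed flag, so `output["krb5_params"]` always carries `debug` whenever --krb5 is given (and the trailing `.strip()` never has anything to strip), whereas the deleted basic-conf only appended DEBUG when the user asked for it — pam_krb5 would log verbosely on every production auth. Note that `output["debug"]` is the argparse boolean (False) unless --debug was passed, so it cannot be formatted directly; use `output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug" if args.debug else "").strip()`. Separately, `output["unix_authtok"] = "use_authtok"` is now unconditional, while the old basic-conf only defined UNIX_AUTHTOK when krb5 or passwdqc was enabled; with neither enabled nothing earlier in the password stack sets PAM_AUTHTOK, so pam_unix's password change may fail with an authentication-token error — worth confirming with a plain `passwd` run on a default build before tagging.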
diff --git a/su.in b/su.in
deleted file mode 100644
index 889ecfe..0000000
--- a/su.in
+++ /dev/null
@@ -1,11 +0,0 @@
-auth sufficient pam_rootok.so
-auth required pam_wheel.so use_uid
-auth include system-auth
-
-account include system-auth
-
-password include system-auth
-
-session include system-auth
-session required pam_env.so
-session optional pam_xauth.so
diff --git a/system-auth.in b/system-auth.in
deleted file mode 100644
index 9ae09e4..0000000
--- a/system-auth.in
+++ /dev/null
@@ -1,57 +0,0 @@
-#if HAVE_ENV
-auth required pam_env.so DEBUG
-#endif
-
-#if HAVE_PAM_SSH
-auth sufficient pam_ssh.so
-#endif
-#if HAVE_KRB5
-auth KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-#endif
-auth required pam_unix.so try_first_pass LIKEAUTH NULLOK DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-auth optional pam_permit.so
-
-#if HAVE_FAILLOCK
-auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
-auth sufficient pam_unix.so nullok try_first_pass
-auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
-#endif
-
-#if HAVE_KRB5
-account KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-#endif
-account required pam_unix.so DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-account optional pam_permit.so
-
-#if HAVE_FAILLOCK
-account required pam_faillock.so
-#endif
-
-#if HAVE_PASSWDQC
-password required pam_passwdqc.so min=8,8,8,8,8 retry=3
-#endif
-#if HAVE_KRB5
-password KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-#endif
-password required pam_unix.so try_first_pass UNIX_AUTHTOK NULLOK UNIX_EXTENDED_ENCRYPTION DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-password optional pam_permit.so
-
-#if HAVE_PAM_SSH
-session optional pam_ssh.so
-#endif
-
-#if HAVE_SYSTEMD
--session optional pam_systemd.so
-#endif
-
-#if HAVE_ELOGIND
--session optional pam_elogind.so
-#endif
-
-#if HAVE_LIBCAP
-auth optional pam_cap.so
-#endif
-#include "system-session.inc"
diff --git a/system-login.in b/system-login.in
deleted file mode 100644
index ee03613..0000000
--- a/system-login.in
+++ /dev/null
@@ -1,58 +0,0 @@
-
-#if HAVE_SHELLS
-auth required pam_shells.so DEBUG
-#endif
-#if SUPPORT_NOLOGIN_AUTH
-auth required pam_nologin.so DEBUG_NOLOGIN
-#endif
-auth include system-auth
-
-#if HAVE_FAILLOCK
-auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
-auth sufficient pam_unix.so nullok try_first_pass
-auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
-#endif
-
-#if HAVE_ACCESS
-account required pam_access.so DEBUG
-#endif
-#if HAVE_LOGIN_ACCESS
-account required pam_login_access.so
-#endif
-#if SUPPORT_NOLOGIN_ACCOUNT
-account required pam_nologin.so DEBUG_NOLOGIN
-#endif
-account include system-auth
-
-#if HAVE_FAILLOCK
-account required pam_faillock.so
-#endif
-
-password include system-auth
-
-#if HAVE_LOGINUID
-session optional pam_loginuid.so
-#endif
-#if HAVE_SELINUX
-session required pam_selinux.so close
-#endif
-#if HAVE_ENV
-session required pam_env.so envfile=/etc/profile.env DEBUG
-#endif
-#if HAVE_LASTLOG
-session optional pam_lastlog.so silent DEBUG
-#endif
-session include system-auth
-#if HAVE_CONSOLEKIT
-session optional pam_ck_connector.so nox11
-#endif
-#if HAVE_SELINUX
- # Note: modules that run in the user's context must come after this line.
-session required pam_selinux.so multiple open
-#endif
-#if HAVE_MOTD
-session optional pam_motd.so motd=/etc/motd
-#endif
-#if HAVE_MAIL
-session optional pam_mail.so
-#endif
diff --git a/system-session.inc b/system-session.inc
deleted file mode 100644
index 2ba6964..0000000
--- a/system-session.inc
+++ /dev/null
@@ -1,25 +0,0 @@
-#if HAVE_LIMITS
-session required pam_limits.so DEBUG
-#endif
-#if HAVE_ENV
-session required pam_env.so DEBUG
-#endif
-#if HAVE_MKTEMP
-session optional pam_mktemp.so
-#endif
-
-/* Only Linux-PAM supports session chain for pam_unix; but if it were
- to not support it for whatever reason, still execute pam_krb5, with
- sufficient level instead. */
-#if SUPPORT_UNIX_SESSION
-# if HAVE_KRB5
-session KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-# endif
-session required pam_unix.so DEBUG
-#else
-# if HAVE_KRB5
-session sufficient pam_krb5.so KRB5_PARAMS
-# endif
-#endif
-
-session optional pam_permit.so
diff --git a/templates/login.tpl b/templates/login.tpl
new file mode 100644
index 0000000..7476cb7
--- /dev/null
+++ b/templates/login.tpl
@@ -0,0 +1,9 @@
+{% if securetty -%}
+auth required pam_securetty.so
+{% endif -%}
+
+auth include system-local-login
+account include system-local-login
+password include system-local-login
+session optional pam_lastlog.so {{ debug|default('', true) }}
+session include system-local-login
diff --git a/templates/other.tpl b/templates/other.tpl
new file mode 100644
index 0000000..f3b7198
--- /dev/null
+++ b/templates/other.tpl
@@ -0,0 +1,4 @@
+auth required pam_deny.so
+account required pam_deny.so
+password required pam_deny.so
+session required pam_deny.so
diff --git a/passwd.in b/templates/passwd.tpl
index 248bb7c..5f4f739 100644
--- a/passwd.in
+++ b/templates/passwd.tpl
@@ -1,7 +1,5 @@
auth sufficient pam_rootok.so
auth include system-auth
-
account include system-auth
-
password include system-auth
--password optional pam_gnome_keyring.so UNIX_AUTHTOK
+-password optional pam_gnome_keyring.so {{ unix_authtok }}
diff --git a/templates/su.tpl b/templates/su.tpl
new file mode 100644
index 0000000..a36b633
--- /dev/null
+++ b/templates/su.tpl
@@ -0,0 +1,8 @@
+auth sufficient pam_rootok.so
+auth required pam_wheel.so use_uid
+auth include system-auth
+account include system-auth
+password include system-auth
+session include system-auth
+session required pam_env.so
+session optional pam_xauth.so
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
new file mode 100644
index 0000000..13f5c0d
--- /dev/null
+++ b/templates/system-auth.tpl
@@ -0,0 +1,54 @@
+auth required pam_env.so {{ debug|default('', true) }}
+{% if pam_ssh -%}
+auth sufficient pam_ssh.so
+{% endif -%}
+
+{% if krb5 -%}
+auth [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
+{% endif -%}
+
+auth required pam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }}
+auth optional pam_permit.so
+{% if not minimal -%}
+auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
+auth sufficient pam_unix.so {{ nullok|default('', true) }} try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
+{% endif -%}
+
+{% if krb5 -%}
+account [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
+{% endif -%}
+account required pam_unix.so {{ debug|default('', true) }}
+account optional pam_permit.so
+{% if not minimal -%}
+account required pam_faillock.so
+{% endif -%}
+
+{% if passwdqc -%}
+password required pam_passwdqc.so min=8,8,8,8,8 retry=3
+{% endif -%}
+
+{% if krb5 -%}
+password [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
+{% endif -%}
+
+password required pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+password optional pam_permit.so
+
+{%- if pam_ssh -%}
+session optional pam_ssh.so
+{% endif -%}
+
+{% if systemd -%}
+-session optional pam_systemd.so
+{% endif -%}
+
+{% if elogind -%}
+-session optional pam_elogind.so
+{% endif -%}
+
+{% if libcap -%}
+-session optional pam_libcap.so
+{% endif -%}
+
+{% include "templates/system-session.tpl" %}
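Review bot: The libcap entry at the end of the session section loads `pam_libcap.so`, a module name the libcap package does not ship — the deleted system-auth.in loaded `pam_cap.so`, and the argparse help in this same commit says pam_caps.so, so three spellings now exist for one module. Because the line is prefixed with `-`, libpam suppresses the "unable to dlopen" log for it, so capability grants from /etc/security/capability.conf would quietly stop being applied. Restore the old line under the same guard: `auth optional pam_cap.so`. As far as I know pam_cap implements the auth (and setcred) hooks rather than session, so moving it to the session stack also needs checking against the libcap version being targeted.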
diff --git a/system-local-login.in b/templates/system-local-login.tpl
index 2f415ed..2f415ed 100644
--- a/system-local-login.in
+++ b/templates/system-local-login.tpl
diff --git a/templates/system-login.tpl b/templates/system-login.tpl
new file mode 100644
index 0000000..2f404bc
--- /dev/null
+++ b/templates/system-login.tpl
@@ -0,0 +1,39 @@
+auth required pam_shells.so {{ debug|default('', true) }}
+auth required pam_nologin.so
+auth include system-auth
+{% if not minimal -%}
+auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
+auth sufficient pam_unix.so nullok try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
+{% endif -%}
+
+account required pam_access.so {{ debug|default('', true) }}
+account required pam_nologin.so
+account include system-auth
+{% if not minimal -%}
+account required pam_faillock.so
+{% endif -%}
+
+password include system-auth
+session optional pam_loginuid.so
+{% if selinux -%}
+session required pam_selinux.so close
+{% endif -%}
+
+session required pam_env.so envfile=/etc/profile.env {{ debug|default('', true) }}
+{% if not miniaml -%}
+session optional pam_lastlog.so silent {{ debug|default('', true) }}
+{% endif -%}
+session include system-auth
+{% if selinux -%}
+ # Note: modules that run in the user's context must come after this line.
+session required pam_selinux.so multiple open
+{% endif -%}
+
+{% if not minimal -%}
+session optional pam_motd.so motd=/etc/motd
+{% endif -%}
+
+{% if not minimal -%}
+session optional pam_mail.so
+{% endif -%}
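Review bot: `{% if not miniaml -%}` guarding pam_lastlog is a typo for `minimal`; Jinja2's default Undefined is falsy, so the condition is always true and pam_lastlog is emitted even with --minimal, unlike the old HAVE_LASTLOG gate in linux-pam-conf. The fix is `{% if not minimal -%}`. In the same hunk the faillock block hard-codes `auth sufficient pam_unix.so nullok try_first_pass`, ignoring --nullok, while the equivalent line in system-auth.tpl correctly renders `{{ nullok|default('', true) }}`; the old system-login.in had the same hard-coded nullok, but since this file is being rewritten it should be templated the same way so a non-nullok build does not contain a nullok line at all.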
diff --git a/system-remote-login.in b/templates/system-remote-login.tpl
index 2f415ed..2f415ed 100644
--- a/system-remote-login.in
+++ b/templates/system-remote-login.tpl
diff --git a/system-services.in b/templates/system-service.tpl
index 989267f..cbfab6f 100644
--- a/system-services.in
+++ b/templates/system-service.tpl
@@ -1,8 +1,4 @@
auth sufficient pam_permit.so
-
account include system-auth
-
-#if HAVE_LOGINUID
session optional pam_loginuid.so
-#endif
-#include "system-session.inc"
+{% include "templates/system-session.tpl" %}
diff --git a/templates/system-session.tpl b/templates/system-session.tpl
new file mode 100644
index 0000000..f2622a8
--- /dev/null
+++ b/templates/system-session.tpl
@@ -0,0 +1,16 @@
+session required pam_limits.so {{ debug|default('', true) }}
+session required pam_env.so {{ debug|default('', true) }}
+{% if mktemp -%}
+session optional pam_mktemp.so
+{% endif -%}
+
+{%if krb5 -%}
+session [success=1 default=ignore] {{ krb5_params }}
+{% endif -%}
+
+session required pam_unix.so {{ debug|default('', true) }}
+{%if krb5 -%}
+session [success=1 default=ignore] {{ krb5_params }}
+{% endif -%}
+
+session optional pam_permit.so
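Review bot: Both krb5 lines are missing the module name — `session [success=1 default=ignore] {{ krb5_params }}` renders as `session [success=1 default=ignore] debug ignore_root try_first_pass`, so with --krb5 libpam would try to dlopen a module called "debug". The deleted system-session.inc had `session KRB5_CONTROL pam_krb5.so KRB5_PARAMS`, i.e. `session [success=1 default=ignore] pam_krb5.so {{ krb5_params }}`. Only one such line belongs here, immediately before pam_unix.so: the success=1 jump exists to skip pam_unix on a Kerberos success (the old basic-conf explicitly warned that only pam_unix may follow it), and the second copy after pam_unix would skip pam_permit instead, which does nothing useful. Depending on how libpam handles an unloadable module under this control, a --krb5 build may fail every session open rather than merely lose Kerberos credential handling — the rendered stack should be checked with an actual login before this is released.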