#%PAM-1.0
#
# Hybrid authentication with conditional branching.
# The 'system-check-localuser' module determines the authentication path:
# - Local users (in /etc/passwd) are processed by the 'local-only' substack.
# - Non-local users with UID meeting a specific threshold are processed by the
#   'krb5_ccreds-only' substack.
# - Other cases are handled according to the router's mode (legacy or systemd).
#
# Post-condition stack summary:
#
# Condition                        | Action                    | Rule
# ----------------------------------------------------------------------------
# Local user (or treated as local) | Proceeds to the next line | 'local-only'
# Specific non-local user          | Jumps over two lines      | 'method-only'
# Critical failure (default=bad)   | Marks the stack as failed | 'local-only'
# Termination (default=die)        | Entire authentication stack terminates.

# auth stack: route the user to exactly one credential-checking substack,
# then run the shared rules.
#
# Line order is part of the logic. The branch depends on jump counts, and a
# whole substack counts as one module when a jump is made in this parent stack.
# Adding, removing or reordering lines between the include and the
# krb5_ccreds-only substack changes where those jumps land.

# 'include' (not 'substack') inlines the rules of system-check-localuser, so a
# jump made there can skip lines of this file. Jumps inside a substack cannot
# leave it.
# NOTE(review): the jump itself is defined in system-check-localuser, which is
# not shown here; review both files together.
auth		include		system-check-localuser
# Local-user path, reached when the check above falls through to the next line.
auth		substack	system-auth-use_first_pass-local-only
# Unconditional jump: every pam_permit.so result maps to "skip the next one
# module", so the Kerberos substack is bypassed after the local-only path.
auth		[default=1]	pam_permit.so
# Non-local path. It is only reachable by a jump over the two lines above
# (presumably issued by system-check-localuser; verify the count there).
auth		substack	system-auth-use_first_pass-krb5_ccreds-only
# Shared tail, evaluated after either path.
# NOTE(review): confirm that no jump from system-check-localuser can land here
# directly, which would bypass both credential-checking substacks.
auth		substack	system-auth-common

# password stack: same branching layout as the auth stack, applied to
# password changes.
#
# Line order is part of the logic. A whole substack counts as one module when
# a jump is made in this parent stack, so inserting or removing lines between
# the include and the krb5_ccreds-only substack changes the jump targets.

# 'include' inlines the password rules of system-check-localuser so that its
# jumps can skip lines of this file.
# NOTE(review): the jump counts live in system-check-localuser, which is not
# shown here; confirm they match this layout.
password	include		system-check-localuser
# Local-user path, reached when the check above falls through to the next line.
password	substack	system-auth-use_first_pass-local-only
# Unconditional jump: every pam_permit.so result maps to "skip the next one
# module", so the Kerberos substack is bypassed after the local-only path.
password	[default=1]	pam_permit.so
# Non-local path. It is only reachable by a jump over the two lines above
# (presumably issued by system-check-localuser; verify the count there).
password	substack	system-auth-use_first_pass-krb5_ccreds-only
# Shared tail, evaluated after either path.
password	substack	system-auth-common
