#%PAM-1.0
#
# Authentication router (Legacy mode).
# Directs authentication flow based on user existence in /etc/passwd and UID.
# UID >= 1000 is the threshold for "regular" non-local users.
#
# Process:
# 1. Check if user exists locally (pam_localuser.so).
#    - Exists: Proceed to the next line in parent stack -> 'local-only' substack.
#    - Does not exist: Continue to step 2.
#
# 2. Check UID >= 1000 (pam_succeed_if.so).
#    - UID >= 1000: Skip two lines in parent -> 'method-only' substack.
#    - UID < 1000: Return 'bad' -> Authentication fails.
#
# Summary for parent stack:
#
# Condition                            | Path in Parent Stack
# -----------------------------------------------------------
# User exists in /etc/passwd           | -> 'local-only'
# User not in /etc/passwd, UID >= 1000 | -> 'method-only'
# User not in /etc/passwd, UID < 1000  | -> FAIL (bad)

auth		[success=1 perm_denied=ignore default=die]	pam_localuser.so
auth		[success=2 default=bad]	pam_succeed_if.so uid >= 1000 quiet

account		[success=1 perm_denied=ignore default=die]	pam_localuser.so
account		[success=2 default=bad]	pam_succeed_if.so uid >= 1000 quiet

password	[success=1 perm_denied=ignore default=die]	pam_localuser.so
password	[success=2 default=bad]	pam_succeed_if.so uid >= 1000 quiet

session		[success=1 perm_denied=ignore default=die]	pam_localuser.so
session		[success=2 default=bad]	pam_succeed_if.so uid >= 1000 quiet
