#%PAM-1.0
#
# Authentication router (Systemd dynamic mode).
# Directs authentication flow, accounting for systemd dynamic users (not in
# /etc/passwd). UID < 65536 is the threshold for systemd dynamic users.
#
# Process:
# 1. Check if user exists locally (pam_localuser.so).
#    - Exists: Proceed to the next line in parent stack -> 'local-only' substack.
#    - Does not exist: Continue to step 2.
#
# 2. Check UID >= 65536 (pam_succeed_if.so).
#    - UID >= 65536: Skip two lines in parent -> 'method-only' substack.
#    - UID < 65536: Proceed to next line in parent -> 'local-only' substack.
#
# Summary for parent stack:
#
# Condition                                      | Path in Parent Stack
# ---------------------------------------------------------------------
# User exists in /etc/passwd                     | -> 'local-only'
# User not in /etc/passwd, UID >= 65536          | -> 'method-only'
# User not in /etc/passwd, UID < 65536 (dynamic) | -> 'local-only'

auth		[success=1 perm_denied=ignore default=die]	pam_localuser.so
auth		[success=2 auth_err=ignore default=bad]	pam_succeed_if.so uid >= 65536 quiet

account		[success=1 perm_denied=ignore default=die]	pam_localuser.so
account		[success=2 auth_err=ignore default=bad]	pam_succeed_if.so uid >= 65536 quiet

password	[success=1 perm_denied=ignore default=die]	pam_localuser.so
password	[success=2 auth_err=ignore default=bad]	pam_succeed_if.so uid >= 65536 quiet

session		[success=1 perm_denied=ignore default=die]	pam_localuser.so
session		[success=2 auth_err=ignore default=bad]	pam_succeed_if.so uid >= 65536 quiet
