Name of the PAM service.

Contents of the PAM service file.

Enable unlocking and mounting of encrypted ZFS home dataset at login.

If set, root doesn't need to authenticate (e.g. for the useradd service).

Whether to show the message of the day.

If set, the OATH Toolkit will be used.

If set, the OTPW system will be used (if ~/.otpw exists).

Whether to enable this PAM service.

Whether users can log in with passwords defined in /etc/shadow.

Enable PAM mount (pam_mount) system to mount filesystems on user login.

If set, keys listed in ~/.ssh/authorized_keys and ~/.eid/authorized_certificates can be used to log in with the associated PKCS#11 tokens.

If set, the pam_mysql module will be used to authenticate users against a MySQL/MariaDB database.

Whether to update /var/log/wtmp.

Whether to try to create home directories for users with $HOMEs pointing to nonexistent locations on session login.

If enabled, the pam_umask module will be loaded.

Whether the delay after typing a wrong password should be disabled.

If set, fingerprint reader will be used (if exists and your fingerprints are enrolled).

If set, the calling user's SSH agent is used to authenticate against the configured keys

Attribute set describing resource limits

If set, users listed in ~/.yubico/authorized_yubikeys are able to log in with the associated Yubikey tokens.

If set, users listed in $XDG_CONFIG_HOME/Yubico/u2f_keys (or $HOME/.config/Yubico/u2f_keys if XDG variable is not set) are able to log in with the associated U2F key

If set, users with an SSH certificate containing an authorized principal in their SSH agent are able to log in

If set, the calling user's SSH agent is used to authenticate against the keys in the calling user's ~/.ssh/authorized_keys

Set the login uid of the process (/proc/self/loginuid) for auditing purposes

Whether to permit root access only to members of group wheel.

enforce sssd access control

Whether X authentication keys should be passed from the calling user to the target user (e.g. for su)

Whether to log authentication failures in /var/log/faillog.

Enable support for attaching AppArmor profiles at the user/group level, e.g., as part of a role based access control scheme.

If set, the service will register a new session with systemd's login manager

If enabled, pam_gnome_keyring will attempt to automatically unlock the user's default Gnome keyring upon login

Whether the service should set the environment variables listed in environment.sessionVariables using pam_env.so.

Whether to allow logging into accounts that have no password set (i.e., have an empty password field in /etc/passwd or /etc/group)

If set, will use the Google OS Login PAM modules (pam_oslogin_login, pam_oslogin_admin) to verify possible OS Login users and set sudoers configuration accordingly

If set, will use the pam_oslogin_login's user authentication methods to authenticate users using 2FA