# PAM configuration for SSH with 2FA
# Standard Un*x authentication
@include common-auth

# Google Authenticator 2FA
auth required pam_google_authenticator.so nullok

# Standard Un*x authorization
@include common-account

# SELinux needs to be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so

# Standard Un*x session setup and teardown
@include common-session

# Print the message of the day upon successful login
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

# Print the status of the user's mailbox upon successful login
session optional pam_mail.so standard noenv

# Set up user limits from /etc/security/limits.conf
session required pam_limits.so

# SELinux needs to intervene at login time
session required pam_selinux.so open

# Standard Un*x password updating
@include common-password
