New pambase era

pambase was simplified and rewritten in python

Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>

23 files changed, 252 insertions, 365 deletions

diff --git a/.gitignore b/.gitignore
index 2c63905..844c82f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,2 @@
-login
-passwd
-su
-system-auth
-system-login
-system-local-login
-system-remote-login
-system-services
-other
-pambase-*.tar.bz2
+stack/
+.idea/
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..6e891ee
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,23 @@
+MIT License
+
+Copyright (c) 2020 Mikhail Koliada
+Copyright (c) 2020 Sam James
+Copyright (c) 2020 Gentoo Authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 941edfb..0000000
--- a/Makefile
+++ /dev/null
@@ -1,96 +0,0 @@
-# Reset this to 'cpp' so it gets traditional syntax; cc -E will not work
-# properly.
-CPP=cpp
-
-# The pam.d file to create
-PAMD=login passwd su system-auth system-login system-local-login system-remote-login system-services other
-
-# command for git (the DVCS); set this to "true" to ignore GIT support
-# (i.e.: in the ebuild)
-GIT=git
-
-PAMFLAGS = -include linux-pam-conf -include basic-conf -DLINUX_PAM_VERSION=$(LINUX_PAM_VERSION)
-
-ifeq "$(PASSWDQC)" "yes"
-PAMFLAGS += -DHAVE_PASSWDQC=1
-endif
-
-ifeq "$(CONSOLEKIT)" "yes"
-PAMFLAGS += -DHAVE_CONSOLEKIT=1
-endif
-
-ifeq "$(SYSTEMD)" "yes"
-PAMFLAGS += -DHAVE_SYSTEMD=1
-endif
-
-ifeq "$(ELOGIND)" "yes"
-PAMFLAGS += -DHAVE_ELOGIND=1
-endif
-
-ifeq "$(GNOME_KEYRING)" "yes"
-PAMFLAGS += -DHAVE_GNOME_KEYRING=1
-endif
-
-ifeq "$(SECURETTY)" "yes"
-PAMFLAGS += -DHAVE_SECURETTY=1
-endif
-
-ifeq "$(SELINUX)" "yes"
-PAMFLAGS += -DHAVE_SELINUX=1
-endif
-
-ifeq "$(MKTEMP)" "yes"
-PAMFLAGS += -DHAVE_MKTEMP=1
-endif
-
-ifeq "$(PAM_SSH)" "yes"
-PAMFLAGS += -DHAVE_PAM_SSH=1
-endif
-
-ifeq "$(KRB5)" "yes"
-PAMFLAGS += -DHAVE_KRB5=1
-endif
-
-ifeq "$(NULLOK)" "yes"
-PAMFLAGS += -DWANT_NULLOK=1
-endif
-
-ifeq "$(SHA512)" "yes"
-PAMFLAGS += -DWANT_SHA512=1
-endif
-
-ifeq "$(DEBUG)" "yes"
-PAMFLAGS += -DDEBUG=debug
-endif
-
-ifeq "$(MINIMAL)" "yes"
-PAMFLAGS += -DMINIMAL
-endif
-
-ifeq "$(LIBCAP)" "yes"
-PAMFLAGS += -DHAVE_LIBCAP=1
-endif
-
-all: $(PAMD)
-
-install: $(PAMD)
-	install -d "$(DESTDIR)/etc/pam.d"
-	install -m0644 $(PAMD) "$(DESTDIR)/etc/pam.d"
-
-PACKAGE=pambase
-ifeq "$(VERSION)" ""
-VERSION = $(shell date +"%Y%m%d")
-endif
-
-dist: $(PACKAGE)-$(VERSION).tar.xz
-
-$(PACKAGE)-$(VERSION).tar.xz: $(shell $(GIT) ls-files)
-	$(GIT) tag $(PACKAGE)-$(VERSION)
-	$(GIT) archive --format=tar --prefix=$(PACKAGE)-$(VERSION)/ HEAD | xz > $@
-
-$(PAMD): %: %.in
-	$(CPP) -traditional-cpp -P $(PAMFLAGS) $< -o $@
-	sed -i -e '/^$$/d' -e '/^\/\//d' $@
-
-clean:
-	rm -f $(PAMD) *~
diff --git a/README b/README
deleted file mode 100644
index 20f2e5e..0000000
--- a/README
+++ /dev/null
@@ -1,8 +0,0 @@
-This repository contains the PAM configuration base for Gentoo Linux
-and Gentoo FreeBSD, this mostly means the system-auth and system-login
-configuration file that provides the basic support for generical
-authentication for services, and console login (on tty or on various
-desktop managers).
-
-The Makefile manages the choice of optional features that will be
-enabled in the final file.
diff --git a/basic-conf b/basic-conf
deleted file mode 100644
index 7b1bf00..0000000
--- a/basic-conf
+++ /dev/null
@@ -1,52 +0,0 @@
-// Only use_authtok (authentication token) when using passwdqc or some other module
-// that checks for passwords, or pam_krb5
-#define AUTHTOK use_authtok
-
-#if HAVE_PASSWDQC
-# define PASSWORD_STRENGTH 1
-#endif
-
-#if HAVE_KRB5 && PASSWORD_STRENGTH
-# define KRB5_AUTHTOK AUTHTOK
-#endif
-
-#if HAVE_KRB5 || PASSWORD_STRENGTH
-# define UNIX_AUTHTOK AUTHTOK
-#else
-# define UNIX_AUTHTOK
-#endif
-
-// Define DEBUG to an empty string unless it was required by the user
-#ifndef DEBUG
-#define DEBUG
-#endif
-
-#ifndef UNIX_EXTENDED_ENCRYPTION
-#define UNIX_EXTENDED_ENCRYPTION
-#endif
-
-#ifndef LIKEAUTH
-#define LIKEAUTH
-#endif
-
-#if WANT_NULLOK
-#define NULLOK nullok
-#else
-#define NULLOK
-#endif
-
-#define KRB5_PARAMS DEBUG ignore_root try_first_pass
-
-/* By using the extended Linux-PAM syntax for this, it is possible to
-   fine-tune the Kerberos handling so that it works out of hte box on
-   most desktop systems.
-
-   What this control operation does is ignore failures and errors from
-   Kerberos (falling back on local pam_unix auth), but if it's good,
-   it'll skip over the following module (pam_unix) with an accepted
-   status.
-
-   IMPORTANT! Make sure that the only thing that comes right after
-   pam_krb5 with KRB5_CONTROL is pam_unix!
- */
-#define KRB5_CONTROL [success=1 default=ignore]
diff --git a/linux-pam-conf b/linux-pam-conf
deleted file mode 100644
index 962b2eb..0000000
--- a/linux-pam-conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#define HAVE_LIMITS			1
-#define HAVE_ENV			1
-#define HAVE_ACCESS			1
-#define HAVE_SHELLS			1
-#define HAVE_LOGINUID			1
-
-#define SUPPORT_UNIX_SESSION		1
-#define SUPPORT_NOLOGIN_ACCOUNT		1
-#define SUPPORT_NOLOGIN_AUTH		1
-
-#if !MINIMAL
-# define HAVE_MOTD			1
-# define HAVE_MAIL			1
-# define HAVE_LASTLOG                   1
-# define HAVE_FAILLOCK			1
-
-#endif
-
-#if WANT_SHA512
-# define UNIX_EXTENDED_ENCRYPTION	sha512 shadow
-#else
-# define UNIX_EXTENDED_ENCRYPTION	md5 shadow
-#endif
-
-#define LIKEAUTH likeauth
-#define DEBUG_NOLOGIN
diff --git a/login.in b/login.in
deleted file mode 100644
index 5067bc7..0000000
--- a/login.in
+++ /dev/null
@@ -1,10 +0,0 @@
-#if HAVE_SECURETTY
-auth       required	pam_securetty.so
-#endif
-auth       include	system-local-login
-
-account    include	system-local-login
-password   include	system-local-login
-
-session    optional pam_lastlog.so DEBUG
-session    include	system-local-login
diff --git a/other.in b/other.in
deleted file mode 100644
index d8cb1fe..0000000
--- a/other.in
+++ /dev/null
@@ -1,4 +0,0 @@
-auth       required	pam_deny.so
-account    required	pam_deny.so
-password   required	pam_deny.so
-session    required	pam_deny.so
diff --git a/pambase.py b/pambase.py
new file mode 100755
index 0000000..1ebafbe
--- /dev/null
+++ b/pambase.py
@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+
+import argparse
+from jinja2 import Template, Environment, FileSystemLoader
+import pathlib
+
+
+def main():
+	parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files')
+	parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module')
+	parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
+	parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
+	parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')
+	parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module')
+	parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
+	parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')
+	parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module')
+	parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module')
+	parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module')
+	parser.add_argument('--minimal', action="store_true", help='install minimalistic PAM stack')
+	parser.add_argument('--debug', action="store_true", help='enable debug for selected modules')
+	parser.add_argument('--nullok', action="store_true", help='enable nullok option for pam_unix.so module')
+
+	parsed_args = parser.parse_args()
+	processed = process_args(parsed_args)
+
+	parse_templates(processed)
+
+
+def process_args(args):
+	# make sure that output directory exists
+	pathlib.Path("stack").mkdir(parents=True, exist_ok=True)
+
+	blank_variables = [
+		"krb5_authtok",
+		"unix_authtok",
+		"unix_extended_encryption",
+		"likeauth",
+		"nullok"
+	]
+
+	# create a blank dictionary
+	# then add in our parsed args
+	output = dict.fromkeys(blank_variables, "")
+	output.update(vars(args))
+
+	# unconditional variables
+	output["likeauth"] = "likeauth"
+	output["unix_authtok"] = "use_authtok"
+
+	if args.debug:
+		output["debug"] = "debug"
+
+	if args.nullok:
+		output["nullok"] = "nullok"
+
+	if args.krb5:
+		output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip()
+
+	if args.sha512:
+		output["unix_extended_encryption"] = "sha512 shadow"
+	else:
+		output["unix_extended_encryption"] = "md5 shadow"
+
+	return output
+
+
+def parse_templates(processed_args):
+	load = FileSystemLoader('')
+	env = Environment(loader=load)
+
+	templates = [
+		"login",
+		"other",
+		"passwd",
+		"system-local-login",
+		"system-remote-login",
+		"su",
+		"system-auth",
+		"system-login",
+		"system-service"
+	]
+
+	for template_name in templates:
+		template = env.get_template('templates/{0}.tpl'.format(template_name))
+
+		with open('stack/{0}'.format(template_name), "w+") as output:
+			rendered_template = template.render(processed_args)
+
+			if rendered_template:
+				output.write(rendered_template + "\n")
+
+
+if __name__ == "__main__":
+	main()
diff --git a/su.in b/su.in
deleted file mode 100644
index 889ecfe..0000000
--- a/su.in
+++ /dev/null
@@ -1,11 +0,0 @@
-auth       sufficient	pam_rootok.so
-auth       required     pam_wheel.so use_uid
-auth       include		system-auth
-
-account    include		system-auth
-
-password   include		system-auth
-
-session    include		system-auth
-session    required     pam_env.so
-session    optional		pam_xauth.so
diff --git a/system-auth.in b/system-auth.in
deleted file mode 100644
index 9ae09e4..0000000
--- a/system-auth.in
+++ /dev/null
@@ -1,57 +0,0 @@
-#if HAVE_ENV
-auth		required	pam_env.so DEBUG
-#endif
-
-#if HAVE_PAM_SSH
-auth		sufficient	pam_ssh.so
-#endif
-#if HAVE_KRB5
-auth		KRB5_CONTROL	pam_krb5.so KRB5_PARAMS
-#endif
-auth		required	pam_unix.so try_first_pass LIKEAUTH NULLOK DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-auth		optional	pam_permit.so
-
-#if HAVE_FAILLOCK
-auth            required        pam_faillock.so preauth silent audit deny=3 unlock_time=600
-auth            sufficient      pam_unix.so nullok try_first_pass
-auth            [default=die]   pam_faillock.so authfail audit deny=3 unlock_time=600
-#endif
-
-#if HAVE_KRB5
-account		KRB5_CONTROL	pam_krb5.so KRB5_PARAMS
-#endif
-account		required	pam_unix.so DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-account		optional	pam_permit.so
-
-#if HAVE_FAILLOCK
-account         required        pam_faillock.so
-#endif
-
-#if HAVE_PASSWDQC
-password	required	pam_passwdqc.so min=8,8,8,8,8 retry=3
-#endif
-#if HAVE_KRB5
-password	KRB5_CONTROL	pam_krb5.so KRB5_PARAMS
-#endif
-password	required	pam_unix.so try_first_pass UNIX_AUTHTOK NULLOK UNIX_EXTENDED_ENCRYPTION DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-password	optional	pam_permit.so
-
-#if HAVE_PAM_SSH
-session		optional	pam_ssh.so
-#endif
-
-#if HAVE_SYSTEMD
--session        optional        pam_systemd.so
-#endif
-
-#if HAVE_ELOGIND
--session        optional        pam_elogind.so
-#endif
-
-#if HAVE_LIBCAP
-auth		optional	pam_cap.so
-#endif
-#include "system-session.inc"
diff --git a/system-login.in b/system-login.in
deleted file mode 100644
index ee03613..0000000
--- a/system-login.in
+++ /dev/null
@@ -1,58 +0,0 @@
-
-#if HAVE_SHELLS
-auth		required	pam_shells.so DEBUG
-#endif
-#if SUPPORT_NOLOGIN_AUTH
-auth		required	pam_nologin.so DEBUG_NOLOGIN
-#endif
-auth		include		system-auth
-
-#if HAVE_FAILLOCK
-auth            required        pam_faillock.so preauth silent audit deny=3 unlock_time=600
-auth            sufficient      pam_unix.so nullok try_first_pass
-auth            [default=die]   pam_faillock.so authfail audit deny=3 unlock_time=600
-#endif
-
-#if HAVE_ACCESS
-account		required	pam_access.so DEBUG
-#endif
-#if HAVE_LOGIN_ACCESS
-account		required	pam_login_access.so
-#endif
-#if SUPPORT_NOLOGIN_ACCOUNT
-account		required	pam_nologin.so DEBUG_NOLOGIN
-#endif
-account		include		system-auth
-
-#if HAVE_FAILLOCK
-account         required        pam_faillock.so
-#endif
-
-password	include		system-auth
-
-#if HAVE_LOGINUID
-session         optional        pam_loginuid.so
-#endif
-#if HAVE_SELINUX
-session		required	pam_selinux.so close
-#endif
-#if HAVE_ENV
-session		required	pam_env.so envfile=/etc/profile.env DEBUG
-#endif
-#if HAVE_LASTLOG
-session		optional	pam_lastlog.so silent DEBUG
-#endif
-session		include		system-auth
-#if HAVE_CONSOLEKIT
-session		optional	pam_ck_connector.so nox11
-#endif
-#if HAVE_SELINUX
- # Note: modules that run in the user's context must come after this line.
-session		required	pam_selinux.so multiple open
-#endif
-#if HAVE_MOTD
-session		optional	pam_motd.so motd=/etc/motd
-#endif
-#if HAVE_MAIL
-session		optional	pam_mail.so
-#endif
diff --git a/system-session.inc b/system-session.inc
deleted file mode 100644
index 2ba6964..0000000
--- a/system-session.inc
+++ /dev/null
@@ -1,25 +0,0 @@
-#if HAVE_LIMITS
-session		required	pam_limits.so DEBUG
-#endif
-#if HAVE_ENV
-session		required	pam_env.so DEBUG
-#endif
-#if HAVE_MKTEMP
-session		optional	pam_mktemp.so
-#endif
-
-/* Only Linux-PAM supports session chain for pam_unix; but if it were
-   to not support it for whatever reason, still execute pam_krb5, with
-   sufficient level instead. */
-#if SUPPORT_UNIX_SESSION
-# if HAVE_KRB5
-session		KRB5_CONTROL	pam_krb5.so KRB5_PARAMS
-# endif
-session		required	pam_unix.so DEBUG
-#else
-# if HAVE_KRB5
-session		sufficient	pam_krb5.so KRB5_PARAMS
-# endif
-#endif
-
-session		optional	pam_permit.so
diff --git a/templates/login.tpl b/templates/login.tpl
new file mode 100644
index 0000000..7476cb7
--- /dev/null
+++ b/templates/login.tpl
@@ -0,0 +1,9 @@
+{% if securetty -%}
+auth		required	pam_securetty.so
+{% endif -%}
+
+auth		include		system-local-login
+account		include		system-local-login
+password	include		system-local-login
+session		optional 	pam_lastlog.so {{ debug|default('', true) }}
+session		include		system-local-login
diff --git a/templates/other.tpl b/templates/other.tpl
new file mode 100644
index 0000000..f3b7198
--- /dev/null
+++ b/templates/other.tpl
@@ -0,0 +1,4 @@
+auth		required	pam_deny.so
+account		required	pam_deny.so
+password   	required	pam_deny.so
+session    	required	pam_deny.so
diff --git a/passwd.in b/templates/passwd.tpl
index 248bb7c..5f4f739 100644
--- a/passwd.in
+++ b/templates/passwd.tpl
@@ -1,7 +1,5 @@
 auth		sufficient	pam_rootok.so
 auth		include		system-auth
-
 account		include		system-auth
-
 password	include		system-auth
--password	optional	pam_gnome_keyring.so UNIX_AUTHTOK
+-password	optional	pam_gnome_keyring.so {{ unix_authtok }}
diff --git a/templates/su.tpl b/templates/su.tpl
new file mode 100644
index 0000000..a36b633
--- /dev/null
+++ b/templates/su.tpl
@@ -0,0 +1,8 @@
+auth		sufficient	pam_rootok.so
+auth		required	pam_wheel.so use_uid
+auth		include		system-auth
+account		include		system-auth
+password	include		system-auth
+session		include		system-auth
+session		required	pam_env.so
+session		optional	pam_xauth.so
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
new file mode 100644
index 0000000..13f5c0d
--- /dev/null
+++ b/templates/system-auth.tpl
@@ -0,0 +1,54 @@
+auth		required	pam_env.so {{ debug|default('', true) }}
+{% if pam_ssh -%}
+auth		sufficient	pam_ssh.so
+{% endif -%}
+
+{% if krb5 -%}
+auth        [success=1 default=ignore]      pam_krb5.so {{ krb5_params }}
+{% endif -%}
+
+auth		required	pam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }}
+auth		optional	pam_permit.so
+{% if not minimal -%}
+auth            required        pam_faillock.so preauth silent audit deny=3 unlock_time=600
+auth            sufficient      pam_unix.so {{ nullok|default('', true) }} try_first_pass
+auth            [default=die]   pam_faillock.so authfail audit deny=3 unlock_time=600
+{% endif -%}
+
+{% if krb5 -%}
+account		[success=1 default=ignore]	pam_krb5.so {{ krb5_params }}
+{% endif -%}
+account		required	pam_unix.so {{ debug|default('', true) }}
+account		optional	pam_permit.so
+{% if not minimal -%}
+account         required        pam_faillock.so
+{% endif -%}
+
+{% if passwdqc -%}
+password	required	pam_passwdqc.so min=8,8,8,8,8 retry=3
+{% endif -%}
+
+{% if krb5 -%}
+password	[success=1 default=ignore]	pam_krb5.so {{ krb5_params }}
+{% endif -%}
+
+password	required	pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+password	optional	pam_permit.so
+
+{%- if pam_ssh -%}
+session		optional	pam_ssh.so
+{% endif -%}
+
+{% if systemd -%}
+-session        optional        pam_systemd.so
+{% endif -%}
+
+{% if elogind -%}
+-session        optional        pam_elogind.so
+{% endif -%}
+
+{% if libcap -%}
+-session        optional        pam_libcap.so
+{% endif -%}
+
+{% include "templates/system-session.tpl" %}
diff --git a/system-local-login.in b/templates/system-local-login.tpl
index 2f415ed..2f415ed 100644
--- a/system-local-login.in
+++ b/templates/system-local-login.tpl
diff --git a/templates/system-login.tpl b/templates/system-login.tpl
new file mode 100644
index 0000000..2f404bc
--- /dev/null
+++ b/templates/system-login.tpl
@@ -0,0 +1,39 @@
+auth		required	pam_shells.so {{ debug|default('', true) }}
+auth		required	pam_nologin.so
+auth		include		system-auth
+{% if not minimal -%}
+auth            required        pam_faillock.so preauth silent audit deny=3 unlock_time=600
+auth            sufficient      pam_unix.so nullok try_first_pass
+auth            [default=die]   pam_faillock.so authfail audit deny=3 unlock_time=600
+{% endif -%}
+
+account		required	pam_access.so {{ debug|default('', true) }}
+account		required	pam_nologin.so
+account		include		system-auth
+{% if not minimal -%}
+account         required        pam_faillock.so
+{% endif -%}
+
+password	include		system-auth
+session         optional        pam_loginuid.so
+{% if selinux -%}
+session		required	pam_selinux.so close
+{% endif -%}
+
+session		required	pam_env.so envfile=/etc/profile.env {{ debug|default('', true) }}
+{% if not miniaml -%}
+session		optional	pam_lastlog.so silent {{ debug|default('', true) }}
+{% endif -%}
+session		include		system-auth
+{% if selinux -%}
+ # Note: modules that run in the user's context must come after this line.
+session		required	pam_selinux.so multiple open
+{% endif -%}
+
+{% if not minimal -%}
+session		optional	pam_motd.so motd=/etc/motd
+{% endif -%}
+
+{% if not minimal -%}
+session		optional	pam_mail.so
+{% endif -%}
diff --git a/system-remote-login.in b/templates/system-remote-login.tpl
index 2f415ed..2f415ed 100644
--- a/system-remote-login.in
+++ b/templates/system-remote-login.tpl
diff --git a/system-services.in b/templates/system-service.tpl
index 989267f..cbfab6f 100644
--- a/system-services.in
+++ b/templates/system-service.tpl
@@ -1,8 +1,4 @@
 auth		sufficient	pam_permit.so
-
 account		include		system-auth
-
-#if HAVE_LOGINUID
 session         optional        pam_loginuid.so
-#endif
-#include "system-session.inc"
+{% include "templates/system-session.tpl" %}
diff --git a/templates/system-session.tpl b/templates/system-session.tpl
new file mode 100644
index 0000000..f2622a8
--- /dev/null
+++ b/templates/system-session.tpl
@@ -0,0 +1,16 @@
+session		required	pam_limits.so {{ debug|default('', true) }}
+session		required	pam_env.so {{ debug|default('', true) }}
+{% if mktemp -%}
+session		optional	pam_mktemp.so
+{% endif -%}
+
+{%if krb5 -%}
+session		[success=1 default=ignore] {{ krb5_params }}
+{% endif -%}
+
+session		required	pam_unix.so {{ debug|default('', true) }}
+{%if krb5 -%}
+session         [success=1 default=ignore] {{ krb5_params }}
+{% endif -%}
+
+session		optional	pam_permit.so