| # If we're not in dev-mode, skip to the system password stack. |
| auth [success=ignore default=4] pam_exec.so \ |
| quiet seteuid \ |
| /usr/bin/crossystem cros_debug?1 |
| |
| # Check if a custom devmode password file exists and prefer it. |
| auth [success=ignore default=1] pam_exec.so \ |
| quiet seteuid \ |
| /usr/bin/test -f /mnt/stateful_partition/etc/devmode.passwd |
| |
| # If we get to pwdfile, use it or bypass the password-less login. |
| auth [success=done default=2] pam_pwdfile.so \ |
| pwdfile /mnt/stateful_partition/etc/devmode.passwd |
| |
| # See if the account exists in /etc and does not yet have a system password |
| # set. Only then will we allow password-less login access (see below). |
| # For accounts not listed in /etc, or that have a password, we do not want |
| # to allow them to log in. |
| auth [success=ignore default=1] pam_exec.so \ |
| quiet seteuid \ |
| /usr/bin/awk -F: [ \ |
| BEGIN { ret = 1 } \ |
| $1 == ENVIRON["PAM_USER"\] && $2 == "*" { ret = 0 } \ |
| END { exit ret }] /etc/shadow |
| |
| # If we get here, allow password-less access |
| auth sufficient pam_exec.so \ |
| quiet seteuid \ |
| /usr/bin/crossystem cros_debug?1 |
| |
| # Fallback to a system password if one was stamped in after initial build. |