// Only use_authtok (authentication token) when using cracklib or some other module
// that checks for passwords, or pam_krb5
#define AUTHTOK use_authtok

#if HAVE_CRACKLIB || HAVE_PASSWDQC
# define PASSWORD_STRENGTH 1
#endif

#if HAVE_KRB5 && PASSWORD_STRENGTH
# define KRB5_AUTHTOK AUTHTOK
#endif

#if HAVE_KRB5 || PASSWORD_STRENGTH
# define UNIX_AUTHTOK AUTHTOK
#else
# define UNIX_AUTHTOK
#endif

// Define DEBUG to an empty string unless it was required by the user
#ifndef DEBUG
#define DEBUG
#endif

#ifndef UNIX_EXTENDED_ENCRYPTION
#define UNIX_EXTENDED_ENCRYPTION
#endif

#ifndef LIKEAUTH
#define LIKEAUTH
#endif

#define KRB5_PARAMS DEBUG ignore_root try_first_pass

/* By using the extended Linux-PAM syntax for this, it is possible to
   fine-tune the Kerberos handling so that it works out of hte box on
   most desktop systems.

   What this control operation does is ignore failures and errors from
   Kerberos (falling back on local pam_unix auth), but if it's good,
   it'll skip over the following module (pam_unix) with an accepted
   status.

   IMPORTANT! Make sure that the only thing that comes right after
   pam_krb5 with KRB5_CONTROL is pam_unix!
 */
#define KRB5_CONTROL [success=1 default=ignore]