auth [default=5 ignore=ignore]                   pam_jc_pki.so has_cert                            #0 if (user has binded cert): goto #1; else: auth by default;
auth [default=2 success=ignore]                  pam_succeed_if.so user ingroup jc_local_pin       #1 if (in group 'jc_local_pin'): goto #2; else: goto #4;
auth [default=ignore success=2]                  pam_succeed_if.so user ingroup jc_local_pass      #2 if (in group 'jc_local_pass'): goto #5; else: goto #3;
auth [default=die success=done]                  pam_jc_pki.so applet=-1                           #3 user only in 'jc_local_pin' group, so auth by pam_jc_pki or die, but if user hasn't cert auth by default
auth [default=ignore success=1]                  pam_succeed_if.so user ingroup jc_local_pass      #4 if (in group 'jc_local_pass'): auth by default; else: goto #5;
auth [default=die ignore=ignore success=done]    pam_jc_pki.so applet=-1                           #5 user in both groups, so try auth by pam_jc_pki if has token or auth by default
