# Auth stack: routes the user by membership in 'jc_local_pin' / 'jc_local_pass'.
# Numeric actions (default=3, success=3, success=2, ignore=1) skip that many
# *modules*, not lines: inserting, removing or reordering a module line below
# silently re-targets every jump. Comment lines do not count.
#   only in 'jc_local_pin'          -> #2 pam_jc_nopki, then #3 pam_unix
#   in both groups, or in neither   -> #5 pam_jc_nopki, then #6 pam_unix (#6 is skipped if #5 returns PAM_IGNORE)
#   only in 'jc_local_pass'         -> #5 and #6 are skipped; no module in this fragment authenticates the user
# NOTE(review): the skipped paths leave this fragment without any module having
# returned success, so the result depends on what follows it - confirm that a
# real auth module and a final deny come after this fragment.
# NOTE(review): 'nullok' lets pam_unix accept an account whose stored password is
# empty; drop it unless blank-password accounts are intended.
# NOTE(review): 'use_first_pass' means pam_unix never prompts, so pam_jc_nopki
# presumably stores the password it obtains for pam_unix to check - verify.
auth [default=3 success=ignore]         pam_succeed_if.so user ingroup jc_local_pin             #0 in 'jc_local_pin': continue to #1; otherwise skip 3 modules to #4
auth [default=ignore success=3]         pam_succeed_if.so user ingroup jc_local_pass            #1 also in 'jc_local_pass': skip 3 modules to #5; otherwise continue to #2
auth [default=die success=ok]           pam_jc_nopki.so applet=-1                               #2 user only in 'jc_local_pin': pam_jc_nopki must succeed; any other result fails the stack at once (die)
auth [default=die success=done]         pam_unix.so nullok shadow use_first_pass                #3 pam_unix checks the already-supplied password: success ends the stack (done), anything else dies
auth [default=ignore success=2]         pam_succeed_if.so user ingroup jc_local_pass            #4 (not in 'jc_local_pin') in 'jc_local_pass': skip #5 and #6, auth is left to whatever follows; otherwise continue to #5
auth [default=die ignore=1 success=ok]  pam_jc_nopki.so applet=-1                               #5 user in both groups or in neither: success continues to #6; PAM_IGNORE skips #6 (presumably no token present - confirm); anything else dies
auth [default=die success=done]         pam_unix.so nullok shadow use_first_pass                #6 same check as #3: success ends the stack, anything else dies

# Password-change stack. Jump counts (success=1, default=2) skip modules, not
# lines, so keep them in sync when adding or removing a module line.
#   in 'jc_local_pin' or 'jc_local_pass' (either or both) -> #2 pam_jc_nopki, then #3 pam_unix
#   in neither group                                       -> #2 and #3 are skipped; the change is left to whatever follows
# NOTE(review): unlike the auth stack, a user only in 'jc_local_pass' is routed
# through pam_jc_nopki here - confirm this asymmetry is intended.
# NOTE(review): #3 is 'sufficient', so a pam_unix failure is ignored while the
# success recorded by #2 stands; if nothing stricter follows this fragment, a
# change could report success without shadow being updated - verify.
# NOTE(review): 'nullok' makes pam_unix tolerate an empty stored password, and
# 'audit' turns on pam_unix logging more verbose than 'debug' - confirm both
# are wanted and that the resulting logs are access-restricted.
password [default=ignore success=1]     pam_succeed_if.so user ingroup jc_local_pin             #0 in 'jc_local_pin': skip #1 and go to #2; otherwise continue to #1
password [default=2 success=ignore]     pam_succeed_if.so user ingroup jc_local_pass            #1 (not in 'jc_local_pin') in 'jc_local_pass': continue to #2; otherwise skip #2 and #3 (change handled by whatever follows)
password [default=die success=ok]       pam_jc_nopki.so applet=-1                               #2 user in at least one of the two groups: pam_jc_nopki must succeed; any other result fails the stack at once (die)
password sufficient                     pam_unix.so audit sha512 shadow nullok use_first_pass   #3 pam_unix writes the new password to shadow as a sha512 hash; success ends the stack, failure is ignored
