From ffdb64f327e4282cfe9534dbd1ce6e780de30e5d Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Tue, 5 Jul 2016 06:26:17 +0000
Subject: [PATCH] Disable the password: fallback on token failure

There is nothing in system-auth that we don't have in the pam module, so this should allow us to remove pam_unix just fine. Currently only for stg.

Signed-off-by: Patrick Uiterwijk
---
 files/2fa/sudo.pam | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/files/2fa/sudo.pam b/files/2fa/sudo.pam
index aa59ebf7a7..ae846a7665 100644
--- a/files/2fa/sudo.pam
+++ b/files/2fa/sudo.pam
@@ -4,7 +4,10 @@
 auth sufficient pam_url.so config=/etc/pam_url.conf
 auth requisite pam_succeed_if.so uid >= 500 quiet
 auth required pam_deny.so
+{% if env == "production" %}
 auth include system-auth
+{% endif %}
+
 account include system-auth
 password include system-auth
 session optional pam_keyinit.so revoke
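Review bot: The new guard `{% if env == "production" %}` drops the `auth include system-auth` line from every environment that is not literally named production, whereas the commit message says the change is meant for stg only, so any other or misspelled `env` value would also end up on the pam_url-only stack. That fails toward the stricter configuration, but it leaves sudo on those hosts entirely dependent on the pam_url backend, which is worth stating in the template. A Jinja comment above the guard such as `{# system-auth fallback kept in production only until the pam_url-only stack is validated in stg #}` would record the intent without appearing in the rendered file. The `account` and `password` lines still include system-auth, so if the goal is to drop pam_unix altogether, as the message suggests, that is presumably a follow-up. The hunk shows only part of the file, so the lines above `pam_url.so` are not visible here.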