Apparently PAM reacts differently on different systems (?) and if no
authoritative matching module is found might either succeed/fail,
depending on the system.
Let's lock this down explicitly, by hooking in pam_deny.so.
Of course, these PAM files are just examples, and no distro in its right
mind would ship these unmodified, but let's default to something safe.
Fixes: #12950
# This file is part of systemd.
auth sufficient pam_unix.so nullok try_first_pass
+auth required pam_deny.so
account required pam_nologin.so
account sufficient pam_unix.so
+account required pam_permit.so
password sufficient pam_unix.so nullok sha512 shadow try_first_pass try_authtok
+password required pam_deny.so
-session optional pam_loginuid.so
-session optional pam_systemd.so