Starting with my original pam.d/login file :
auth include system-local-login account include system-local-login password include system-local-login session optional pam_lastlog.so session include system-local-login I need, as an option, the service of additional MODULE (let's say pam_kwallet5.so as an example)
auth include system-local-login auth optional MODULE account include system-local-login password include system-local-login session optional pam_lastlog.so session include system-local-login session optional MODULE PARAMs This achieves the goal as expected.
However, I now would lik to restrict this option to non-root users.
(let's say for example that, as root will never ever start kde, launching the kwalletd5 daemon at login serves no purpose)
I tried to find my way via the pam_listfile.so module but in vain.
EDIT 1 : Wondering wether creating a pseudo-conditionnal entry thanks to pam_exec.so in the way described here could be an acceptable solution.
EDIT 2 : Before discovering muru's better solution, I had managed to find a way thanks to pam_succeed_if.so used as follows :
auth include system-local-login auth [default=1 success=ignore] pam_succeed_if.so uid > 0 auth optional MODULE account include system-local-login password include system-local-login session optional pam_lastlog.so session include system-local-login session [default=1 success=ignore] pam_succeed_if.so uid > 0 session optional MODULE PARAMs muru's solution, based on the same principle of ignoring a given number of following rules is however nicer in that it uses a more dedicated module : pam_rootok.so
