> I'm assuming that the stuff that goes into /etc/pam.d/common-session-pc is one
> line, not two, right?

Yes. See also the man page pam_succeed_if(8) or
http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html

You can of course also omit the second condition-triplet if you want, and for testing purposes, you can omit "quiet" so you have detailed information about the condition matching in your syslog.