diff --git a/factory/etc/pam.d/system-auth b/factory/etc/pam.d/system-auth
index cb4e5703616..60e657eb4b0 100644
--- a/factory/etc/pam.d/system-auth
+++ b/factory/etc/pam.d/system-auth
@@ -3,14 +3,13 @@
# You really want to adjust this to your local distribution. If you use this
# unmodified you are not building systems safely and securely.
+-auth [success=done authtok_err=bad perm_denied=bad maxtries=bad default=ignore] pam_systemd_home.so
auth sufficient pam_unix.so
--auth sufficient pam_systemd_home.so
auth required pam_deny.so
account required pam_nologin.so
--account sufficient pam_systemd_home.so
-account sufficient pam_unix.so
-account required pam_permit.so
+-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
+account required pam_unix.so
-password sufficient pam_systemd_home.so
password sufficient pam_unix.so sha512 shadow try_first_pass
diff --git a/man/pam_systemd.xml b/man/pam_systemd.xml
index f240cc755a9..c488e5bec4b 100644
--- a/man/pam_systemd.xml
+++ b/man/pam_systemd.xml
@@ -476,14 +476,13 @@ pam_set_data(handle, "systemd.runtime_max_sec", (void *)"3600", cleanup);
systemd-logind.service:
#%PAM-1.0
+-auth [success=done authtok_err=bad perm_denied=bad maxtries=bad default=ignore] pam_systemd_home.so
auth sufficient pam_unix.so
--auth sufficient pam_systemd_home.so
auth required pam_deny.so
account required pam_nologin.so
--account sufficient pam_systemd_home.so
-account sufficient pam_unix.so
-account required pam_permit.so
+-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
+account required pam_unix.so
-password sufficient pam_systemd_home.so
password sufficient pam_unix.so sha512 shadow try_first_pass
diff --git a/man/pam_systemd_home.xml b/man/pam_systemd_home.xml
index ed117cfed22..066a0386555 100644
--- a/man/pam_systemd_home.xml
+++ b/man/pam_systemd_home.xml
@@ -195,14 +195,13 @@ lennart@zeta$ cp -av /etc/skel ~/Areas/versuch1
systemd-homed.service to log in:
#%PAM-1.0
+ -auth [success=done authtok_err=bad perm_denied=bad maxtries=bad default=ignore] pam_systemd_home.so
auth sufficient pam_unix.so
--auth sufficient pam_systemd_home.so
auth required pam_deny.so
account required pam_nologin.so
--account sufficient pam_systemd_home.so
-account sufficient pam_unix.so
-account required pam_permit.so
+-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
+account required pam_unix.so
-password sufficient pam_systemd_home.so
password sufficient pam_unix.so sha512 shadow try_first_pass
diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
index 8a3c9e0165f..ce227445017 100644
--- a/src/login/systemd-user.in
+++ b/src/login/systemd-user.in
@@ -4,10 +4,9 @@
# Used by systemd --user instances.
{% if ENABLE_HOMED %}
--account sufficient pam_systemd_home.so
+-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
{% endif %}
-account sufficient pam_unix.so no_pass_expiry
-account required pam_permit.so
+account required pam_unix.so no_pass_expiry
{% if HAVE_SELINUX %}
session required pam_selinux.so close
diff --git a/src/run/systemd-run0.in b/src/run/systemd-run0.in
index 11f830b7b08..c628ef237d7 100644
--- a/src/run/systemd-run0.in
+++ b/src/run/systemd-run0.in
@@ -4,7 +4,7 @@
# Used by run0 sessions
{% if ENABLE_HOMED %}
--account sufficient pam_systemd_home.so
+-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
{% endif %}
account required pam_unix.so
diff --git a/test/units/TEST-46-HOMED.sh b/test/units/TEST-46-HOMED.sh
index 5d9799211e1..78bfefa48d7 100755
--- a/test/units/TEST-46-HOMED.sh
+++ b/test/units/TEST-46-HOMED.sh
@@ -576,12 +576,11 @@ if command -v ssh &>/dev/null && command -v sshd &>/dev/null && ! [[ -v ASAN_OPT
if [[ -f "$dir/pam.d/sshd" ]]; then
mv "$dir/pam.d/sshd" "$dir/pam.d/sshd.bak"
cat >"$dir/pam.d/sshd" <