(pam) switch normal console to pam, because we lock accounts locally now, console login should be switched at the same time

src/opnsense/service/templates/OPNsense/Auth/+TARGETS

@@ -1,3 +1,4 @@
 motd:/etc/motd
 sshd.pam:/etc/pam.d/sshd
+system.pam:/etc/pam.d/system
 sudoers:/usr/local/etc/sudoers.d/opnsense

src/opnsense/service/templates/OPNsense/Auth/system.pam

@@ -0,0 +1,31 @@
+#
+# $FreeBSD$
+#
+# System-wide defaults
+#
+
+# auth
+auth		sufficient	pam_opie.so		no_warn no_fake_prompts
+auth		requisite	pam_opieaccess.so	no_warn allow_local
+#auth		sufficient	pam_krb5.so		no_warn try_first_pass
+#auth		sufficient	pam_ssh.so		no_warn try_first_pass
+{% if system.disableintegratedauth|default('0') == '0' %}
+auth		sufficient	pam_opnsense.so
+{% endif %}
+auth		required	pam_unix.so		no_warn try_first_pass nullok
+
+# account
+#account	required	pam_krb5.so
+account		required	pam_login_access.so
+{% if system.disableintegratedauth|default('0') == '0' %}
+account		sufficient	pam_opnsense.so
+{% endif %}
+account		required	pam_unix.so
+
+# session
+#session	optional	pam_ssh.so		want_agent
+session		required	pam_lastlog.so		no_fail
+
+# password
+#password	sufficient	pam_krb5.so		no_warn try_first_pass
+password	required	pam_unix.so		no_warn try_first_pass