diff --git a/src/opnsense/service/templates/OPNsense/Auth/+TARGETS b/src/opnsense/service/templates/OPNsense/Auth/+TARGETS
index 080a260ac..303d04bb0 100644
--- a/src/opnsense/service/templates/OPNsense/Auth/+TARGETS
+++ b/src/opnsense/service/templates/OPNsense/Auth/+TARGETS
@@ -1,3 +1,4 @@
 motd:/etc/motd
 sshd.pam:/etc/pam.d/sshd
+system.pam:/etc/pam.d/system
 sudoers:/usr/local/etc/sudoers.d/opnsense
diff --git a/src/opnsense/service/templates/OPNsense/Auth/system.pam b/src/opnsense/service/templates/OPNsense/Auth/system.pam
new file mode 100644
index 000000000..5936047d9
--- /dev/null
+++ b/src/opnsense/service/templates/OPNsense/Auth/system.pam
@@ -0,0 +1,31 @@
+#
+# $FreeBSD$
+#
+# System-wide defaults
+#
+
+# auth
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn allow_local
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+{% if system.disableintegratedauth|default('0') == '0' %}
+auth sufficient pam_opnsense.so
+{% endif %}
+auth required pam_unix.so no_warn try_first_pass nullok
+
+# account
+#account required pam_krb5.so
+account required pam_login_access.so
+{% if system.disableintegratedauth|default('0') == '0' %}
+account sufficient pam_opnsense.so
+{% endif %}
+account required pam_unix.so
+
+# session
+#session optional pam_ssh.so want_agent
+session required pam_lastlog.so no_fail
+
+# password
+#password sufficient pam_krb5.so no_warn try_first_pass
+password required pam_unix.so no_warn try_first_pass
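Review bot: The `auth required pam_unix.so no_warn try_first_pass nullok` line in the new system.pam keeps `nullok`, so a local account with an empty password field can still authenticate. Because `/etc/pam.d/system` is the policy other FreeBSD service files pull in with `include system`, that applies beyond a single service. Unless an empty-password account is deliberately relied on, I would drop the option: `auth required pam_unix.so no_warn try_first_pass`. In the account stack, `account sufficient pam_opnsense.so` precedes `account required pam_unix.so`, so a success from pam_opnsense presumably skips the pam_unix expiry checks. The module is not visible in this diff, so please confirm its account hook rejects disabled or expired users, and note that reliance in a comment above the line.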