pam.d + pam_google_authenticator, per user configuration

Nagy László Zsolt gandalf at
Mon May 9 09:54:28 UTC 2016


I would like to use pam google authenticator for the root user only.
Here is how it should work:

* from ssh, root login is not permitted

* only users in the wheel groups are allowed to gain root access with
the "su" command

* the policy for the su command should be able to configured so that it
adds additional authentication modules for the root user

My problem:

/etc/pam.d/su file can be configured as follows:

auth            sufficient             no_warn
auth            requisite       no_warn allow_local
auth            required             no_warn
auth            required        /usr/local/lib/

This will check google authentication codes for *all* users. There is no
way to turn it on for a single user, or for a group of users. In theory,
this could be possible, because by the time pam_google_authenticator is
used, PAM already knows the name of the user that needs to be logged in.
But I see no way for conditionally using an auth module.

Another possible option would be to rewrite the su command to use a
different policy for the root user (but that does not seem like a good

So the question is: how can I enable an authentication module for a
selected user?



More information about the freebsd-questions mailing list