pam.d + pam_google_authenticator, per user configuration

Nagy László Zsolt gandalf at shopzeus.com
Mon May 9 09:54:28 UTC 2016


  Hi!

I would like to use pam google authenticator for the root user only.
Here is how it should work:

* from ssh, root login is not permitted

* only users in the wheel groups are allowed to gain root access with
the "su" command

* the policy for the su command should be able to configured so that it
adds additional authentication modules for the root user

My problem:

/etc/pam.d/su file can be configured as follows:

auth            sufficient      pam_opie.so             no_warn
no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            required        pam_unix.so             no_warn
try_first_pass
auth            required        /usr/local/lib/pam_google_authenticator.so

This will check google authentication codes for *all* users. There is no
way to turn it on for a single user, or for a group of users. In theory,
this could be possible, because by the time pam_google_authenticator is
used, PAM already knows the name of the user that needs to be logged in.
But I see no way for conditionally using an auth module.

Another possible option would be to rewrite the su command to use a
different policy for the root user (but that does not seem like a good
idea).

So the question is: how can I enable an authentication module for a
selected user?

Thanks,

   Laszlo





More information about the freebsd-questions mailing list