pam.d + pam_google_authenticator, per user configuration
Nagy László Zsolt
gandalf at shopzeus.com
Mon May 9 09:54:28 UTC 2016
Hi!
I would like to use pam google authenticator for the root user only.
Here is how it should work:
* from ssh, root login is not permitted
* only users in the wheel group are allowed to gain root access with
the "su" command
* the policy for the su command should be configurable so that it
adds additional authentication modules for the root user
My problem:
/etc/pam.d/su file can be configured as follows:
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
auth required /usr/local/lib/pam_google_authenticator.so
This will check google authentication codes for *all* users. There is no
way to turn it on for a single user, or for a group of users. In theory,
this could be possible, because by the time pam_google_authenticator is
used, PAM already knows the name of the user that needs to be logged in.
But I see no way for conditionally using an auth module.
Another possible option would be to rewrite the su command to use a
different policy for the root user (but that does not seem like a good
idea).
So the question is: how can I enable an authentication module for a
selected user?
Thanks,
Laszlo
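The usual way to get the effect asked for above, as an added example that is not part of the original post: OpenPAM has no per-user control syntax (only required, requisite, sufficient, optional and binding), but pam_google_authenticator's own "nullok" option makes the module succeed silently for any target user who has no secret file, and su's PAM user is the target user, so enrolling only root (creating /root/.google_authenticator) yields OTP for root alone. The wheel restriction is already expressed by the stock FreeBSD su policy's pam_group line with group=wheel and root_only. The script below is a check for that setup; it assumes the module path /usr/local/lib/pam_google_authenticator.so, the module's default secret location $HOME/.google_authenticator, and the script name check_su_otp.sh, all of which are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from the
# pam_google_authenticator project. Assumes FreeBSD's default /etc/pam.d/su
# layout, the module at /usr/local/lib/pam_google_authenticator.so and the
# module's default per-user secret path $HOME/.google_authenticator, so that
# its "nullok" option skips the OTP step for every target user who has no
# secret file; enrolling only root then gives root-only OTP on su.
#
# Intended /etc/pam.d/su auth section (constructed for this example):
#   auth  sufficient  pam_rootok.so  no_warn
#   auth  sufficient  pam_self.so    no_warn
#   auth  requisite   pam_group.so   no_warn group=wheel root_only fail_safe ruser
#   auth  required    pam_unix.so    no_warn try_first_pass
#   auth  required    /usr/local/lib/pam_google_authenticator.so nullok

# check_su_policy PAMFILE SECRETFILE
# Returns 0 if the su stack and root's secret file look as intended, 1
# otherwise, printing each problem on stderr.
check_su_policy() {
    pamfile=$1
    secret=$2
    rc=0
    sp='[[:space:]]'

    # Only wheel members may reach root through su (pam_group with root_only).
    if ! grep -Eq "^auth${sp}+requisite${sp}+pam_group\.so.*group=wheel.*root_only" "$pamfile"; then
        echo "$pamfile: no 'requisite pam_group.so ... group=wheel ... root_only' line" >&2
        rc=1
    fi

    # The OTP module must be required and must carry nullok; without nullok
    # every user lacking a secret file is locked out of su, not just root.
    if ! grep -Eq "^auth${sp}+required${sp}+[^[:space:]]*pam_google_authenticator\.so(${sp}|$)" "$pamfile"; then
        echo "$pamfile: pam_google_authenticator.so is not a required auth module" >&2
        rc=1
    elif ! grep -E "pam_google_authenticator\.so" "$pamfile" | grep -Eq "${sp}nullok(${sp}|$)"; then
        echo "$pamfile: pam_google_authenticator.so line lacks nullok" >&2
        rc=1
    fi

    # Root must actually be enrolled: a secret file whose first line is the
    # base32 TOTP seed, readable by its owner only.
    if [ ! -f "$secret" ]; then
        echo "$secret: missing; root is not enrolled, so su to root has no OTP step" >&2
        rc=1
    else
        if ! head -n 1 "$secret" | grep -Eq '^[A-Z2-7]{16,}$'; then
            echo "$secret: first line is not a base32 secret" >&2
            rc=1
        fi
        if [ "$(ls -ld "$secret" | cut -c5-10)" != "------" ]; then
            echo "$secret: group/other permission bits set; expected mode 0400 or 0600" >&2
            rc=1
        fi
    fi
    return $rc
}

# Run the check when invoked directly as check_su_otp.sh (assumed name);
# when sourced, only the function is defined.
case "${0##*/}" in
    check_su_otp.sh)
        check_su_policy "${1:-/etc/pam.d/su}" "${2:-/root/.google_authenticator}"
        ;;
esac
```

Run it as root after enrolling root with google-authenticator(1); a non-zero exit means either the stack or the secret file is not what the policy above expects. The caveat a practitioner should keep in mind: nullok turns an unenrolled account into one with no second factor, so enroll root before relying on the policy, and keep the ordering so that pam_unix still runs as required before the OTP prompt.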