pam.d + pam_google_authenticator, per user configuration
Nagy László Zsolt
gandalf at shopzeus.com
Mon May 9 11:23:38 UTC 2016
> auth sufficient pam_opie.so no_warn
> auth requisite pam_opieaccess.so no_warn allow_local
> auth required pam_unix.so no_warn
> auth required /usr/local/lib/pam_google_authenticator.so
Somebody coming from Linux has suggested that I use pam_listfile with
sense=deny option, but pam_listfile does not exist in FreeBSD.
This would be ideal:
auth sufficient pam_user.so not_target=root
auth required /usr/local/pam_google_authenticator.so
The imaginary "not_target" parameter of the imaginary "pam_user.so"
module would succeed, if the target user is not equal to the specified
user. Combined with the "scufficient" control-flag, it would break the
chain and succeed without asking for a google auth code. Otherwise the
chain would continue to the google authenticator.
I have tried to come up with a version that uses pam_group, but I
couldn't. It is possible to give "group=wheel" to pam_group, but it is
not possible to give "target user is not root".
More information about the freebsd-questions