pam.d + pam_google_authenticator, per user configuration

Nagy László Zsolt gandalf at
Mon May 9 11:23:38 UTC 2016

> auth            sufficient             no_warn
> no_fake_prompts
> auth            requisite       no_warn allow_local
> auth            required             no_warn
> try_first_pass
> auth            required        /usr/local/lib/
Somebody coming from Linux has suggested that I use pam_listfile with
the sense=deny option, but pam_listfile does not exist in FreeBSD.

This would be ideal:

auth sufficient not_target=root
auth required /usr/local/

The imaginary "not_target" parameter of the imaginary ""
module would succeed, if the target user is not equal to the specified
user. Combined with the "sufficient" control-flag, it would break the
chain and succeed without asking for a google auth code. Otherwise the
chain would continue to the google authenticator.

I have tried to come up with a version that uses pam_group, but I
couldn't. It is possible to give "group=wheel" to pam_group, but it is
not possible to give "target user is not root".
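
An added example, not part of the original post: one way to get the "target user is not root" check without the imaginary module is a small script run through pam_exec under the "sufficient" control flag. It assumes FreeBSD's pam_exec exports PAM_USER and PAM_SM_FUNC to the program; the script path and function names are hypothetical. It goes beyond the post by testing for uid 0 rather than the name root, so a uid-0 alias such as toor is still sent to the second factor.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical install path:
#   /usr/local/libexec/otp_exempt.sh   (root-owned, not writable by others)
# Intended pam.d use (assumption: FreeBSD pam_exec):
#   auth sufficient pam_exec.so /usr/local/libexec/otp_exempt.sh
#   auth required   <the google authenticator line from the post>
# Exit 0     = target user is exempt; "sufficient" ends the chain with success.
# Other exit = not exempt; the failure is ignored and the chain continues
#              to the OTP module.

# Resolve a login name to its numeric uid; fails for unknown users.
uid_of() {
    id -u "$1" 2>/dev/null
}

# Return 0 only for an existing account whose uid is not 0.
otp_exempt() {
    user=$1
    # Fail closed on a missing or odd-looking name (also keeps a leading
    # "-" from being parsed as an option by id).
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    uid=$(uid_of "$user") || return 1
    case $uid in
        ''|*[!0-9]*) return 1 ;;   # not a number: treat as not exempt
        0) return 1 ;;             # root, toor or any other uid-0 account
    esac
    return 0
}

# Act as a program only when pam_exec started us (it sets PAM_SM_FUNC).
if [ -n "${PAM_SM_FUNC:-}" ]; then
    otp_exempt "${PAM_USER:-}"
    exit $?
fi
```

Because the check fails closed, an unknown or malformed user name falls through to the authenticator line instead of skipping it.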

More information about the freebsd-questions mailing list