pam.d + pam_google_authenticator, per user configuration
Nagy László Zsolt
gandalf at shopzeus.com
Mon May 9 12:14:14 UTC 2016
Finally, I have found a solution. Followed the guide here:
http://blather.michaelwlucas.com/archives/2573
Shell script to /usr/sbin/pam_not_root.sh:
#!/bin/sh
# pam_exec.so exports the PAM_USER item as an environment variable.
# Exit 0 (success) for every user except root, 1 (failure) for root.
if [ "$PAM_USER" != "root" ]
then
    exit 0
else
    exit 1
fi
Last auth line of /etc/pam.d/su and /etc/pam.d/login:
auth include system
And here are the last two lines of /etc/pam.d/system:
# google auth
auth sufficient pam_exec.so /usr/sbin/pam_not_root.sh
auth required /usr/local/lib/pam_google_authenticator.so
How it works: If the target user is "root", then pam_not_root.sh returns
1, and the chain breaks with success. If the target user is "root", then
pam_not_root.sh returns 0, the chain continues with
pam_google_authenticator.so, and the chain succeeds only if
pam_google_authenticator.so succeeds.
I wonder why we don't have pam_listfile.so compiled by default in
FreeBSD? It is also true that a 7-line shell script solves the problem...
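To check what the two-line stack above really does under PAM's control flags, here is an added shell simulation (not from the post, FreeBSD, or pam_google_authenticator): a "sufficient" module that succeeds ends the auth stack with success right there, its failure is ignored and the next line runs, and "required" must then succeed, so with this ordering only root is taken through the OTP module. pam_not_root mirrors the posted script; the OTP verdict is a constructed stand-in for pam_google_authenticator's result.

```sh
#!/bin/sh
# Added example: evaluates the posted /etc/pam.d/system auth stack
#   auth sufficient pam_exec.so /usr/sbin/pam_not_root.sh
#   auth required   pam_google_authenticator.so
# for a given user without touching the real PAM configuration.

# Mirrors /usr/sbin/pam_not_root.sh: success (0) unless the user is root.
pam_not_root() {
    [ "$1" != "root" ]
}

# Walk the stack for user $1; $2 is "ok" or "fail", standing in for the
# pam_google_authenticator verdict (constructed, not a real OTP check).
# Returns 0 for authentication success, 1 for failure.
eval_stack() {
    user=$1
    otp=$2
    # Line 1, control flag "sufficient": success terminates the stack with
    # success because no earlier "required" module has failed.
    if pam_not_root "$user"; then
        echo "$user: pam_not_root succeeded -> sufficient -> auth OK (no OTP prompt)"
        return 0
    fi
    # A failing "sufficient" module is ignored; fall through to line 2.
    # Line 2, control flag "required": the stack result is this module's.
    if [ "$otp" = "ok" ]; then
        echo "$user: pam_not_root failed, OTP accepted -> auth OK"
        return 0
    fi
    echo "$user: pam_not_root failed, OTP rejected -> auth FAILED"
    return 1
}

# Constructed sample runs: a normal user and root with good/bad OTP.
eval_stack alice fail || echo "  -> denied"
eval_stack root ok    || echo "  -> denied"
eval_stack root fail  || echo "  -> denied"
```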