pam.d + pam_google_authenticator, per user configuration

Nagy László Zsolt gandalf at
Mon May 9 12:14:14 UTC 2016

Finally, I have found a solution. Followed the guide here:

Shell script to /usr/sbin/

#!/bin/sh
# Exit 0 for any target user other than root, 1 for root.
if [ "$PAM_USER" != "root" ]; then
    exit 0
fi
exit 1

Last auth line of /etc/pam.d/su and /etc/pam.d/login:

auth            include         system

And here are the last two lines of /etc/pam.d/system:

# google auth
auth            sufficient /usr/sbin/
auth            required        /usr/local/lib/

How it works: If the target user is "root", then return
1, and the chain breaks with success. If the target user is "root", then return 0, the chain continues with, and the chain succeeds only if succeeds.

I wonder why we don't have compiled by default in
FreeBSD? It is also true that a 7 line shell script solves the problem...
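
The control-flag logic this message relies on, as an added example that is not part of the original post: a simplified shell model of how a "sufficient" gate followed by a "required" second-factor module is evaluated. The function names and the `prior` argument (the outcome of earlier "required" modules in the chain, which the post does not show) are assumptions.

```sh
#!/bin/sh
# Simplified model of a PAM auth chain tail:
#   auth sufficient <exec of the per-user gate script>
#   auth required   <second-factor module>
# Added example; names and inputs are constructed for illustration.

# Same decision as the posted script: status 0 for non-root, 1 for root.
user_gate() {
    [ "$1" != "root" ]
}

# eval_tail USER PRIOR OTP
#   PRIOR: ok|fail  outcome of earlier "required" modules (assumption)
#   OTP:   ok|fail  outcome of the second-factor module
# Prints "success" or "failure" for the whole chain.
eval_tail() {
    user=$1; prior=$2; otp=$3
    failed=0
    if [ "$prior" = "fail" ]; then failed=1; fi

    # "sufficient": a success ends the chain at once, but only when no
    # earlier "required" module has failed. A failure is not recorded.
    if user_gate "$user" && [ "$failed" -eq 0 ]; then
        echo success
        return 0
    fi

    # "required": a failure is recorded and decides the final result.
    if [ "$otp" = "fail" ]; then failed=1; fi

    if [ "$failed" -eq 0 ]; then echo success; else echo failure; fi
    return 0
}

# Constructed cases: user, earlier modules, second factor.
for c in "alice ok fail" "root ok ok" "root ok fail" "alice fail ok"; do
    # shellcheck disable=SC2086
    set -- $c
    printf '%-6s prior=%-4s otp=%-4s -> %s\n' "$1" "$2" "$3" "$(eval_tail "$1" "$2" "$3")"
done
```

The last case shows that the gate does not rescue a login whose earlier "required" module already failed: the chain runs on and still ends in failure.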

