Date: Mon, 9 May 2016 11:45:32 +0200
From: Nagy László Zsolt <gandalf@shopzeus.com>
To: freebsd-questions@freebsd.org
Subject: pam.d + pam_google_authenticator, per user configuration
Message-ID: <47a8a432-639b-98d4-c2bc-bd7f95cd1d03@shopzeus.com>
Hi!

I would like to use pam google authenticator for the root user only. Here is how it should work:

* from ssh, root login is not permitted
* only users in the wheel group are allowed to gain root access with the "su" command
* the policy for the su command should be able to be configured so that it adds additional authentication modules for the root user

My problem: the /etc/pam.d/su file can be configured as follows:

auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
auth required /usr/local/lib/pam_google_authenticator.so

This will check google authentication codes for *all* users. There is no way to turn it on for a single user, or for a group of users. In theory, this could be possible, because by the time pam_google_authenticator is used, PAM already knows the name of the user that needs to be logged in. But I see no way for conditionally using an auth module.

Another possible option would be to rewrite the su command to use a different policy for the root user (but that does not seem like a good idea).

So the question is: how can I enable an authentication module for a selected user?

Thanks,

Laszlo
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47a8a432-639b-98d4-c2bc-bd7f95cd1d03>
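For reference, an added example that is not part of Laszlo's message and not a file shipped by FreeBSD or the port: pam_google_authenticator itself has a per-user switch that the PAM policy syntax lacks. Its documented `nullok` option lets a user who has no ~/.google_authenticator secret file through on the password alone, while a user who has one must also enter a code. This matters on FreeBSD because OpenPAM only knows the required/requisite/sufficient/optional/binding control flags and has no Linux-PAM `[success=N default=ignore]` jump syntax, so a module cannot be skipped conditionally in the policy file. The policy below is the auth section from the post with that one option added (the module path is the one the security/pam_google_authenticator port installs).

```text
# /etc/pam.d/su, auth section only (added example; the post's policy plus nullok)
auth  sufficient  pam_opie.so        no_warn no_fake_prompts
auth  requisite   pam_opieaccess.so  no_warn allow_local
auth  required    pam_unix.so        no_warn try_first_pass
# nullok: an account with no ~/.google_authenticator is not prompted and is
# accepted on the password alone; root, who has one, must also give a code.
auth  required    /usr/local/lib/pam_google_authenticator.so  nullok
```

To turn the check on for root only, run `google-authenticator` as root so that /root/.google_authenticator exists, and make sure no other account's home directory contains such a file. Note that nullok makes the check opt-in per home directory: any user who creates a secret file is enrolled, but nobody can be forced, so root should remain the only account that has one. The wheel-only restriction asked for in the post is a separate matter: FreeBSD's stock /etc/pam.d/su carries pam_rootok, pam_self and a pam_group line limiting su-to-root to group wheel, and su(1) itself refuses root targets for callers outside wheel; keep those lines if the stock file is replaced with the one above.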