From: Nagy László Zsolt <gandalf@shopzeus.com>
To: freebsd-questions@freebsd.org
Subject: pam.d + pam_google_authenticator, per user configuration
Date: Mon, 9 May 2016 11:45:32 +0200
Message-ID: <47a8a432-639b-98d4-c2bc-bd7f95cd1d03@shopzeus.com>

Hi!

I would like to use pam google authenticator for the root user only.
Here is how it should work:

* from ssh, root login is not permitted
* only users in the wheel group are allowed to gain root access with the "su" command
* the policy for the su command should be configurable so that it adds additional authentication modules for the root user

My problem: the /etc/pam.d/su file can be configured as follows:

    auth sufficient pam_opie.so no_warn no_fake_prompts
    auth requisite pam_opieaccess.so no_warn allow_local
    auth required pam_unix.so no_warn try_first_pass
    auth required /usr/local/lib/pam_google_authenticator.so

This will check google authentication codes for *all* users. There is no way to turn it on for a single user, or for a group of users. In theory, this could be possible, because by the time pam_google_authenticator is used, PAM already knows the name of the user that needs to be logged in. But I see no way for conditionally using an auth module.

Another possible option would be to rewrite the su command to use a different policy for the root user (but that does not seem like a good idea).

So the question is: how can I enable an authentication module for a selected user?

Thanks,

Laszlo
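To see why the policy above consults pam_google_authenticator for every user, here is an added example (not from the post or from FreeBSD) that parses the quoted /etc/pam.d/su policy and walks its auth stack with the standard control-flag semantics (sufficient, requisite, required, optional). The per-module success values passed in are constructed assumptions about what each module would return for a given user.

```python
"""Parse a pam.d policy file and simulate how the 'auth' chain is walked.
Constructed example around the /etc/pam.d/su policy from the mailing-list post."""
from __future__ import annotations

# Constructed sample: the su policy quoted in the post.
SU_POLICY = """\
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
auth required /usr/local/lib/pam_google_authenticator.so
"""

def parse_policy(text: str) -> list[tuple[str, str, str, list[str]]]:
    """Return one (facility, control, module, args) tuple per non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        facility, control, module, *args = fields
        entries.append((facility, control, module, args))
    return entries

def run_auth_stack(entries, results: dict[str, bool]) -> tuple[bool, list[str]]:
    """Walk the 'auth' facility. `results` maps module -> assumed outcome for this
    user (missing modules count as failure). Returns (authenticated, modules consulted)."""
    consulted: list[str] = []
    required_failed = False
    for facility, control, module, _args in entries:
        if facility != "auth":
            continue
        consulted.append(module)
        ok = results.get(module, False)
        if control == "sufficient":
            if ok and not required_failed:   # short-circuit: later modules are skipped
                return True, consulted
        elif control == "requisite":
            if not ok:                       # fail immediately, nothing else runs
                return False, consulted
        elif control == "required":
            if not ok:                       # remember the failure, keep going
                required_failed = True
        elif control != "optional":
            raise ValueError(f"unknown control flag {control!r}")
    return not required_failed, consulted
```

Feeding it a non-root user without OPIE and without a ~/.google_authenticator file shows all four modules being consulted, while a user whose OPIE response succeeds stops at the first line and is never asked for a Google code at all.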