From: Nagy László Zsolt <gandalf@shopzeus.com>
To: freebsd-questions@freebsd.org
Subject: Re: pam.d + pam_google_authenticator, per user configuration
Date: Mon, 9 May 2016 13:23:35 +0200
Message-ID: <9ef3d7e6-85ff-11e2-0b6e-7003b09b7fe6@shopzeus.com>
In-Reply-To: <47a8a432-639b-98d4-c2bc-bd7f95cd1d03@shopzeus.com>
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> auth required pam_unix.so no_warn try_first_pass
> auth required /usr/local/lib/pam_google_authenticator.so

Somebody coming from Linux has suggested that I use pam_listfile with the sense=deny option, but pam_listfile does not exist in FreeBSD.

This would be ideal:

auth sufficient pam_user.so not_target=root
auth required /usr/local/pam_google_authenticator.so

The imaginary "not_target" parameter of the imaginary "pam_user.so" module would succeed if the target user is not equal to the specified user. Combined with the "sufficient" control flag, it would break the chain and succeed without asking for a Google auth code. Otherwise the chain would continue to the Google authenticator.

I have tried to come up with a version that uses pam_group, but I couldn't. It is possible to give "group=wheel" to pam_group, but it is not possible to give "target user is not root".
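To make the control-flag reasoning in the post concrete, here is an added Python model (not code from the thread or from FreeBSD) of how an OpenPAM-style auth chain evaluates required, requisite and sufficient entries; the "pam_user.so not_target=root" module is the poster's hypothetical, stubbed here, and pam_unix is placed ahead of it so a bad password can never be bypassed by the short-circuit.

```python
"""Toy evaluator for an OpenPAM-style auth chain (required/requisite/sufficient
only; binding and optional are not modelled). Module bodies are stubs driven by
constructed state, not real PAM modules."""
from dataclasses import dataclass
from typing import Callable, Dict, List

SUCCESS, AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"


@dataclass
class Entry:
    control: str                              # required | requisite | sufficient
    module: Callable[[str, Dict], str]        # (target user, state) -> result code
    name: str


def run_chain(chain: List[Entry], user: str, state: Dict) -> str:
    err = None                                # first failure of a 'required' entry
    for e in chain:
        r = e.module(user, state)
        state.setdefault("trace", []).append((e.name, r))
        if e.control == "sufficient":
            if r == SUCCESS and err is None:
                return SUCCESS                # short-circuit: rest of chain skipped
            continue                          # a failing 'sufficient' is simply ignored
        if r != SUCCESS:
            if e.control == "requisite":
                return r                      # fail immediately
            err = err or r                    # 'required': remember, keep going
    return err or SUCCESS


def pam_unix(user, state):                    # stub for pam_unix.so try_first_pass
    return SUCCESS if state["password_ok"] else AUTH_ERR

def not_target_root(user, state):             # stub for the hypothetical pam_user.so not_target=root
    return SUCCESS if user != "root" else AUTH_ERR

def google_auth(user, state):                 # stub for pam_google_authenticator.so
    state["otp_prompted"] = True
    return SUCCESS if state["otp_ok"] else AUTH_ERR


IDEAL_CHAIN = [
    Entry("required",   pam_unix,        "pam_unix.so try_first_pass"),
    Entry("sufficient", not_target_root, "pam_user.so not_target=root (hypothetical)"),
    Entry("required",   google_auth,     "pam_google_authenticator.so"),
]


def authenticate(user: str, password_ok: bool, otp_ok: bool = False, chain=IDEAL_CHAIN):
    """Return (final result, whether the OTP module was ever reached)."""
    state = {"password_ok": password_ok, "otp_ok": otp_ok, "otp_prompted": False}
    return run_chain(chain, user, state), state["otp_prompted"]
```

Running `authenticate("alice", True)` returns success without ever reaching the OTP module, while root is always asked for the code; a wrong password still falls through to the OTP prompt, so the chain does not reveal which factor failed.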