Date:      Mon, 9 May 2016 14:14:11 +0200
From:      Nagy László Zsolt <gandalf@shopzeus.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: pam.d + pam_google_authenticator, per user configuration
Message-ID:  <25078578-3079-028b-87bc-86838dd86428@shopzeus.com>
In-Reply-To: <9ef3d7e6-85ff-11e2-0b6e-7003b09b7fe6@shopzeus.com>
References:  <47a8a432-639b-98d4-c2bc-bd7f95cd1d03@shopzeus.com> <9ef3d7e6-85ff-11e2-0b6e-7003b09b7fe6@shopzeus.com>

Finally, I have found a solution. Followed the guide here:
http://blather.michaelwlucas.com/archives/2573

Shell script at /usr/sbin/pam_not_root.sh:

#!/bin/sh
# pam_exec.so passes the target account name in the PAM_USER environment variable.
# Exit 0 (PAM success) for any user other than root, so the "sufficient" pam_exec
# line ends the auth stack before pam_google_authenticator.so is reached.
# Exit 1 (PAM failure) for root, and also if PAM_USER is unset, so the stack
# falls through to the "required" pam_google_authenticator.so line (fail closed).
if [ -n "$PAM_USER" ] && [ "$PAM_USER" != "root" ]
then
    exit 0
else
    exit 1
fi

Last auth line of /etc/pam.d/su and /etc/pam.d/login:

auth            include         system

And here are the last two lines of /etc/pam.d/system:

# google auth
auth            sufficient      pam_exec.so /usr/sbin/pam_not_root.sh
auth            required        /usr/local/lib/pam_google_authenticator.so

How it works: If the target user is "root", then pam_not_root.sh returns
1, and the chain breaks with success. If the target user is "root", then
pam_not_root.sh returns 0, the chain continues with
pam_google_authenticator.so, and the chain succeeds only if
pam_google_authenticator.so succeeds.

I wonder why we don't have pam_listfile.so compiled by default in
FreeBSD? It is also true that a 7-line shell script solves the problem...

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?25078578-3079-028b-87bc-86838dd86428>
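The following is an added example, not part of the mail above and not code from FreeBSD or pam_google_authenticator. It models, in plain sh, how PAM walks an auth stack built from the two control flags the mail uses ("sufficient" and "required"), and applies that model to the two lines added to /etc/pam.d/system. The modules are simulated: mod_not_root follows the pam_not_root.sh logic, and mod_gauth stands in for pam_google_authenticator.so, driven by a constructed OTP_OK variable instead of a real TOTP check. It goes one step beyond the mail by also evaluating the same two lines in the opposite order, to show that the short-circuit only protects non-root users when the sufficient line comes first.

```shell
#!/bin/sh
# Added example: a tiny model of PAM auth-stack evaluation for the control
# flags "sufficient" and "required". Module results are simulated; nothing
# here talks to real PAM.

# Simulated pam_exec.so running pam_not_root.sh: success (0) for any user
# other than root, failure (1) for root or an empty user name.
mod_not_root() {
    [ -n "$1" ] && [ "$1" != "root" ]
}

# Simulated pam_google_authenticator.so. OTP_OK=1 is a constructed stand-in
# for "the user typed a valid code"; the real module does a TOTP check.
mod_gauth() {
    [ "${OTP_OK:-0}" = "1" ]
}

# pam_eval USER "control module" ... : walk the stack with PAM semantics.
#   required   a failure is remembered but evaluation continues, so the
#              user cannot tell which line rejected them; success continues
#   sufficient success ends the stack with an overall success, unless an
#              earlier required line already failed; failure is ignored
# Prints the final verdict, "success" or "failure".
pam_eval() {
    user=$1; shift
    failed=0
    for line in "$@"; do
        control=${line%% *}
        module=${line#* }
        if "mod_$module" "$user"; then rc=0; else rc=1; fi
        case "$control" in
            required)
                [ "$rc" -eq 0 ] || failed=1 ;;
            sufficient)
                if [ "$rc" -eq 0 ] && [ "$failed" -eq 0 ]; then
                    echo success; return 0
                fi ;;
            *)
                echo "unknown control flag: $control" >&2; return 2 ;;
        esac
    done
    if [ "$failed" -eq 0 ]; then echo success; else echo failure; fi
}

# The two lines from the mail, in the mail's order: non-root users stop at
# the sufficient line and never see the OTP prompt; root falls through and
# succeeds only if the OTP module succeeds.
mail_stack() {
    pam_eval "$1" "sufficient not_root" "required gauth"
}

# The same two lines reversed: the required OTP line is evaluated first,
# so every user, root or not, has to pass the OTP check.
reversed_stack() {
    pam_eval "$1" "required gauth" "sufficient not_root"
}

# Stand-alone demonstration.
OTP_OK=0
echo "alice, mail order, no OTP:       $(mail_stack alice)"
echo "root,  mail order, no OTP:       $(mail_stack root)"
echo "alice, reversed order, no OTP:   $(reversed_stack alice)"
OTP_OK=1
echo "root,  mail order, valid OTP:    $(mail_stack root)"
```

Run it with sh to see the four verdicts. The point to take away is that "sufficient" on the pam_exec line is what exempts non-root users, and that exemption depends on that line sitting before the "required" pam_google_authenticator.so line, exactly as the mail places them.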