From: Nagy László Zsolt
Date: Mon, 9 May 2016 14:14:11 +0200
Subject: Re: pam.d + pam_google_authenticator, per user configuration
To: freebsd-questions@freebsd.org

Finally, I have found a solution. Followed the guide here:

http://blather.michaelwlucas.com/archives/2573

Shell script to /usr/sbin/pam_not_root.sh:

    #!/bin/sh
    if [ -n "$PAM_USER" ] && [ "$PAM_USER" != "root" ]
    then
        exit 0
    else
        exit 1
    fi

Last auth line of /etc/pam.d/su and /etc/pam.d/login:

    auth include system

And here are the last two lines of /etc/pam.d/system:

    # google auth
    auth sufficient pam_exec.so /usr/sbin/pam_not_root.sh
    auth required /usr/local/lib/pam_google_authenticator.so

How it works:

If the target user is "root", then pam_not_root.sh returns 1, and the chain breaks with success. If the target user is "root", then pam_not_root.sh returns 0, the chain continues with pam_google_authenticator.so, and the chain succeeds only if pam_google_authenticator.so succeeds.

I wonder why we don't have pam_listfile.so compiled by default in FreeBSD? It is also true that a 7-line shell script solves the problem...
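
As an added example (not part of the original message and not code from FreeBSD or the Google Authenticator project), this sh sketch models how the two auth lines above resolve for different target users, so you can check which accounts actually reach the OTP module. The helper names `eval_chain` and `auth_result`, the simplified `sufficient`/`required` semantics, and the treatment of an empty `PAM_USER` as root are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: simplified model of the last two auth lines of /etc/pam.d/system.
# Assumption: every module earlier in the chain has already succeeded.

# Same decision as pam_not_root.sh; an empty or unset PAM_USER is explicitly
# treated like root (status 1), so the OTP module still runs for it.
pam_not_root() {
    if [ -n "${PAM_USER:-}" ] && [ "$PAM_USER" != "root" ]; then
        return 0
    fi
    return 1
}

# eval_chain "<control>:<rc> ..." prints "success" or "failure".
# Simplified control-flag semantics (hypothetical helper, not libpam itself):
#   sufficient + success -> chain succeeds at once if no required module failed
#   sufficient + failure -> ignored
#   required   + failure -> chain fails, later modules are still evaluated
eval_chain() {
    failed=0
    for entry in $1; do
        control=${entry%%:*}
        rc=${entry##*:}
        case "$control" in
            sufficient)
                if [ "$rc" -eq 0 ] && [ "$failed" -eq 0 ]; then
                    echo success
                    return 0
                fi ;;
            required)
                [ "$rc" -eq 0 ] || failed=1 ;;
        esac
    done
    if [ "$failed" -eq 0 ]; then echo success; else echo failure; fi
}

# auth_result <user> <otp_rc>: outcome for a target user when
# pam_google_authenticator.so would return <otp_rc> (0 = code accepted).
auth_result() {
    if (PAM_USER=$1; pam_not_root); then script_rc=0; else script_rc=1; fi
    eval_chain "sufficient:$script_rc required:$2"
}

# Constructed sample target users and OTP outcomes.
for user in alice root ""; do
    for otp_rc in 0 1; do
        printf 'user=%-7s otp_rc=%s -> %s\n' "${user:-<empty>}" "$otp_rc" "$(auth_result "$user" "$otp_rc")"
    done
done
```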