Date: Mon, 9 May 2016 13:23:35 +0200
From: Nagy László Zsolt <gandalf@shopzeus.com>
To: freebsd-questions@freebsd.org
Subject: Re: pam.d + pam_google_authenticator, per user configuration
Message-ID: <9ef3d7e6-85ff-11e2-0b6e-7003b09b7fe6@shopzeus.com>
In-Reply-To: <47a8a432-639b-98d4-c2bc-bd7f95cd1d03@shopzeus.com>
References: <47a8a432-639b-98d4-c2bc-bd7f95cd1d03@shopzeus.com>
> auth sufficient pam_opie.so no_warn
> no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> auth required pam_unix.so no_warn
> try_first_pass
> auth required /usr/local/lib/pam_google_authenticator.so

Somebody coming from Linux has suggested that I use pam_listfile with the sense=deny option, but pam_listfile does not exist in FreeBSD.

This would be ideal:

auth sufficient pam_user.so not_target=root
auth required /usr/local/pam_google_authenticator.so

The imaginary "not_target" parameter of the imaginary "pam_user.so" module would succeed if the target user is not equal to the specified user. Combined with the "sufficient" control flag, it would break the chain and succeed without asking for a Google auth code. Otherwise the chain would continue to the Google authenticator.

I have tried to come up with a version that uses pam_group, but I couldn't. It is possible to give "group=wheel" to pam_group, but it is not possible to give "target user is not root".
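The control-flag reasoning in the message (a `sufficient` entry that short-circuits the stack before the OTP module is reached) can be traced with a small simulator of PAM auth stacking. This is an added example, not code from the thread or from FreeBSD's PAM; `pam_user`, `pam_unix` and `pam_google_authenticator` here are stand-in functions, and the imaginary `not_target` option is modelled exactly as the message describes it. It also shows the ordering caveat a reviewer would raise: the `sufficient` line must come after `pam_unix`, or a non-root user is accepted before the password is ever checked.

```python
# Toy evaluator for PAM "auth" stacking (OpenPAM/Linux-PAM style rules).
# Modules are simulated with plain functions; nothing here is real module code.

SUCCESS, FAILURE = "success", "failure"

def pam_user(ctx, not_target=None):
    """Imaginary module from the message: succeed iff target user != not_target."""
    return SUCCESS if ctx["user"] != not_target else FAILURE

def pam_unix(ctx):
    """Password check; ctx['password_ok'] is constructed test input."""
    return SUCCESS if ctx["password_ok"] else FAILURE

def pam_google_authenticator(ctx):
    """OTP check; also records that the user was prompted for a code."""
    ctx["asked_otp"] = True
    return SUCCESS if ctx["otp_ok"] else FAILURE

def run_auth_stack(stack, ctx):
    """Evaluate (control, module, options) entries in order.
    required:   failure is remembered, the chain continues.
    requisite:  failure ends the chain immediately.
    sufficient: success ends the chain unless a required entry already failed;
                failure is ignored.
    """
    failed = False
    for control, module, options in stack:
        result = module(ctx, **options)
        if control == "required" and result == FAILURE:
            failed = True
        elif control == "requisite" and result == FAILURE:
            return False
        elif control == "sufficient" and result == SUCCESS and not failed:
            return True
    return not failed

# Intended chain: password for everyone, OTP additionally required for root.
GOOD_STACK = [
    ("required",   pam_unix,                 {}),
    ("sufficient", pam_user,                 {"not_target": "root"}),
    ("required",   pam_google_authenticator, {}),
]

# Same entries with the sufficient line placed before pam_unix (the bug).
MISORDERED_STACK = [GOOD_STACK[1], GOOD_STACK[0], GOOD_STACK[2]]

def authenticate(stack, user, password_ok, otp_ok=False):
    """Return (authenticated, was_prompted_for_otp) for one login attempt."""
    ctx = {"user": user, "password_ok": password_ok, "otp_ok": otp_ok, "asked_otp": False}
    return run_auth_stack(stack, ctx), ctx["asked_otp"]
```

With `GOOD_STACK`, a non-root user logs in with a password alone and is never prompted for a code, while root needs both; with `MISORDERED_STACK`, a non-root user is accepted even with a wrong password.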