11

I am using sshd, and allow logins with public key authentication.

I want to allow select users to log in with a PAM two-factor authentication module.

Is there any way I can allow PAM two-factor authentication for a specific user?

By the same token - I only want to enable password authentication for specific accounts. I want my SSH daemon to reject password authentication attempts, to fool would-be hackers into thinking that I will not accept password authentication - except for the case in which someone knows my heavily guarded secret account, which is password enabled. I want to do this for cases in which my SSH clients will not let me do either secret key or two-factor authentication.

2
  • Which two-factor product? Commented Jan 14, 2011 at 19:29
  • google-authenticator Commented Jan 16, 2011 at 17:07

3 Answers

9

You could probably handle this with the pam_listfile module. Create an /etc/pam.d/sshd file that looks something like:

auth requisite pam_listfile.so item=user sense=allow file=/etc/authusers
auth sufficient pam_securid.so
auth required pam_deny.so

This would allow only people listed in /etc/authusers the ability to authenticate with a two-factor module (in our case, SecurID). I haven't actually tested this configuration, but the theory is sound.

You could make it simpler by allowing anyone to authenticate using two factor authentication; presumably, only those people with the appropriate devices/configuration would be able to succeed, so you'd get effectively the same behavior.

1
  • I'm doing something sorta similar - I have sshd allow Chal/Resp and Secret Key. Only one account is actually configured for the Google-Authenticator challenge/response - so other accounts MUST use the Secret Key only. I guess this is as good as I am going to get... Commented Jan 16, 2011 at 17:10
7

In order to disable two-factor auth for users without Google Authenticator configured, add the nullok option in /etc/pam.d/sshd:

auth required pam_google_authenticator.so nullok 

For more details see: https://github.com/google/google-authenticator-libpam#setting-up-a-user

6

Using the solution below, the PAM module (Google Authenticator) can be disabled for specific users:

1) Create a user group on the Linux instance. MFA/PAM will be disabled for users present in this new group:

sudo groupadd <groupname>

2) Create a user, or add an existing user to the newly created group:

sudo useradd <username>
sudo usermod -a -G <groupname> <username>

3) Edit the /etc/pam.d/sshd file and add the statement below to skip the PAM module for the newly created group:

auth [success=done default=ignore] pam_succeed_if.so user ingroup <groupname>

Optional:

If full access is required for this new group, add the line below via visudo:

%<groupname> ALL=(ALL) NOPASSWD: ALL

When a user is created and added to the new group, MFA will be skipped for that user.

Referenced from TechManyu Blog

1
  • I would mention that the auth [success=done default=ignore] pam_succeed_if.so user ingroup <groupname> command in pam.d comes before the command that requires 2FA (e.g. auth required pam_google_authenticator.so) Commented Nov 17, 2024 at 22:00
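The following script is an added example, not code from any of the answers above. It takes the group-based skip from the third answer together with the nullok option from the second, renders it into a staging directory alongside the sshd_config settings it relies on, and lints the ordering pitfall raised in the comment: the pam_succeed_if line has to come before the line that enforces 2FA, otherwise pam_google_authenticator runs first and the skip never takes effect. It also makes one caveat explicit that a practitioner should know: success=done ends the PAM auth stack with success for group members, so this stack is only safe when sshd has already verified a public key before reaching it and password authentication is disabled. The group name "nomfa" is hypothetical, and nothing under /etc is modified; copy the staged files into place by hand after review.

```shell
#!/bin/sh
# Added example, not from the answers above: stage a per-group MFA skip for
# sshd (third answer) and lint the PAM ordering pitfall from the comment.
# Assumed names: hypothetical group "nomfa"; files go to a temp directory,
# nothing under /etc is touched.
set -eu

# Write a PAM auth stack for sshd.  $1 = output file, $2 = group whose members
# skip the OTP prompt.  success=done ends the auth stack with success, so this
# stack must only be reached after sshd has verified a public key (see the
# sshd_config below); never combine it with PasswordAuthentication yes.
render_pam_sshd() {
    cat > "$1" <<EOF
# Members of $2 skip the OTP prompt; everyone else must present one.
auth [success=done default=ignore] pam_succeed_if.so user ingroup $2
# nullok lets users who have not enrolled yet log in without an OTP
# (second answer); drop it once everyone has a secret configured.
auth required pam_google_authenticator.so nullok
# Password auth is disabled in sshd_config, so common-auth is left out here.
EOF
}

# Write the sshd_config settings this PAM stack depends on.  $1 = output file.
render_sshd_config() {
    cat > "$1" <<'EOF'
UsePAM yes
PasswordAuthentication no
# On OpenSSH older than 8.7 this option is called ChallengeResponseAuthentication.
KbdInteractiveAuthentication yes
# Public key first, then the PAM stack (the OTP prompt) for everyone.
AuthenticationMethods publickey,keyboard-interactive
EOF
}

# Lint: return 0 if the first group-skip line precedes the first
# pam_google_authenticator line, 1 if either is missing or the order is wrong.
pam_skip_precedes_mfa() {
    skip=$(grep -n '^auth.*pam_succeed_if\.so.*ingroup' "$1" | head -n 1 | cut -d: -f1)
    mfa=$(grep -n '^auth.*pam_google_authenticator\.so' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$skip" ] && [ -n "$mfa" ] && [ "$skip" -lt "$mfa" ]
}

# Stage both files and run the lint over the PAM stack.
stage=$(mktemp -d "${TMPDIR:-/tmp}/sshd-mfa.XXXXXX")
render_pam_sshd "$stage/pam.d-sshd" nomfa
render_sshd_config "$stage/sshd_config-fragment"
if pam_skip_precedes_mfa "$stage/pam.d-sshd"; then
    echo "ok: group skip precedes pam_google_authenticator in $stage/pam.d-sshd"
else
    echo "ERROR: pam_google_authenticator would run before the group skip" >&2
    exit 1
fi
```

After copying the staged files into /etc/pam.d/sshd and /etc/ssh/sshd_config, `sshd -T -C user=<name>` prints the configuration sshd would apply to that user, which is the quickest way to confirm that AuthenticationMethods is what you expect before restarting the daemon and before closing your existing session.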
