Home / server / Questions / 222637
Accepted
Brad
Asked: 2011-01-15 11:23:31 +0800 CST

sshd: How to enable PAM authentication for specific users under

  • 772

I am using sshd, and allow logins with public key authentication.

I want to allow select users to log in with a PAM two-factor authentication module.

Is there any way I can allow PAM two-factor authentication for a specific user?

By the same token - I only want to enable password authentication for specific accounts. I want my SSH daemon to reject the password authentication attempts to thwart would-be hackers into thinking that I will not accept password authentication - except for the case in which someone knows my heavily guarded secret account, which is password enabled. I want to do this for cases in which my SSH clients will not let me do either secret key, or two-factor authentication.

linux ssh pam

3 Answers

  1. Best Answer

    You could probably handle this with the pam_listfile module. Create an /etc/pam.d/sshd file that looks something like:

    auth requisite  pam_listfile.so item=user sense=allow file=/etc/authusers
auth sufficient pam_securid.so
auth required   pam_deny.so

    This would allow only people listed in /etc/authusers the ability to authenticate with a two-factor module (in our case, secureid). I haven't actually tested this configuration, but the theory is sound.

    You could make it simpler by allowing anyone to authenticate using two factor authentication; presumably, only those people with the appropriate devices/configuration would be able to succeed, so you'd get effectively the same behavior.

    • 9

  2. In order to disable two-factor auth for users without Google Authenticator configured, add the nullok option in /etc/pam.d/sshd:

    auth   required   pam_google_authenticator.so nullok

    For more details see: https://github.com/google/google-authenticator-libpam#setting-up-a-user

    • 7

  3. Using the below solution, PAM Module(google authenticator) can be disable for specific users-

    1) Create a user group on the Linux instance. MFA/PAM will be disabled for users present in this new group-

    sudo groupadd <groupname>

    2) Create User or add existing user to newly created group-

    sudo useradd <username>
sudo usermod -a -G <groupname> <username>

    3) Edit /etc/pam.d/sshd file and add the below statement to skip PAM module for the newly created group-

    auth [success=done default=ignore] pam_succeed_if.so user ingroup <groupname>

    Optional-

    If full access is required for this new group then add below line to visudo file-

    %<groupname>ALL=(ALL)       NOPASSWD: ALL

    When a user will be created and added to the new group, MFA will be skipped for those users.

    Referenced from -TechManyu Blog

    • 5