My current sshd PAM config:
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
I'm adding Google Authenticator but we're not ready to roll it out to all users.
I believe the following should require the Google Authenticator PAM for users in the 'gauth' group, but was hoping someone could check my work before I go locking myself out of SSH...
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup gauth
auth required pam_google_authenticator.so
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
Am I understanding correctly that "success=1" means "skip the next line if this is successful"?
I believe your understanding is correct, based on the pam documentation.
You should be able to make the changes, test, and revert if needed, as long as you open another connection to test with and leave your original ssh session connected (make sure it doesn't time out though!).
When playing around with the PAM stack I usually do not use the service that I actually want to modify, since it is a production service.
So in this case I would test with /etc/pam.d/login instead of ssh. login can be tested by simply calling:
If the PAM config looks good, I can transfer it to gdm, ssh or whatever. (Who needs a local login ;-)
And yes, success=n means, in case of success, skip the next n lines.
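To make the skip semantics asked about in the question (the proposed sshd stack and the "success=1" line) and confirmed in the answer above concrete, here is a small Python simulator of Linux-PAM control-flag dispatch as pam.conf(5) describes it. This is an added example, not code from the question, the answers, or Linux-PAM itself. It embeds constructed stand-ins for /etc/pam.d/sshd and /etc/pam.d/system-auth (the latter reduced to a single pam_unix.so line), a constructed group table, and fake module outcomes; the names PAM_FILES, GROUPS, load_stack, dispatch and check_auth are the example's own. Two points it makes that the prose does not: the N in success=N counts only lines of the same module type (the account and password lines between the two auth lines do not count), and an N larger than the number of auth lines left after it is a bad jump that fails the stack, so an off-by-one here is exactly the lockout the asker is worried about. include is modelled as splicing the other file's lines in place; substack is not modelled.

```python
# Added example (not code from the question or answers): a small simulator of
# Linux-PAM control-flag dispatch as described in pam.conf(5). It walks the
# proposed sshd 'auth' stack with fake module outcomes to show exactly what
# '[success=1 default=ignore]' skips, and what an over-long jump does.
import re

# Constructed stand-ins for /etc/pam.d/*; system-auth is reduced to one line,
# and 'sshd-badjump' is the same stack with the skip count off by one.
PAM_FILES = {
    "sshd": """\
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup gauth
auth required pam_google_authenticator.so
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
""",
    "sshd-badjump": """\
auth include system-auth
auth [success=2 default=ignore] pam_succeed_if.so quiet user notingroup gauth
auth required pam_google_authenticator.so
""",
    "system-auth": "auth required pam_unix.so\n",
}

GROUPS = {"gauth": {"alice"}}  # constructed: alice is enrolled, bob is not

# Keyword controls expanded to the bracket actions pam.conf(5) defines for them.
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

LINE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def load_stack(service, mtype):
    """Return [(actions, module, args)] for one module type, e.g. 'auth'.
    Other types are dropped, so a jump of N counts only lines of this type;
    'include' splices the other file's lines in place ('substack' not modelled)."""
    stack = []
    for raw in PAM_FILES[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line) if line else None
        if not m or m.group(1) != mtype:
            continue
        ctrl, module, args = m.group(2), m.group(3), m.group(4).split()
        if ctrl == "include":
            stack.extend(load_stack(module, mtype))
            continue
        spec = ctrl[1:-1] if ctrl.startswith("[") else KEYWORDS[ctrl]
        stack.append((dict(kv.split("=", 1) for kv in spec.split()), module, args))
    return stack

def run_module(module, args, user, have_token):
    """Constructed outcomes; the real modules prompt for and verify secrets."""
    if module == "pam_unix.so":
        return "success"  # assume the password was right
    if module == "pam_succeed_if.so" and args[-3:-1] == ["user", "notingroup"]:
        return "success" if user not in GROUPS.get(args[-1], set()) else "auth_err"
    if module == "pam_google_authenticator.so":
        return "success" if have_token else "auth_err"
    raise ValueError("module not modelled: " + module)

def dispatch(stack, user, have_token):
    """Walk one stack the way Linux-PAM's _pam_dispatch_aux() does and return
    (final status, modules that actually ran)."""
    impression, status, ran = None, "perm_denied", []
    i = 0
    while i < len(stack):
        actions, module, args = stack[i]
        ret = run_module(module, args, user, have_token)
        ran.append(module)
        action = actions.get(ret, actions.get("default", "bad"))
        i += 1
        if action.isdigit() or action in ("ok", "done"):
            if impression is None or (impression == "+" and status == "success"):
                impression, status = "+", ret
            if action.isdigit():  # success=N: skip the next N lines of this type
                i += int(action)
                if i > len(stack):  # more lines skipped than remain: bad jump, fail
                    return "perm_denied", ran
            elif action == "done" and impression == "+":
                break
        elif action in ("bad", "die"):
            if impression != "-":
                impression, status = "-", ret
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, "perm_denied"
        # 'ignore' (as in default=ignore): leave impression and status untouched
    return status, ran

def check_auth(service, user, have_token):
    """Outcome of a service's auth stack for one user (constructed modules)."""
    return dispatch(load_stack(service, "auth"), user, have_token)
```

Running check_auth("sshd", "bob", False) shows a user outside gauth passing on pam_unix.so alone, with pam_google_authenticator.so never executed; check_auth("sshd", "alice", False) shows an enrolled user failing without a token; and check_auth("sshd-badjump", "bob", False) shows that success=2 in the same position jumps past the end of the auth stack and denies everyone who is not in the group.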