My current sshd PAM config:

#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

I'm adding Google Authenticator but we're not ready to roll it out to all users.

I believe the following should require the Google Authenticator PAM for users in the 'gauth' group, but was hoping someone could check my work before I go locking myself out of SSH...

#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup gauth
auth required pam_google_authenticator.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

Am I understanding correctly that "success=1" means "skip the next line if this is successful"?

ceejayoz

2 Answers

I believe your understanding is correct, based on the pam documentation.

You should be able to make the changes, test, and revert if needed, provided you open another connection to test with and leave your original ssh session connected (make sure it doesn't time out, though!).

benjarrell

When playing around with the PAM stack I usually do not use the service that I in fact want to modify, since this is a "production" service.

So in this case I would test with /etc/pam.d/login instead of ssh. login can be tested by simply calling:

login

If the PAM config looks good, I can transfer it to gdm, ssh or whatever. (Who needs a local login? ;-)

And yes, success=n means, in case of success, skip the next n lines.

cornelinux
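Both answers confirm the jump semantics, but the thing that actually decides whether pam_google_authenticator gets called is where the two new lines sit relative to `auth include system-auth`. The simulator below is an added example for this thread (not Linux-PAM code and not from any of the posters): it walks an auth stack the way pam.d(5) describes, including the `[success=N default=ignore]` jump and the difference between `include` and `substack` (a `done` inside an included file ends the whole stack). The `system-auth` contents, the group membership, and the per-module results are constructed assumptions; the assumed `system-auth` has `pam_unix` as `sufficient`, which is what a typical Red Hat style file looks like. It runs the questioner's ordering and a reordering (mine, not from the thread) with the two lines moved in front of the include.

```python
"""Minimal model of how Linux-PAM walks an 'auth' stack (added example, not Linux-PAM code).
Covers required/requisite/sufficient/optional and bracketed controls such as
[success=1 default=ignore]; 'include' is spliced in, so a 'done' inside it ends this stack."""
import re

KEYWORDS = {  # keyword controls expressed as retcode -> action, as in pam.d(5)
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def parse_control(text):
    """'required' or '[success=1 default=ignore]' -> retcode->action map."""
    if text.startswith("["):
        return dict(kv.split("=", 1) for kv in text[1:-1].split())
    return KEYWORDS[text]


def auth_stack(config, includes):
    """Flatten the 'auth' lines of a pam.d file into [(actions, module, args)]."""
    stack = []
    for raw in config.splitlines():
        raw = raw.split("#", 1)[0].strip()
        if not raw:
            continue
        typ, control, module, args = LINE.match(raw).groups()
        if typ != "auth":
            continue
        if control == "include":           # 'include', not 'substack': lines are inlined
            stack.extend(auth_stack(includes[module], includes))
        else:
            stack.append((parse_control(control), module, args))
    return stack


def run_auth(stack, outcomes):
    """outcomes: module -> retcode or callable(args) -> retcode.
    Returns (final retcode, modules actually invoked)."""
    invoked, impression, status, i = [], None, None, 0   # impression: None/True/False
    while i < len(stack):
        actions, module, args = stack[i]
        i += 1
        out = outcomes[module]
        ret = out(args) if callable(out) else out
        invoked.append(module)
        action = actions.get(ret, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if impression is not False:        # first failure fixes the stack's result
                impression, status = False, ret
            if action == "die":
                break
            continue
        # ok, done, or a jump N: the return counts unless a failure is already recorded
        if impression is None or (impression and status == "success"):
            impression, status = True, ret
        if action == "done" and impression:    # sufficient: stop here on success
            break
        if action.isdigit():                   # success=N: skip the next N modules
            i += int(action)
    return ("perm_denied" if impression is None else status), invoked


# Constructed stand-in for /etc/pam.d/system-auth (assumption: RHEL-style, pam_unix sufficient).
SYSTEM_AUTH = """
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required   pam_deny.so
"""
# The questioner's ordering: the two new lines come after the include.
PROPOSED = """
auth include system-auth
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup gauth
auth required pam_google_authenticator.so
"""
# Same lines moved in front of the include (my reordering, not from the thread).
REORDERED = """
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup gauth
auth required pam_google_authenticator.so
auth include system-auth
"""
GAUTH_MEMBERS = {"alice"}   # constructed group membership


def outcomes_for(user, password_ok, code_ok):
    """Constructed per-module results for one login attempt (no real modules are called)."""
    return {
        "pam_env.so": "success",
        "pam_unix.so": "success" if password_ok else "auth_err",
        "pam_deny.so": "auth_err",
        "pam_succeed_if.so": lambda args: "success" if user not in GAUTH_MEMBERS else "auth_err",
        "pam_google_authenticator.so": "success" if code_ok else "auth_err",
    }


def attempt(config, user, password_ok, code_ok):
    stack = auth_stack(config, {"system-auth": SYSTEM_AUTH})
    return run_auth(stack, outcomes_for(user, password_ok, code_ok))


if __name__ == "__main__":
    for label, cfg in (("proposed", PROPOSED), ("reordered", REORDERED)):
        for user, pw, code in (("alice", True, False), ("alice", True, True), ("bob", True, False)):
            result, ran = attempt(cfg, user, pw, code)
            print(f"{label:9} {user:5} pw_ok={pw!s:5} code_ok={code!s:5} -> {result:8} via {ran}")
```

Under the assumed `system-auth`, the questioner's ordering lets alice (a gauth member) in with just a correct password, because `pam_unix` is `sufficient` and its `done` ends the stack before `pam_succeed_if` or `pam_google_authenticator` ever run. With the two lines in front of the include, alice needs a valid code, bob skips the module via the `success=1` jump, and a wrong password is still refused. Whether this applies to a real system depends on what its `system-auth` actually contains; if the included file uses `required` throughout, the original placement behaves as the questioner expects.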