I have installed and configured PAM on my Ubuntu server which is working correctly. To log in I want to require an SSH Key to be installed, a password to be provided and a valid code from an authenticator app.
The issue that I have is that I would like to add exceptions to these requirements on a per-user basis.
For example, I want to enforce all of these auth methods for my user account, but specify another user (git - for my GitLab installation) to be accessed by SSH key only (no password or 2FA code required) so the push and pull behaviour works.
The only way I have found to get round this at the moment is to set auth required pam_google_authenticator.so nullok in the /etc/pam.d/sshd file, so the 2FA part is optional, as well as commenting out the @include common-auth line. This however means that while the 2FA part works, I am no longer asked for my password on my main account.
I have tried to do the following:
auth [success=1 default=ignore] pam_succeed_if.so user in git
@include common-auth
but this doesn't seem to work.
What do I need to do to enable all of the above auth methods by default, but add exceptions for specific user accounts like git etc?
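
One way to express the per-user exception asked about above is to make the decision in sshd rather than inside the PAM stack. The fragment below is an added example, not part of the original post; it assumes OpenSSH with PAM enabled and that /etc/pam.d/sshd keeps both the @include common-auth line and a required pam_google_authenticator.so line active.

```conf
# /etc/ssh/sshd_config (added example)
# Check the file with "sshd -t" before reloading the service, and keep an
# existing session open while testing.

# Let sshd hand the password and verification-code prompts to PAM.
UsePAM yes
PubkeyAuthentication yes

# The password is collected by PAM (common-auth) during the
# keyboard-interactive conversation, so plain password auth stays off.
PasswordAuthentication no

# Older OpenSSH releases name this option ChallengeResponseAuthentication.
KbdInteractiveAuthentication yes

# Default for every account: the SSH key must succeed first, then the PAM
# conversation (password from common-auth, then the authenticator code).
AuthenticationMethods publickey,keyboard-interactive

# Exception: the git account completes authentication with its key alone.
# Match blocks run until the next Match line or the end of the file, so
# keep them after all global settings.
Match User git
    AuthenticationMethods publickey
```

Public-key authentication does not run the PAM auth stack, so the git account is never prompted for a password or code, while every other account still has to pass both PAM modules after presenting its key.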