11

I am using sshd, and allow logins with public key authentication.

I want to allow select users to log in with a PAM two-factor authentication module.

Is there any way I can allow PAM two-factor authentication for a specific user?

By the same token - I only want to enable password authentication for specific accounts. I want my SSH daemon to reject the password authentication attempts to thwart would-be hackers into thinking that I will not accept password authentication - except for the case in which someone knows my heavily guarded secret account, which is password enabled. I want to do this for cases in which my SSH clients will not let me do either secret key or two-factor authentication.

CivFan
Brad

3 Answers

9

You could probably handle this with the pam_listfile module. Create an /etc/pam.d/sshd file that looks something like:

auth requisite  pam_listfile.so item=user sense=allow file=/etc/authusers
auth sufficient pam_securid.so
auth required   pam_deny.so

This would allow only people listed in /etc/authusers the ability to authenticate with a two-factor module (in our case, SecurID). I haven't actually tested this configuration, but the theory is sound.

You could make it simpler by allowing anyone to authenticate using two-factor authentication; presumably, only those people with the appropriate devices/configuration would be able to succeed, so you'd get effectively the same behavior.

larsks
  • I'm doing something sorta similar - I have sshd allow Chal/Resp and Secret Key. Only one account is actually configured for the Google-Authenticator challenge/response - so other accounts MUST use the Secret Key only. I guess this is as good as I am going to get... – Brad Jan 16 '11 at 17:10
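As an added example (not part of larsks's answer or of the pam_listfile module itself), the POSIX shell script below evaluates an allowlist the way `pam_listfile.so item=user sense=allow file=...` consults it, including the module's refusal of a list file that is world-writable or not a regular file, and then walks the three-line stack from the answer so the effect of `requisite`, `sufficient` and `required` is visible. The list path, the usernames and the `TOKEN_RESULT` argument that stands in for pam_securid's verdict are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: models the decision pam_listfile.so makes for
#   auth requisite pam_listfile.so item=user sense=allow file=LIST
# and the rest of the stack from the answer. Not the module's own code;
# list file, users and the token verdict are constructed.

# allow_user LISTFILE USER -> 0 if USER is on the list and the list is usable
allow_user() {
    list=$1; user=$2
    # pam_listfile denies when the list is not a regular file or is world-writable
    if [ ! -f "$list" ]; then
        echo "deny: $list is not a regular file" >&2; return 1
    fi
    case $(ls -ld "$list") in
        ????????w*) echo "deny: $list is world-writable" >&2; return 1 ;;
    esac
    # whole-line, fixed-string match: "bob" must not be matched by "bobby"
    grep -qxF -- "$user" "$list"
}

# stack_decision LISTFILE USER TOKEN_RESULT
# TOKEN_RESULT ("ok" or "fail") stands in for pam_securid.so's verdict, since a
# real token cannot be exercised here. Prints the outcome and where the stack stopped.
stack_decision() {
    list=$1; user=$2; token=$3
    # auth requisite pam_listfile.so: failure ends the stack immediately,
    # so an unlisted user never reaches the token module at all
    if ! allow_user "$list" "$user" 2>/dev/null; then
        echo "denied (pam_listfile, requisite: stack stopped)"
        return 1
    fi
    # auth sufficient pam_securid.so: success ends the stack with PAM_SUCCESS
    if [ "$token" = ok ]; then
        echo "allowed (pam_securid, sufficient)"
        return 0
    fi
    # auth required pam_deny.so: anything that falls through is denied
    echo "denied (pam_deny, required)"
    return 1
}

# Constructed demonstration: two listed users, one outsider
demo=$(mktemp -d)
printf 'alice\nbob\n' > "$demo/authusers"
chmod 644 "$demo/authusers"
stack_decision "$demo/authusers" alice ok || :     # allowed (pam_securid, sufficient)
stack_decision "$demo/authusers" alice fail || :   # denied (pam_deny, required)
stack_decision "$demo/authusers" mallory ok || :   # denied (pam_listfile, requisite: stack stopped)
rm -rf "$demo"
```

The point the simulation makes is the one the answer relies on: with `requisite`, a user absent from /etc/authusers is rejected before the token module runs, whereas `required` in that slot would still run the later modules and only deny at the end. The world-writable check matters because a list file anyone can edit is an allowlist anyone can join.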
7

In order to disable two-factor auth for users without Google Authenticator configured, add the nullok option in /etc/pam.d/sshd:

auth   required   pam_google_authenticator.so nullok

For more details see: https://github.com/google/google-authenticator-libpam#setting-up-a-user

Adam
5

Using the solution below, the PAM module (Google Authenticator) can be disabled for specific users:

1) Create a user group on the Linux instance. MFA/PAM will be disabled for users present in this new group:

sudo groupadd <groupname>

2) Create a user or add an existing user to the newly created group:

sudo useradd <username>
sudo usermod -a -G <groupname> <username>

3) Edit the /etc/pam.d/sshd file and add the statement below to skip the PAM module for the newly created group:

auth [success=done default=ignore] pam_succeed_if.so user ingroup <groupname>

Optional:

If full access is required for this new group, then add the line below via visudo:

%<groupname> ALL=(ALL)       NOPASSWD: ALL

When a user is created and added to the new group, MFA will be skipped for that user.

Referenced from: TechManyu Blog

Abhimanyu Garg
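The following is an added example covering both the `nullok` answer and the `pam_succeed_if` group answer above; it is not code from either answer, from google-authenticator-libpam, or from the referenced blog. It audits who would get past the pam_google_authenticator step without a second factor: accounts exempted by membership in the skip group, and accounts with no secret file, which `nullok` lets through single-factor. It also checks that the exemption line sits before the authenticator line, since PAM walks the file top to bottom. It assumes the module's default secret location `~/.google_authenticator`; the passwd, group and PAM files it reads are constructed in a temporary directory, and on a real host the functions would be pointed at /etc/passwd, /etc/group and /etc/pam.d/sshd with an empty HOME_ROOT.

```shell
#!/bin/sh
# Added example: audits MFA exemptions for the sshd PAM stack. Not code from
# the answers or the google-authenticator-libpam project. Assumes the default
# secret path ~/.google_authenticator; all input files are constructed.

# bypass_ordered PAMFILE GROUP -> 0 only if an uncommented
# "pam_succeed_if.so ... user ingroup GROUP" line precedes pam_google_authenticator.so
bypass_ordered() {
    pamfile=$1; group=$2
    skip=$(grep -n -E "^[^#]*pam_succeed_if\.so.*user ingroup $group( |\$)" "$pamfile" | head -1 | cut -d: -f1)
    ga=$(grep -n -E '^[^#]*pam_google_authenticator\.so' "$pamfile" | head -1 | cut -d: -f1)
    [ -n "$skip" ] && [ -n "$ga" ] && [ "$skip" -lt "$ga" ]
}

# group_members GROUPFILE PASSWDFILE GROUP -> one exempt user per line:
# supplementary members from GROUPFILE plus anyone whose primary gid is GROUP's
group_members() {
    groupfile=$1; passwdfile=$2; group=$3
    gid=$(awk -F: -v g="$group" '$1 == g { print $3 }' "$groupfile")
    [ -n "$gid" ] || return 1
    {
        awk -F: -v g="$group" '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$groupfile"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwdfile"
    } | sort -u
}

# nullok_exempt PASSWDFILE HOME_ROOT -> login-capable users with no secret file;
# HOME_ROOT is prefixed to each home directory (empty on a real host)
nullok_exempt() {
    passwdfile=$1; root=$2
    awk -F: '$7 !~ /(nologin|false)$/ { print $1, $6 }' "$passwdfile" |
    while read -r user home; do
        [ -f "$root$home/.google_authenticator" ] || echo "$user"
    done
}

# build_fixture DIR: writes constructed passwd/group/pam files and home dirs under DIR
build_fixture() {
    d=$1
    mkdir -p "$d/root" "$d/home/alice" "$d/home/bob" "$d/home/carol"
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
svc:x:1002:1002::/home/svc:/usr/sbin/nologin
carol:x:1003:2000::/home/carol:/bin/sh
EOF
    printf 'nomfa:x:2000:bob\n' > "$d/group"
    printf 'auth [success=done default=ignore] pam_succeed_if.so user ingroup nomfa\nauth required pam_google_authenticator.so nullok\n' > "$d/sshd.pam"
    : > "$d/home/alice/.google_authenticator"   # only alice has enrolled
}

# Constructed demonstration
demo=$(mktemp -d)
build_fixture "$demo"
if bypass_ordered "$demo/sshd.pam" nomfa; then
    echo "group exemption precedes the authenticator line"
else
    echo "WARNING: exemption line missing or placed after pam_google_authenticator"
fi
echo "exempt via group nomfa:"; group_members "$demo/group" "$demo/passwd" nomfa
echo "exempt via nullok (no secret file):"; nullok_exempt "$demo/passwd" "$demo"
rm -rf "$demo"
```

Two things the audit surfaces that the answers leave implicit: `[success=done default=ignore]` only short-circuits modules listed after it, so placing the pam_succeed_if line below pam_google_authenticator silently does nothing; and `nullok` exempts every account that has not enrolled, root included, so the list of unenrolled login-capable accounts is the real list of single-factor accounts.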