sshd: How to enable PAM authentication for specific users under

I am using sshd, and allow logins with public key authentication.

I want to allow select users to log in with a PAM two-factor authentication module.

Is there any way I can allow PAM two-factor authentication for a specific user?

By the same token - I only want to enable password authentication for specific accounts. I want my SSH daemon to reject the password authentication attempts to thwart would-be hackers into thinking that I will not accept password authentication - except for the case in which someone knows my heavily guarded secret account, which is password enabled. I want to do this for cases in which my SSH clients will not let me do either secret key, or two-factor authentication.

Solution 1:

You could probably handle this with the pam_listfile module. Create an /etc/pam.d/sshd file that looks something like:

auth requisite pam_listfile.so item=user sense=allow file=/etc/authusers
auth sufficient
auth required

This would allow only people listed in /etc/authusers the ability to authenticate with a two-factor module (in our case, secureid). I haven't actually tested this configuration, but the theory is sound.

You could make it simpler by allowing anyone to authenticate using two-factor authentication; presumably, only those people with the appropriate devices/configuration would be able to succeed, so you'd get effectively the same behavior.
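How the requisite / sufficient / required control flags in the stack from Solution 1 combine, modelled in a short simulation. This is an added example, not code from the answer or from Linux-PAM. It assumes the second line is a two-factor module that succeeds on a valid token and the third line is a module that always fails; the user names and the /etc/authusers contents are constructed.

```python
# Added illustration: a minimal model of how an "auth" stack is walked.
# Only the three control flags used in Solution 1 are modelled.
from typing import Callable

Module = Callable[[str, dict], bool]  # (username, context) -> success?

def listfile_allow(file_contents: str) -> Module:
    """pam_listfile with item=user sense=allow: succeed only for listed users."""
    allowed = {line.strip() for line in file_contents.splitlines() if line.strip()}
    return lambda user, ctx: user in allowed

def two_factor(user: str, ctx: dict) -> bool:
    """Stand-in for the two-factor module (assumption: succeeds on a valid token)."""
    return bool(ctx.get("token_ok", False))

def always_deny(user: str, ctx: dict) -> bool:
    """Stand-in for the assumed third line: a module that always fails."""
    return False

def run_auth_stack(stack, user: str, ctx: dict) -> bool:
    any_ok = False
    failed_required = False
    for control, module in stack:
        ok = module(user, ctx)
        any_ok = any_ok or ok
        if control == "requisite" and not ok:
            return False              # fail at once; later modules never run
        if control == "sufficient" and ok and not failed_required:
            return True               # success ends the stack immediately
        if control == "required" and not ok:
            failed_required = True    # remember the failure, keep going
    return any_ok and not failed_required

AUTHUSERS = "alice\nbob\n"            # constructed contents of /etc/authusers

STACK = [
    ("requisite", listfile_allow(AUTHUSERS)),
    ("sufficient", two_factor),
    ("required", always_deny),
]

def outcome(user: str, token_ok: bool) -> bool:
    return run_auth_stack(STACK, user, {"token_ok": token_ok})

if __name__ == "__main__":
    for user, token_ok in [("alice", True), ("alice", False), ("mallory", True)]:
        print(user, token_ok, "->", "accept" if outcome(user, token_ok) else "reject")
```
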

Solution 2:

In order to disable two-factor auth for users without Google Authenticator configured, add the nullok option in /etc/pam.d/sshd:

auth required pam_google_authenticator.so nullok

For more details see: