Discussion:
pam.d + pam_google_authenticator, per user configuration
Nagy László Zsolt
2016-05-09 09:45:32 UTC
Hi!

I would like to use pam google authenticator for the root user only.
Here is how it should work:

* from ssh, root login is not permitted

* only users in the wheel group are allowed to gain root access with
the "su" command

* the policy for the su command should be configurable so that it
adds additional authentication modules for the root user

My problem:

The /etc/pam.d/su file can be configured as follows:

auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
auth required /usr/local/lib/pam_google_authenticator.so

This will check google authentication codes for *all* users. There is no
way to turn it on for a single user, or for a group of users. In theory,
this could be possible, because by the time pam_google_authenticator is
used, PAM already knows the name of the user that needs to be logged in.
But I see no way for conditionally using an auth module.

Another possible option would be to rewrite the su command to use a
different policy for the root user (but that does not seem like a good
idea).

So the question is: how can I enable an authentication module for a
selected user?

Thanks,

Laszlo
Nagy László Zsolt
2016-05-09 11:23:35 UTC
Post by Nagy László Zsolt
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
auth required /usr/local/lib/pam_google_authenticator.so
Somebody coming from Linux has suggested that I use pam_listfile with
sense=deny option, but pam_listfile does not exist in FreeBSD.

This would be ideal:

auth sufficient pam_user.so not_target=root
auth required /usr/local/pam_google_authenticator.so

The imaginary "not_target" parameter of the imaginary "pam_user.so"
module would succeed, if the target user is not equal to the specified
user. Combined with the "sufficient" control-flag, it would break the
chain and succeed without asking for a google auth code. Otherwise the
chain would continue to the google authenticator.

I have tried to come up with a version that uses pam_group, but I
couldn't. It is possible to give "group=wheel" to pam_group, but it is
not possible to give "target user is not root".
Nagy László Zsolt
2016-05-09 12:14:11 UTC
Finally, I have found a solution. I followed the guide here:
http://blather.michaelwlucas.com/archives/2573

Shell script at /usr/sbin/pam_not_root.sh:

#!/bin/sh
# pam_exec exports the target user as PAM_USER. Quote it so the test
# stays a valid expression even if the value is empty.
if [ "$PAM_USER" != "root" ]
then
    exit 0    # not root: let the "sufficient" line end the chain
else
    exit 1    # root: fall through to pam_google_authenticator
fi

Last auth line of /etc/pam.d/su and /etc/pam.d/login:

auth include system

And here are the last two lines of /etc/pam.d/system:


# google auth
auth sufficient pam_exec.so /usr/sbin/pam_not_root.sh
auth required /usr/local/lib/pam_google_authenticator.so

How it works: If the target user is "root", then pam_not_root.sh returns
1, and the chain breaks with success. If the target user is "root", then
pam_not_root.sh returns 0, the chain continues with
pam_google_authenticator.so, and the chain succeeds only if
pam_google_authenticator.so succeeds.

I wonder why we don't have pam_listfile.so compiled by default in
FreeBSD? It is also true that a 7-line shell script solves the problem...
Nagy László Zsolt
2016-05-09 17:13:27 UTC
Post by Nagy László Zsolt
#!/bin/sh
if [ "$PAM_USER" != "root" ]
then
    exit 0
else
    exit 1
fi
Even simpler one-liner:

#!/bin/sh
# The script's exit status is the status of the test itself:
# 0 when PAM_USER is not root, 1 when it is.
[ "$PAM_USER" != "root" ]
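To see the sufficient/required tail of /etc/pam.d/system behave as described in the thread without touching a live system, here is an added example (not code from the thread): it wraps the gate script in a function, passes the target user in as PAM_USER the way pam_exec does, and emulates how OpenPAM walks the two lines. The explicit empty-user check in the gate is my addition so that a missing PAM_USER fails closed; the OTP module result is a constructed input.

```shell
#!/bin/sh
# Added example: emulate the last two lines of /etc/pam.d/system
#   auth sufficient pam_exec.so /usr/sbin/pam_not_root.sh
#   auth required   /usr/local/lib/pam_google_authenticator.so
# pam_exec exports the target user as PAM_USER; here it is passed as $1.

# The gate from the thread, with PAM_USER quoted and an added -n check
# (my addition) so an empty user is treated like root and still needs
# an OTP.  Exit 0 = "not root", non-zero = "root or unknown".
pam_not_root() {
    PAM_USER="$1" sh -c '[ -n "$PAM_USER" ] && [ "$PAM_USER" != "root" ]'
}

# $1 = target user, $2 = constructed OTP module result: ok | bad.
# Prints the path taken; return status is the chain result (0 = success).
# Assumes no earlier "required" line in the chain has already failed.
auth_tail() {
    user="$1"; otp="$2"
    # "sufficient": success ends the chain successfully, failure is ignored.
    if pam_not_root "$user"; then
        echo "$user: OTP skipped"
        return 0
    fi
    # "required": the chain result is whatever this module returns.
    if [ "$otp" = ok ]; then
        echo "$user: OTP accepted"
        return 0
    fi
    echo "$user: OTP rejected"
    return 1
}

# Stand-alone demo on constructed inputs.
auth_tail alice bad
auth_tail root ok
auth_tail root bad || echo "root without a valid code is refused"
auth_tail "" bad  || echo "empty PAM_USER is treated like root"
```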
