Two-Factor Auth with pam_google_authenticator

So, this is something pretty spiffy, and a lot of people have set it up already, provided nice walkthroughs, etc.  Since there are many good walkthroughs already (like here or here), I won't go into too much detail.  It's stunningly simple to set up, if you don't mind manually pulling the module's source out of version control and building it yourself.


But, one thing struck me as necessary.  I have users that don't use two-factor auth right now, and they may not want to.  So, how can I make this optional?  Well, PAM makes this pretty painless, although it's not built into the module itself:
auth    [default=ignore success=1]      pam_succeed_if.so quiet user notingroup secure
auth    required        pam_google_authenticator.so

That's it.  Basically, you have a group "secure": users in it are required to use two-factor auth, and users outside it aren't.  It works like this: if the user is not in the "secure" group, pam_succeed_if succeeds and success=1 skips the following rule; if the user is in the group, the result of pam_succeed_if is ignored (default=ignore) and the pam_google_authenticator rule runs.  Get it?  Now, this does mean that users need to be manually added to this group in order to be graced with two-factor authentication, but it's still better than nothing.  If you're curious about a related enhancement, this bug report details some additional thoughts on transitioning to two-factor auth.
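To see the skip logic step by step, here is a small model of how PAM walks those two rules. It is an added example, not code from this post or from the PAM project. The function names and the module return values fed in are constructed for illustration, and it handles only the control actions these two rules use.

```python
import re

# The two rules from the post, verbatim.
STACK = """\
auth    [default=ignore success=1]      pam_succeed_if.so quiet user notingroup secure
auth    required        pam_google_authenticator.so
"""

# "required" in bracket form, per pam.conf(5); other keywords omitted here.
KEYWORDS = {"required": {"success": "ok", "ignore": "ignore", "default": "bad"}}

def parse(stack):
    """Return [(module, {return_value: action})], one entry per rule line."""
    rules = []
    for line in stack.splitlines():
        m = re.match(r"\s*\w+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            control, module = m.groups()
            actions = (dict(p.split("=", 1) for p in control[1:-1].split())
                       if control.startswith("[") else KEYWORDS[control])
            rules.append((module, actions))
    return rules

def evaluate(rules, results):
    """results maps module -> return value name ('success', 'auth_err', ...).
    Returns (modules invoked, 'ok' | 'fail' | None); handles N, ok, bad, ignore only."""
    ran, status, i = [], None, 0
    while i < len(rules):
        module, actions = rules[i]
        ran.append(module)
        action = actions.get(results[module], actions["default"])
        i += 1
        if action.isdigit():
            i += int(action)      # jump over the next N rules; no verdict for auth
        elif action == "ok" and status is None:
            status = "ok"
        elif action == "bad":
            status = "fail"
    return ran, status

def decide(in_secure_group, otp_ok):
    """Constructed inputs: 'user notingroup secure' succeeds for users outside the group."""
    return evaluate(parse(STACK), {
        "pam_succeed_if.so": "auth_err" if in_secure_group else "success",
        "pam_google_authenticator.so": "success" if otp_ok else "auth_err",
    })

if __name__ == "__main__":
    print([decide(g, o) for g, o in [(False, False), (True, True), (True, False)]])
```

A status of None means these two rules reached no verdict, so the rest of the auth stack (for example the password check) decides the outcome for users outside the group.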

About this Entry

This page contains a single entry by Doug Kelly published on March 24, 2011 12:27 AM.
