Google Authenticator for certain users

Solution 1

Using the solution below, the PAM module (Google Authenticator) can be disabled for specific users-

1) Create a user group on the Linux instance. MFA/PAM will be disabled for users present in this new group-

sudo groupadd <groupname>

2) Create a user or add an existing user to the newly created group-

sudo useradd <username>
sudo usermod -a -G <groupname> <username>

3) Edit the /etc/pam.d/sshd file and add the statement below to skip the PAM module for the newly created group-

auth [success=done default=ignore] pam_succeed_if.so user ingroup <groupname>

Optional-

If full access is required for this new group, then add the line below to the visudo file-

%<groupname> ALL=(ALL)       NOPASSWD: ALL

When a user is created and added to the new group, MFA will be skipped for that user.

Referenced from - TechManyu Blog
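
An added example, not part of the answer above or the referenced blog: a small auditor that walks an sshd PAM auth stack and lists which modules a user in given groups still has to pass, so the effect of the `pam_succeed_if.so` line and of where it is placed can be checked. The group name `no2fa`, the flat stack using `pam_unix.so` in place of Ubuntu's `@include common-auth`, and the simplified control handling are assumptions.

```python
import re

# Constructed auth stacks; "no2fa" is a hypothetical exempt group. @include lines
# are not followed, so paste the included file's auth lines in place to audit them.
EXEMPT = "auth [success=done default=ignore] pam_succeed_if.so user ingroup no2fa\n"
PASSWORD, OTP = "auth required pam_unix.so\n", "auth required pam_google_authenticator.so\n"
AFTER_PASSWORD = PASSWORD + EXEMPT + OTP   # exemption placed after the password check
AT_TOP = EXEMPT + PASSWORD + OTP           # exemption placed as the first auth line

def parse_auth(text):
    """Return (control, module, args) for each auth line, ignoring comments."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line.split("#")[0].strip())
        if m:
            rules.append((m.group(1), m.group(2), m.group(3).split()))
    return rules

def action(control, ok):
    """Simplified control handling: what PAM does after a module succeeds or fails."""
    if control.startswith("["):
        kv = dict(p.split("=", 1) for p in control.strip("[]").split())
        return kv.get("success" if ok else "default", kv.get("default", "bad"))
    if ok:
        return "done" if control == "sufficient" else "ok"
    return "ignore" if control in ("sufficient", "optional") else "bad"

def modules_reached(text, groups):
    """Modules a member of `groups` must pass (assumed to succeed); None if denied."""
    reached, skip = [], 0
    for control, module, args in parse_auth(text):
        if skip:
            skip -= 1
            continue
        ok = True
        if module == "pam_succeed_if.so":  # only the 'user ingroup <g>' test is modelled
            ok = "ingroup" in args[:-1] and args[args.index("ingroup") + 1] in groups
        else:
            reached.append(module)
        act = action(control, ok)
        if act in ("bad", "die"):
            return None
        if act == "done":
            break
        skip = int(act) if act.isdigit() else 0
    return reached

if __name__ == "__main__":
    print(modules_reached(AFTER_PASSWORD, {"no2fa"}), modules_reached(AT_TOP, {"no2fa"}))
```

Because `success=done` ends the auth stack at that line, an exempt user only passes the modules listed before it: with the line after the password check they still need a password, while with the line first they reach no module at all.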

Solution 2

This might help: Disable PAM module for group.

You could place one user in a google-authenticator group and the other user in a non-google-authenticator group.

Solution 3

I didn't try it, but the README says you may just add the "nullok" option:

auth required pam_google_authenticator.so nullok

Author by

user1116942

Updated on September 18, 2022

Comments

  • user1116942 over 1 year

    After enabling Google Authenticator (2-step authentication) on one of my testing servers running Ubuntu 16.04 (LTS), I noticed I couldn't log in anymore with a user who doesn't have a Google Authenticator profile on the server. I had to create a Google Authenticator profile (key) to let this user log in.

    My question now is: would it be possible to have certain users use Google Authenticator and other users just SSH login without Google Authenticator?

    Detail:

    user1 has a profile with google authenticator.

    user2 doesn't have a profile with google authenticator.

    user1 logs in through SSH, fills in his password and the code provided by the Google Authenticator app, and he is able to log in.

    user2 logs in through SSH, fills in his password and is able to log in (he doesn't need to enter a code).

    It would be ideal to have 2 usergroups one that needs the google authenticator code and one that doesn't need it.

  • saviour123 over 5 years
    This answer saved me 3 days of work
  • karmendra almost 4 years
    For root user even after adding it to the new group I created "no2fa" it is still asking for 2fa, this trick does work for any other user, but for root, is there any way to skip 2fa for root user?
  • karmendra almost 4 years
    yes, but nullok is not working, I can confirm for Ubuntu 18.04
  • Ricky about 3 years
    nullok works the first time a user logs in, not continuously. The docs state it's if a user hasn't set it up the first time.
  • Ricky about 3 years
    This works for some applications, not all... For example, workbench will still fail as the server checks the PAM authentication, after connecting through SSH.