jump to root (su -) with google authentication for one specific user

Posted on

Problem :

in my test servers (with debian or centos) I need to be able to jump from only once user to root with google authentication.
to understand the problem, for example on the server I have two users
bob -> to use su – or su root uses google authentication (does not know and can not knows root password)
alice -> to use su – or su root using normal root password because he knows them.
I do not know if I understand correctly, I try to add it to

[root@proxy ~]# nano /etc/pam.d/su

lines on top such as:

#auth required pam_google_authenticator.so nullok use_uid user = bob
#auth required pam_google_authenticator.so use_uid user = bob
auth required pam_google_authenticator.so

but nothing of conditions user = bob not working. Only the standard “global” row works fine… I tested it with many guides from the web
but it still does not work. I have no ideas how to solve this problem.

I am asking for guidance in understanding this.

Solution :

You can use pam_succeed_if to skip the check as bob in /etc/pam.d/su, e.g.

auth [success=2 default=ignore] pam_succeed_if.so use_uid user in bob
auth sufficient                 pam_unix.so
auth requisite                  pam_deny.so
auth sufficient                 pam_google_authenticator.so
auth requisite                  pam_deny.so

Leave a Reply

Your email address will not be published. Required fields are marked *