In my test servers (with Debian or CentOS) I need to be able to jump from only one user to root with Google authentication.
To understand the problem: for example, on the server I have two users
bob -> to use su - or su root, uses Google authentication (does not know and cannot know the root password)
alice -> to use su - or su root, uses the normal root password because he knows it.
I do not know if I understand correctly, I try to add it to
[root@proxy ~]# nano /etc/pam.d/su
lines on top such as:
    #%PAM-1.0
    #auth required pam_google_authenticator.so nullok use_uid user = bob
    #auth required pam_google_authenticator.so use_uid user = bob
    auth required pam_google_authenticator.so
but none of the conditions with user = bob are working. Only the standard “global” row works fine… I tested it with many guides from the web
but it still does not work. I have no idea how to solve this problem.
I am asking for guidance in understanding this.
You can use pam_succeed_if to skip the check as bob in
    auth [success=2 default=ignore] pam_succeed_if.so use_uid user in bob
    auth sufficient pam_unix.so
    auth requisite pam_deny.so
    auth sufficient pam_google_authenticator.so
    auth requisite pam_deny.so
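To see which module ends up deciding for each user, the stack from the answer can be walked by hand. The Python below is an added illustration, not part of the original answer and not libpam code: it is a simplified model of only the control values this stack uses, and the names run_stack and su_attempt are hypothetical.

```python
# Added illustration: simplified walk of the "auth" stack from the answer.
# Only [success=N default=ignore], sufficient and requisite are modelled.

STACK = [  # one (control, module) pair per line of the answer's config
    ("[success=2 default=ignore]", "pam_succeed_if.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite", "pam_deny.so"),
    ("sufficient", "pam_google_authenticator.so"),
    ("requisite", "pam_deny.so"),
]

def run_stack(stack, results):
    """Return (granted, trace); results maps module name -> True/False."""
    i, trace = 0, []
    while i < len(stack):
        control, module = stack[i]
        ok = results[module]
        trace.append((module, ok))
        if control.startswith("["):
            # "success=N": on success, skip the next N modules
            opts = dict(kv.split("=") for kv in control.strip("[]").split())
            if ok and opts.get("success", "").isdigit():
                i += int(opts["success"])
        elif control == "sufficient" and ok:
            return True, trace    # success ends the stack at once
        elif control == "requisite" and not ok:
            return False, trace   # failure ends the stack at once
        i += 1                    # anything else: move to the next line
    return False, trace           # nothing granted access

def su_attempt(calling_user, root_password_ok, totp_ok):
    """Model one 'su' call; the three arguments are constructed test inputs."""
    results = {
        # use_uid: the test is on the account running su, not the target (root)
        "pam_succeed_if.so": calling_user in {"bob"},
        "pam_unix.so": root_password_ok,
        "pam_google_authenticator.so": totp_ok,
        "pam_deny.so": False,     # pam_deny always fails
    }
    return run_stack(STACK, results)

if __name__ == "__main__":
    for user, pw, totp in [("bob", False, True), ("bob", True, False),
                           ("alice", True, False), ("alice", False, True)]:
        print(user, pw, totp, su_attempt(user, pw, totp))
```

The trace shows that for bob pam_unix.so is never consulted, so knowing the root password does not help him, and for alice the stack ends at the first pam_deny.so before the authenticator is reached.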