Ubuntu – Google authenticator for certain users

Tags: authentication, google, pam, ssh, two-factor-authentication

After enabling Google Authenticator (2-step authentication) on one of my testing servers running Ubuntu 16.04 (LTS), I noticed I couldn't log in anymore with a user who doesn't have a Google Authenticator profile on the server. I had to create a Google Authenticator profile (key) to let this user log in.

My question now is:
Would it be possible to have certain users use Google Authenticator and other users just log in via SSH without Google Authenticator?

Detail:

user1 has a profile with Google Authenticator.

user2 doesn't have a profile with Google Authenticator.

user1 logs in through SSH, fills in his password and the code provided by the Google Authenticator app, and is able to log in.

user2 logs in through SSH, fills in his password and is able to log in (he doesn't need to enter a code).

It would be ideal to have two user groups: one that needs the Google Authenticator code and one that doesn't.

Best Answer

  • Using the solution below, the PAM module (Google Authenticator) can be disabled for specific users:

    1) Create a user group on the Linux instance. MFA/PAM will be disabled for users present in this new group:

    sudo groupadd <groupname>
    

    2) Create a user, or add an existing user to the newly created group:

    sudo useradd <username>
    sudo usermod -a -G <groupname> <username>
    

    3) Edit the /etc/pam.d/sshd file and add the statement below to skip the PAM module for the newly created group:

    # Must appear before the pam_google_authenticator.so line, or it never takes effect
    auth [success=done default=ignore] pam_succeed_if.so user ingroup <groupname>
    

    Optional:

    If full access is required for this new group, add the line below using visudo:

    %<groupname> ALL=(ALL)       NOPASSWD: ALL
    

    When a user is created and added to the new group, MFA will be skipped for that user.

    Referenced from - TechManyu Blog
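The step that decides whether the answer above works is where the pam_succeed_if line lands in /etc/pam.d/sshd. With `[success=done default=ignore]`, a group match ends the auth stack successfully right there, so two placements fail: after pam_google_authenticator.so the line never runs before the OTP prompt, and before `@include common-auth` group members log in without any password check at all. The shell below is an added example, not code from the question, the answer or the referenced blog; it prints the three lines in working order for an assumed group name `nomfa` and checks an existing PAM file for the right ordering before you reload sshd.

```shell
#!/bin/sh
# Added example (not from the original post). Group name "nomfa" is an assumption.
#
# Print the relevant part of /etc/pam.d/sshd in the order that makes the group
# bypass work on Ubuntu 16.04, where pam_google_authenticator.so is appended
# after "@include common-auth".
pam_sshd_fragment() {
    group="${1:-nomfa}"
    cat <<EOF
# Password (first factor) checks come first.
@include common-auth
# Members of ${group} stop here with success: no OTP prompt. Keep this line
# AFTER common-auth (else the group skips the password too) and BEFORE the
# OTP module (else it never runs before the OTP prompt).
auth [success=done default=ignore] pam_succeed_if.so user ingroup ${group}
# Everyone else must present a valid TOTP code. Without "nullok", a user with
# no ~/.google_authenticator file is refused, which is what the question observed.
auth required pam_google_authenticator.so
EOF
}

# Line number of the first line matching a pattern in a file (empty if none).
first_line_of() {
    grep -n -- "$1" "$2" | head -n1 | cut -d: -f1
}

# Return 0 when the bypass line in the given PAM file sits after
# "@include common-auth" (if present) and before pam_google_authenticator.so,
# 1 otherwise. Run against /etc/pam.d/sshd after editing it.
bypass_position_ok() {
    file="$1"
    bypass=$(first_line_of 'pam_succeed_if.so.*ingroup' "$file")
    otp=$(first_line_of 'pam_google_authenticator.so' "$file")
    pw=$(first_line_of '@include common-auth' "$file")
    [ -n "$bypass" ] && [ -n "$otp" ] || return 1
    [ "$bypass" -lt "$otp" ] || return 1
    # If the password stack is included, the bypass must follow it.
    [ -z "$pw" ] || [ "$pw" -lt "$bypass" ]
}

# Usage (as root, after editing the file):
#   bypass_position_ok /etc/pam.d/sshd && echo "ordering OK" || echo "fix ordering"
```

The OTP prompt itself only appears when sshd is configured with `UsePAM yes` and `ChallengeResponseAuthentication yes`, which the question's server already has since user1 is prompted for a code. Test the new ordering from a second SSH session before closing the one you edited in.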