Re: Use one of many second factors authentication on PAM
On Sun, 14 Nov 2021 17:57:53 +0000
André Rodier <andre@rodier.me> wrote:
> Hello all,
>
> I have been able to configure PAM on Linux, to add two-factor
> authentication for session, sudo, etc...
>
> First, I tried Google authenticator and a code from my phone, and it is
> working like a charm.
>
> Then, I commented out the google-authenticator entry, and tried a U2F
> key. Again, this is working very well, and the light blinks after I type
> the password.
>
> Same for a Yubikey, working like a charm, and I even have a clue message
> on GDM "Please touch your device".
>
> Now, I would like to achieve the following:
>
> - Having my password as the first authentication, of course mandatory.
> - Then, being able to use one of my second authentication devices.
>
> This is basically what we have on Google, for instance.
>
> Any idea?

I think you need to look into the details of PAM stacking. See here:
https://unix.stackexchange.com/a/638466
for a discussion of something similar to what you want to do (although
you'll have to adapt it to your specific preferences), and here for more
information:
https://developer.ibm.com/tutorials/l-pam/

Celejar
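
An added example, not part of the original messages or the linked pages: a small evaluator for PAM control flags that checks a stack meaning "password mandatory, then any one second factor" and compares it with a weaker variant. The stack layout and the choice of `requisite`/`sufficient` are assumptions for illustration, module arguments are omitted, and the evaluator only models a simplified subset of libpam's behaviour.

```python
# Constructed stacks (module arguments omitted; adapt to your setup).
# GOOD: password is mandatory, then any ONE second factor must succeed.
GOOD = """
auth requisite  pam_unix.so
auth sufficient pam_google_authenticator.so
auth sufficient pam_u2f.so
auth sufficient pam_yubico.so
auth requisite  pam_deny.so      # reached only if every second factor failed
"""
# WEAK: pam_unix marked 'sufficient', so any single factor alone is enough.
WEAK = GOOD.replace("requisite  pam_unix.so", "sufficient pam_unix.so")


def parse(stack):
    """Return [(control, module)] for each 'auth' line, ignoring comments."""
    rules = []
    for line in stack.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            rules.append((fields[1], fields[2]))
    return rules


def authenticate(stack, passing):
    """Evaluate a stack with simplified libpam control-flag semantics.

    passing: set of module names that would return PAM_SUCCESS.
    pam_deny.so always fails. Returns True if the whole stack succeeds.
    """
    failed = False      # a 'required' module has failed earlier
    succeeded = False   # at least one required/requisite module succeeded
    for control, module in parse(stack):
        ok = module in passing and module != "pam_deny.so"
        if control == "requisite":
            if not ok:
                return False        # fail now, run nothing else
            succeeded = True
        elif control == "required":
            succeeded, failed = succeeded or ok, failed or not ok
        elif control == "sufficient":
            if ok and not failed:
                return True         # success ends the stack immediately
        elif control != "optional":
            raise ValueError(f"unsupported control flag: {control}")
    return succeeded and not failed


if __name__ == "__main__":
    for f in ({"pam_unix.so"}, {"pam_u2f.so"}, {"pam_unix.so", "pam_u2f.so"}):
        print(sorted(f), "GOOD:", authenticate(GOOD, f), "WEAK:", authenticate(WEAK, f))
```

When changing real files under /etc/pam.d, keep a root shell open until a fresh login has been tested.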