Re: Use one of many second factors authentication on PAM

[André Rodier <andre@rodier.me>]

On 14/11/2021 20:26, Celejar wrote:
> On Sun, 14 Nov 2021 17:57:53 +0000
> André Rodier <andre@rodier.me> wrote:
>
> > Hello all,
> >
> > I have been able to configure pam on Linux, to add two factors
> > authentication for session, sudo, etc...
> >
> > First, I tried Google authenticator and a code from my phone, and it is
> > working like a charm.
> >
> > Then, I commented out the google-authenticator entry, and tried a U2F
> > key. Again, this is working very well, and the light blink after I type
> > the password.
> >
> > Same for a Yubikey, working like a charm, and I even have a clue message
> > on GDM "Please touch your device".
> >
> > Now, I would like to achieve the following:
> >
> > - Having my password as the first authentication, of course mandatory.
> > - Then, being able to use one of my second authentication device.
> >
> > This is basically what we have on Google, for instance.
> >
> > Any idea ?
>
> I think you need to look into the details of PAM stacking. See here:
>
> https://unix.stackexchange.com/a/638466
>
> for a discussion of something similar to what you want to do (although you'll have to adapt it
> to your specific preferences), and here for more information:
>
> https://developer.ibm.com/tutorials/l-pam/
>
> Celejar

Thanks!

--
𝓐𝓡 - André Rodier