
Question: google-authenticator PAM library provide option to disable/enable totp authentication runtime at user level #257

Open
raviteja-b opened this issue Oct 7, 2024 · 8 comments
raviteja-b commented Oct 7, 2024

I have integrated google-authenticator-libpam into the PAM configuration of a system. The system has multiple users: one user wants TOTP-based Google authentication, while other users want TOTP-based Google authentication disabled, and one user may have a secret generated while another may not have a secret key set up. Currently the system has a static PAM configuration which is common for all users.

I want to understand whether google-authenticator-libpam can provide any runtime, user-level configuration to enable or disable TOTP authentication:

  1. Does the google-authenticator PAM library provide any option to enable/disable TOTP authentication at runtime at the user level?

  2. Does google-authenticator-libpam identify and return a valid error/return code if a user needs to have a secret key generated in order to have TOTP authentication?

@ThomasHabets (Collaborator) commented
The easiest option is to simply use the `nullok` option.

If you want to enforce it, then you should probably use some other PAM module that has a list of users, and skip the GA PAM module based on that.

@raviteja-b (Author) commented Oct 7, 2024

> nullok

Yes, we are using `nullok`. Does the google-authenticator PAM module return any specific return code to identify whether a user authenticated without TOTP and requires secret key setup?

@raviteja-b (Author) commented

> If you want to enforce it, then you should probably use some other PAM module that has a list of users, and skip the GA PAM module based on that.

Does the google-authentication PAM module not support user-level TOTP authentication control?

@ThomasHabets (Collaborator) commented

No, and in my opinion that belongs in a separate PAM module, since one could want this for many PAM modules.

Looks like there is one already: https://linux.die.net/man/8/pam_listfile

@raviteja-b (Author) commented Oct 7, 2024

> No, and in my opinion that belongs in a separate PAM module, since one could want this for many PAM modules.
>
> Looks like there is one already: https://linux.die.net/man/8/pam_listfile

OK, as per the google-authentication PAM module, what is the right way to disable/enable TOTP-based authentication for a user?

@ThomasHabets (Collaborator) commented

Here you go. Chatjippity didn't get it right on the first attempt, but the second one looks right.

Invert the `sense` or the `success=X default=Y` if you want to force it for everyone except the ones in the list.

@abhilashraju commented

@ThomasHabets I can use this for skipping bypassed MFA users.
Is it possible for GoogleAuthenticator to return something similar to the password-change-required code (PAM_NEW_AUTHTOK_REQD) for the secret key? This will help us identify a user's first login and take them through the generate-secret-key process.

@ThomasHabets (Collaborator) commented

Maybe. But I think someone like you, who has this use case, may need to come up with how to best do this.

It sounds to me like if we just want to return another code in the code path of a list of users, then it should be a different PAM module. Something like:

    if in the list, skip 2
    GA PAM check
    skip 1
    unconditionally return change password required

Or "in the list" could instead be "user's $HOME/.google_authenticator doesn't exist"
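The two ideas in this thread, skipping the GA module for listed users with `pam_listfile` plus the `success=N default=ignore` jump syntax, and deciding enrollment by whether `$HOME/.google_authenticator` exists, are put together below as an added example. It is not the snippet Thomas posted and not code from google-authenticator-libpam. The list file path `/etc/security/totp-exempt.users` and the function names `pam_fragment` and `totp_policy` are assumed names chosen for the example; `pam_listfile.so` and `pam_google_authenticator.so` are the real modules discussed above.

```shell
#!/bin/sh
# Added example, not from the google-authenticator-libpam project or this thread.
# Assumed names: /etc/security/totp-exempt.users (exemption list), pam_fragment,
# totp_policy.

# PAM fragment showing the "skip the GA module for listed users" control syntax.
# pam_listfile succeeds for users present in the file (sense=allow); success=1
# then jumps over the next line, so listed users never reach
# pam_google_authenticator. Everyone else gets default=ignore and falls through
# to the TOTP check. onerr=fail means a missing or unreadable list exempts nobody.
# Swapping sense=allow for sense=deny inverts the policy: only listed users are
# then prompted for TOTP, everyone else skips it.
pam_fragment() {
    cat <<'EOF'
auth [success=1 default=ignore] pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/totp-exempt.users
auth required                   pam_google_authenticator.so nullok
EOF
}

# Decision logic mirroring the flow sketched above, as a plain function:
#   exempt -> user is in the list, skip TOTP
#   enroll -> not exempt and no secret file yet, needs enrollment
#   totp   -> not exempt and a secret exists, run the GA check
# Arguments: username, home directory, path to the exemption list.
totp_policy() {
    user=$1 home=$2 listfile=$3
    # Exact, fixed-string match on a whole line, same as item=user in pam_listfile.
    if [ -r "$listfile" ] && grep -qxF -- "$user" "$listfile"; then
        echo exempt
    elif [ ! -s "$home/.google_authenticator" ]; then
        echo enroll
    else
        echo totp
    fi
}
```

The `enroll` branch is only a classification here: as noted above, a PAM stack cannot hand back `PAM_NEW_AUTHTOK_REQD` from a helper script, so turning that branch into a real return code would need its own module placed ahead of the GA line, with the exempt check jumping over both.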
