Google Authenticator PAM for specific users

Tags: authentication, google-authenticator, pam, password

My current sshd PAM config:

#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

I'm adding Google Authenticator but we're not ready to roll it out to all users.

I believe the following should require the Google Authenticator PAM for users in the 'gauth' group, but was hoping someone could check my work before I go locking myself out of SSH…

#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup gauth
auth required pam_google_authenticator.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

Am I understanding correctly that "success=1" means "skip the next line if this is successful"?

Best Answer

I believe your understanding is correct, based on the PAM documentation.

You should be able to make the changes, test, and revert if needed, provided you open another connection to test with, leaving your original SSH session connected (make sure it doesn't time out, though!).
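To check the `[success=1 default=ignore]` jump before touching a live sshd, here is an added simulator (not from the question or answer, and not real PAM) that walks the three `auth` lines with simplified control semantics: it handles only `required`, `include` (assumed to pass, i.e. the password was accepted), the bracketed `success=N`/`default=ignore` form, and `pam_succeed_if.so ... user notingroup <grp>`. Group membership and the OTP outcome are constructed inputs.

```python
"""Simulate the auth stack from the question (simplified PAM semantics)."""
import re

# The three auth lines under test, copied from the proposed config.
AUTH_STACK = """
auth       include      system-auth
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup gauth
auth required pam_google_authenticator.so
"""

# Constructed group database: only 'alice' is enrolled in 'gauth'.
GROUPS = {"gauth": {"alice"}}

def parse_stack(text):
    """Return [(control, module, args)] for each 'auth' line."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).split()))
    return entries

def run_module(module, args, user, otp_ok):
    """Outcome of one module; 'include system-auth' is assumed to succeed."""
    if module == "pam_succeed_if.so":          # 'user notingroup <grp>'
        return "success" if user not in GROUPS.get(args[-1], set()) else "fail"
    if module == "pam_google_authenticator.so":
        return "success" if otp_ok else "fail"
    return "success"

def simulate(user, otp_ok=True, text=AUTH_STACK):
    """Walk the stack; return (final_result, modules_consulted)."""
    stack, consulted, final, i = parse_stack(text), [], "success", 0
    while i < len(stack):
        control, module, args = stack[i]
        consulted.append(module)
        result = run_module(module, args, user, otp_ok)
        if control.startswith("["):            # e.g. [success=1 default=ignore]
            actions = dict(kv.split("=") for kv in control[1:-1].split())
            action = actions.get(result, actions.get("default", "ignore"))
            if action.isdigit():               # success=N: skip the next N lines
                i += int(action) + 1
                continue
            # 'ignore': this module's result does not affect the stack
        elif control == "required" and result == "fail":
            final = "fail"                     # stack keeps running, but fails
        i += 1
    return final, consulted
```

Running `simulate("bob")` shows the Google Authenticator module is never consulted for a user outside `gauth`, while `simulate("alice", otp_ok=False)` fails at it.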