Disable Linux PAM module for specific users !
For user case where you want to skip MultiFactorAuthentication / PAM module like google authentication validation code for specific users and keep it enabled for the rest, below solution can be used-
1) Create a user group on the Linux instance. We are going to disable MFA/PAM for users present in this new group-
sudo groupadd <groupname>
2) Create User or add existing user to newly created group-
sudo useradd <username>
sudo usermod -a -G <groupname> <username>

3) Edit /etc/pam.d/sshd file and add the below statement to skip PAM module for the newly created group-

auth [success=done default=ignore] pam_succeed_if.so user ingroup <groupname>


If full access is required for this new group then add below line to visudo file-

%<groupname>ALL=(ALL)       NOPASSWD: ALL

When a user will be created and added to the new group, on first login MFA will be created but will not be enforced on further logins.

Thanks for checking out !

All comments.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.