For user case where you want to skip MultiFactorAuthentication / PAM module like google authentication validation code for specific users and keep it enabled for the rest, below solution can be used-
1) Create a user group on the Linux instance. We are going to disable MFA/PAM for users present in this new group-
sudo groupadd <groupname>
2) Create User or add existing user to newly created group-
sudo useradd <username> sudo usermod -a -G <groupname> <username>
3) Edit /etc/pam.d/sshd file and add the below statement to skip PAM module for the newly created group-
auth [success=done default=ignore] pam_succeed_if.so user ingroup <groupname>
Optional-
If full access is required for this new group then add below line to visudo file-
%<groupname>ALL=(ALL) NOPASSWD: ALL
When a user will be created and added to the new group, on first login MFA will be created but will not be enforced on further logins.
Thanks for checking out !
Cloud and DevOps Professional and previously a C# ASP.NET Developer with keen interest in system design and architecture. Currently involved in projects using AWS, Azure, Automation, Monitoring, REST APIs and DevOps. Email: [email protected] / [email protected]
Latest posts by Abhimanyu (see all)
- Auto clear notification using Watcher - June 10, 2020
- All about Alerting in ELK stack - June 4, 2020
- Performance Benchmarking ElasticSearch (ELK) with Rally - April 13, 2020
