I'm trying to set up Google Authenticator for a couple of our production servers and, while I got it working, I don't really understand why it works with the config I have and why it didn't work with other things I tried. Furthermore, one of my requirements is to disable two-factor authentication when ssh'ing from one prod machine to another (we only have two).
I got things functioning with:
auth requisite pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_google_authenticator.so
added to /etc/pam.d/common-auth
My issue is that I don't understand why:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_google_authenticator.so
doesn't do the trick. Option #2 rejects all login attempts and never reaches the google auth portion.
Also, if I want to add my
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
line, what changes do I need to make to it and where do I put it?
When I read the docs it sounded logical what the options did, but things just didn't work the way I understood them.
Any help would be spectacular.
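An added example, not part of the original post: a simplified Python model of how Linux-PAM walks an auth stack, run over the two configurations quoted above. The `TAIL` lines (`pam_deny.so`, `pam_permit.so`) are an assumption about what follows in `common-auth`, and `parse` / `authenticate` are hypothetical helper names.

```python
# Added example: simplified model of Linux-PAM's auth-stack walk (not real PAM code).
SHORTHAND = {  # keyword controls expanded as in pam.conf(5); only success/failure modelled
    "required":  {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
}
FIXED = {"pam_deny.so": "fail", "pam_permit.so": "success"}  # these never vary

def parse(line):
    """Return (actions, module) for one 'auth <control> <module> [args]' line."""
    rest = line.split(None, 1)[1]
    if rest.startswith("["):
        ctrl, rest = rest[1:].split("]", 1)
        actions = dict(kv.split("=") for kv in ctrl.split())
    else:
        ctrl, rest = rest.split(None, 1)
        actions = SHORTHAND[ctrl]
    return actions, rest.split()[0]

def authenticate(stack, results):
    """results: module -> 'success'/'fail'. Returns (granted, modules_called)."""
    impression, called, skip = None, [], 0
    for n, line in enumerate(stack):
        if skip:
            skip -= 1
            continue
        actions, module = parse(line)
        called.append(module)
        ret = FIXED.get(module) or results[module]
        action = actions.get(ret, actions["default"])
        if action == "ok":
            if impression is None:
                impression = True
        elif action in ("bad", "die"):
            impression = False
            if action == "die":
                break
        elif action.isdigit():          # jump: counts as "ignore", then skips N modules
            skip = int(action)
            if n + skip >= len(stack):  # jumping past the end is a stack error
                impression = False
                break
        # "ignore": module result has no effect on the outcome
    return impression is True, called

OPTION_1 = ["auth requisite pam_unix.so nullok_secure",
            "auth [success=1 default=ignore] pam_google_authenticator.so"]
OPTION_2 = ["auth [success=1 default=ignore] pam_unix.so nullok_secure",
            "auth required pam_google_authenticator.so"]
TAIL = ["auth requisite pam_deny.so", "auth required pam_permit.so"]  # assumed
```

In this model a `success=1` jump contributes nothing to the final verdict, so a stack whose only successful module is the one that jumps ends with no positive result; calling `authenticate(OPTION_2 + TAIL, ...)` with both modules succeeding shows `pam_google_authenticator.so` is never called.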