Two factor authentication is much more secure than password authentication alone. There are times, though, when you will want to create an exception for a specific user. In my case, I wanted to allow a vulnerability scanner to scan my systems. Rather than turn two factor off for the duration of the scan, I set out to learn how to add an exception for a specific user. I accomplished this on CentOS 6 Linux, but it works on any Linux distribution that uses PAM; only the name of the PAM service file you edit (password-auth here, common-auth on Debian-style systems) varies.
The solution to my problem is the pam_listfile PAM module. pam_listfile lets you point at a text file containing a list of users (or groups, ttys and so on), tell PAM whether a match should allow or deny (sense=allow or sense=deny), and say what the module should return if it cannot read the file for some reason (onerr=fail or onerr=succeed). For an exception like this one, onerr=fail is the safe choice: if the list cannot be read, nobody is exempted and the second factor is still required.
Thanks to this site I learned the details of what to do. In my case I want a single username not to be prompted for a second authentication factor; all other users must use two factors. I created the file /etc/scan_user, added the username I wanted to exempt, and made sure the file is owned by root and writable only by root (pam_listfile logs an error and refuses to use a world-writable list file):
echo "scanuser" > /etc/scan_user
chmod 644 /etc/scan_user
Then I modified /etc/pam.d/password-auth and placed the pam_listfile line after the first authentication factor (pam_unix) but before the second (pam_google_authenticator). The order matters: a sufficient module only short-circuits the modules that come after it, and it cannot rescue a required module that has already failed, so a listed user still has to get the password right.
vi /etc/pam.d/password-auth
#First authentication factor
auth required pam_unix.so
#pam_listfile checks the username: if it is on the list, one factor is enough; otherwise fall through to the second factor
auth sufficient pam_listfile.so onerr=fail item=user sense=allow file=/etc/scan_user
#Second authentication factor. This is only reached if the user is not on the list provided to pam_listfile (or the list could not be read).
auth required pam_google_authenticator.so
The PAM configuration is as follows:
- First factor required for everyone (pam_unix)
- pam_listfile sufficient for anyone who matches the provided list, which ends the stack successfully as long as the password check above it already passed.
- Second factor required for everyone else (anyone who wasn't on the pam_listfile list, and, because of onerr=fail, everyone at all if the list file can't be read).
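To see what those three lines actually do under Linux-PAM's control-flag rules, here is a small added simulation of the stack above. It is not the author's code and not the real PAM library; it models the required and sufficient flags with the semantics documented in pam.conf(5). The users, passwords and TOTP codes are constructed sample data, and the list file's readability and the onerr= setting are parameters so the failure modes can be exercised as well as the happy path.

```python
"""Simulation of the auth stack from the post under Linux-PAM control-flag rules.

Added illustration, not the author's configuration and not the real PAM library.
It models the two control flags the post uses as pam.conf(5) describes them:

  required   - a failure is remembered but the stack keeps running (so a user
               cannot tell which module rejected them); the final result is failure.
  sufficient - success ends the stack immediately with success, unless an earlier
               'required' module has already failed; a failure is simply ignored
               and the next module runs.

Users, passwords and TOTP codes below are constructed sample data.
"""

# Constructed stand-ins for the real data sources.
LISTFILE_USERS = {"scanuser"}                               # contents of /etc/scan_user
PASSWORDS = {"scanuser": "s3cr3t", "alice": "hunter2"}      # what pam_unix would check
TOTP_CODES = {"scanuser": "654321", "alice": "123456"}      # what pam_google_authenticator would check


def pam_unix(user, creds, state):
    """First factor: password."""
    password = creds.get("password")
    ok = password is not None and PASSWORDS.get(user) == password
    return "PAM_SUCCESS" if ok else "PAM_AUTH_ERR"


def make_pam_listfile(readable=True, onerr="fail"):
    """Models 'item=user sense=allow file=/etc/scan_user'. Whether the file is
    readable and the onerr= setting are parameters so both outcomes can be shown."""
    def pam_listfile(user, creds, state):
        if not readable:
            # onerr decides what an unreadable list means: fail (safe) or succeed.
            return "PAM_SUCCESS" if onerr == "succeed" else "PAM_SERVICE_ERR"
        return "PAM_SUCCESS" if user in LISTFILE_USERS else "PAM_AUTH_ERR"
    return pam_listfile


def pam_google_authenticator(user, creds, state):
    """Second factor: TOTP code. Records that the user was prompted at all."""
    state["prompted_for_second_factor"] = True
    code = creds.get("code")
    ok = code is not None and TOTP_CODES.get(user) == code
    return "PAM_SUCCESS" if ok else "PAM_AUTH_ERR"


def run_auth_stack(user, creds, listfile_readable=True, onerr="fail"):
    """Walk the stack in the order the post uses and return
    (authenticated, prompted_for_second_factor)."""
    stack = [
        ("required", pam_unix),
        ("sufficient", make_pam_listfile(listfile_readable, onerr)),
        ("required", pam_google_authenticator),
    ]
    state = {"prompted_for_second_factor": False}
    required_failed = False
    for control, module in stack:
        rc = module(user, creds, state)
        if control == "required":
            if rc != "PAM_SUCCESS":
                required_failed = True        # remembered; the stack keeps going
        elif control == "sufficient":
            if rc == "PAM_SUCCESS" and not required_failed:
                return True, state["prompted_for_second_factor"]
            # a failing 'sufficient' module is ignored; fall through to the next one
    return (not required_failed), state["prompted_for_second_factor"]


if __name__ == "__main__":
    # Listed user, correct password: in with one factor.
    print(run_auth_stack("scanuser", {"password": "s3cr3t"}))                  # (True, False)
    # Unlisted user: second factor is demanded.
    print(run_auth_stack("alice", {"password": "hunter2"}))                    # (False, True)
    print(run_auth_stack("alice", {"password": "hunter2", "code": "123456"}))  # (True, True)
    # Listed user, wrong password: 'sufficient' cannot undo the 'required' failure.
    print(run_auth_stack("scanuser", {"password": "wrong", "code": "654321"})) # (False, True)
    # List unreadable with onerr=fail: the exemption silently disappears.
    print(run_auth_stack("scanuser", {"password": "s3cr3t"}, listfile_readable=False))  # (False, True)
    # List unreadable with onerr=succeed: everyone is exempted, which is why the post uses fail.
    print(run_auth_stack("alice", {"password": "hunter2"}, listfile_readable=False, onerr="succeed"))  # (True, False)
```

The last two cases are the ones worth remembering: with onerr=fail an unreadable list file means the scanner account simply gets prompted for its second factor, while onerr=succeed would turn the same outage into a blanket bypass of two factor for every user.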
My vulnerability scanner is now happy and I still have two factor authentication enabled for every other user on the system. The exempted account is protected by its password alone, so give it a strong one and keep the list to the single account that needs it. Success.