sshd: How to enable PAM authentication for specific users under

Solution 1:

You could probably handle this with the pam_listfile module. Create an /etc/pam.d/sshd file that looks something like:

auth requisite item=user sense=allow file=/etc/authusers
auth sufficient
auth required

This would allow only people listed in /etc/authusers the ability to authenticate with a two-factor module (in our case, secureid). I haven't actually tested this configuration, but the theory is sound.

You could make it simpler by allowing anyone to authenticate using two factor authentication; presumably, only those people with the appropriate devices/configuration would be able to succeed, so you'd get effectively the same behavior.

Solution 2:

In order to disable two-factor auth for users without Google Authenticator configured, add the nullok option in /etc/pam.d/sshd:

auth   required nullok

For more details see:

Solution 3:

Using the below solution, PAM Module(google authenticator) can be disable for specific users-

1) Create a user group on the Linux instance. MFA/PAM will be disabled for users present in this new group-

sudo groupadd <groupname>

2) Create User or add existing user to newly created group-

sudo useradd <username>
sudo usermod -a -G <groupname> <username>

3) Edit /etc/pam.d/sshd file and add the below statement to skip PAM module for the newly created group-

auth [success=done default=ignore] user ingroup <groupname>


If full access is required for this new group then add below line to visudo file-

%<groupname>ALL=(ALL)       NOPASSWD: ALL

When a user will be created and added to the new group, MFA will be skipped for those users.

Referenced from -TechManyu Blog