google / google-authenticator-libpam

Apache License 2.0

Why is there no 2fa prompt for "su - user" but 2fa prompt for "su user"? #210

Closed miguelmota closed 2 years ago

miguelmota commented 2 years ago

Hi, I'm trying to require 2fa for su. The issue is that there is no 2fa prompt when running su - <user> (with dash), but there is a prompt when running su <user> (no dash)?

I added this to /etc/pam.d/su

auth required pam_google_authenticator.so

The rest of the config is the default on Arch Linux:

#%PAM-1.0
auth required pam_google_authenticator.so
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            required        pam_unix.so
account         required        pam_unix.so
session         required        pam_unix.so
password        include         system-auth

[screenshot attached]

[screenshot attached]

Any ideas on how to make the 2fa prompt show for su -? Thanks!

ThomasHabets commented 2 years ago

From the su manual on my system:

FILES
       /etc/pam.d/su
           default PAM configuration file

       /etc/pam.d/su-l
           PAM configuration file if --login is specified

--login is the same as -, per the same manual.
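The practical consequence of the manual excerpt above is that a single `auth required pam_google_authenticator.so` line in /etc/pam.d/su covers `su <user>` only; `su - <user>` (or `su --login <user>`) is authenticated through /etc/pam.d/su-l, which must carry the line as well. The script below is an added example, not code from the issue or from google-authenticator-libpam: it audits a pam.d directory and reports whether each of the two su service files actually loads the module on an uncommented `auth` line. The function names (`has_ga_auth`, `audit_su`, `make_sample`) are hypothetical, and the sample pam.d it builds is constructed to mirror the reporter's situation (module present in `su`, missing in `su-l`).

```shell
#!/bin/sh
# Added example (not from the issue or the project): check which PAM service
# files load pam_google_authenticator.so in their auth stack. Plain `su` reads
# /etc/pam.d/su; `su -` / `su --login` reads /etc/pam.d/su-l, so both matter.

# has_ga_auth DIR SERVICE -> prints yes|no|missing; exit 0 only when present
has_ga_auth() {
    dir=$1
    svc=$2
    f="$dir/$svc"
    [ -f "$f" ] || { echo "missing"; return 2; }
    # Drop everything after '#' so commented-out lines do not count, then look
    # for a line whose first token is 'auth' and which loads the module.
    if sed 's/#.*//' "$f" | grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so'; then
        echo yes
        return 0
    fi
    echo no
    return 1
}

# audit_su DIR -> one line per service; exit 0 only if both su and su-l are covered
audit_su() {
    dir=$1
    rc=0
    for svc in su su-l; do
        state=$(has_ga_auth "$dir" "$svc") || rc=1
        echo "$svc: $state"
    done
    return $rc
}

# make_sample -> prints the path of a constructed pam.d directory that mirrors
# the issue: the module is configured for su but only commented out in su-l.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/su" <<'EOF'
#%PAM-1.0
auth required pam_google_authenticator.so
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so
EOF
    cat > "$d/su-l" <<'EOF'
#%PAM-1.0
#auth required pam_google_authenticator.so
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so
EOF
    echo "$d"
}

# Run with --demo to audit the constructed sample; pass a real directory such as
# /etc/pam.d to audit_su to check a live system.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample)
    audit_su "$d"
    rm -rf "$d"
fi
```

On the constructed sample the audit prints `su: yes` and `su-l: no` and exits non-zero, which is exactly the reporter's symptom: the prompt appears for `su user` and not for `su - user`. Appending the same `auth` line to su-l makes both services report `yes`. Only the first token of each line is inspected for `auth` so that `account`, `session` and `password` entries, and lines that merely mention the module inside a comment, are not mistaken for an active auth-stack entry.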