On Sun, 14 Nov 2021 17:57:53 +0000 André Rodier <an...@rodier.me> wrote:
> Hello all,
>
> I have been able to configure pam on Linux, to add two-factor
> authentication for session, sudo, etc...
>
> First, I tried Google authenticator and a code from my phone, and it is
> working like a charm.
>
> Then, I commented out the google-authenticator entry, and tried a U2F
> key. Again, this is working very well, and the light blinks after I type
> the password.
>
> Same for a Yubikey, working like a charm, and I even have a clue message
> on GDM "Please touch your device".
>
> Now, I would like to achieve the following:
>
> - Having my password as the first authentication, of course mandatory.
> - Then, being able to use one of my second authentication devices.
>
> This is basically what we have on Google, for instance.
>
> Any idea?

I think you need to look into the details of PAM stacking. See here:

https://unix.stackexchange.com/a/638466

for a discussion of something similar to what you want to do (although
you'll have to adapt it to your specific preferences), and here for more
information:

https://developer.ibm.com/tutorials/l-pam/

Celejar
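
An added example, not part of the original thread: one way to stack the modules so that the password is mandatory and either second factor is accepted. The file name, the choice of `pam_u2f.so` for the hardware key and the `cue` option are assumptions; adapt them to the distribution's own PAM layout.

```conf
# /etc/pam.d/sudo  (constructed example; file name is an assumption)

# Factor 1: the password. "requisite" aborts the stack on failure, so a
# wrong password never reaches the second-factor prompts.
auth    requisite     pam_unix.so

# Factor 2, first choice: U2F/FIDO key. "sufficient" ends the stack with
# success if the key is touched and nothing above has failed; a failure
# here is ignored and evaluation continues with the next line.
auth    sufficient    pam_u2f.so cue

# Factor 2, fallback: TOTP code. Being "required" and last, a valid code
# is the only remaining way to pass when the key was absent or refused.
auth    required      pam_google_authenticator.so

# Weak variants to avoid:
#
#   auth  sufficient  pam_unix.so
#       The password alone ends the stack with success; no second factor.
#
#   auth  required    pam_u2f.so
#   auth  required    pam_google_authenticator.so
#       Both the key AND the code are demanded; there is no choice.
#
#   auth  requisite   pam_unix.so
#   auth  sufficient  pam_u2f.so
#   auth  sufficient  pam_google_authenticator.so
#       Failures of "sufficient" modules are ignored, so the stack result
#       falls back to pam_unix: password-only login succeeds when both
#       second factors fail. If every second factor must be "sufficient",
#       close the stack with:  auth  required  pam_deny.so
```

Keep a root session open in another terminal while testing a changed stack, so a mistake in the file can be reverted without being locked out.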