No hacking needed

<snip /usr/share/doc/pam_require-0.6/README.gz>
Since version 0.3 you may let in everybody __except__ the named group or
user. This example keeps out members of the lusers group:

account required pam_unix.so
account required pam_require.so !@lusers
</snip>

Thanks, I'll give this a shot

Chris

rwh wrote:
> It's been a while since I looked at PAM, but if you don't mind doing a
> little hacking there is the pam_require module that can be used to force
> specific group membership. It seems like it should be easy enough for it
> to negate that test. Then you could make that 'sufficient' so that
> non-admins pass and then fall through to the pam_usb to validate the
> admin users.
>
> Like I said, it's been a while but it should be workable.
>
> --rick
>
> http://www.splitbrain.org/projects/pam_require
>
>
> Chris Frederick wrote:
>> Hi all,
>>
>> I got a question about security in linux that I'm having trouble
>> googling for. I'm trying to secure a desktop so that users can still
>> log in, but admins have a two factor authentication with the pam_usb module.
>>
>> Is there a way in pam to say "if you are not in group 'x' or root, your
>> password is good enough, otherwise you need your usb key as well"? I've
>> got pam_usb set up for login and su, the su works great, but I don't
>> want to require a key for everyone for login.
>>
>> Thanks all
>>
>> Chris Frederick
>>
>> _______________________________________________
>> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
>> tclug-list at mn-linux.org
>> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
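An added example, not part of the thread and not code from pam_require or pam_usb: a small Python model of the "required"/"sufficient" logic the reply proposes, showing that the negated group test only gives the intended result when it sits after the password check. The group name `admins`, the sample users and the three stand-in module functions are assumptions, as is the premise that the group test and pam_usb are evaluated in the same stack.

```python
# Simplified model of how Linux-PAM combines "required" and "sufficient".
# The three module functions are stand-ins; no real PAM code is called.
ADMINS = {"root", "alice"}  # constructed sample membership of the admin group


def pam_unix(s):   # stand-in for the password check
    return s["password_ok"]


def not_admin(s):  # stand-in for a negated group test such as !@admins
    return s["user"] not in ADMINS


def pam_usb(s):    # stand-in for the USB key check
    return s["usb_key"]


def run_stack(stack, s):
    """Return True if the stack grants access to session s."""
    required_failed = False
    for control, module in stack:
        ok = module(s)
        if control == "required" and not ok:
            required_failed = True      # stack keeps running, result is failure
        elif control == "sufficient" and ok and not required_failed:
            return True                 # success ends the stack immediately
        # a failing "sufficient" module is ignored
    return not required_failed


def session(user, password_ok, usb_key):
    return {"user": user, "password_ok": password_ok, "usb_key": usb_key}


# Password first, then the negated group test, then the key.
ORDERED = [("required", pam_unix), ("sufficient", not_admin), ("required", pam_usb)]
# Same modules with the group test first: non-admins skip the password check.
MISORDERED = [("sufficient", not_admin), ("required", pam_unix), ("required", pam_usb)]

if __name__ == "__main__":
    cases = [session("bob", True, False), session("bob", False, False),
             session("alice", True, False), session("alice", True, True)]
    for s in cases:
        print(s, "ordered:", run_stack(ORDERED, s),
              "misordered:", run_stack(MISORDERED, s))
```

Before relying on a stack like this, test it with a non-admin account and a wrong password to confirm the login is refused.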