I installed Google two-factor authentication on my Linux server.
(thanks to: https://github.com/google/google-authenticator-libpam)
When I try to access the root account via ssh, the authenticator works fine.
Verification code: .....
Password: ....
[root@hostname] works fine :)
But!! When I access another user account and try to access the root account using su, the authenticator only requires the password.
[user@hostname] whoami
user
[user@hostname] su
password: .....
[root@hostname] What?!!!
I set all config to default values.
How can I fix it??
This is the default way this works. Since you are using the google-authenticator-libpam module, you are only adding two-factor authentication to the actual external interface login via the addition of auth required pam_google_authenticator.so to the sshd config file.
The proper security implementation (or at least one of the proper ways) is to not allow external login for the root user. Going one step further and locking down ssh to only allow login from users who have two-factor authentication enabled is even better.
To do that you would add the following in your sshd config:
AllowUsers admin bob
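
As an added example (not part of the original answer or of the google-authenticator-libpam project), this script reports which PAM service files load pam_google_authenticator.so directly and reads PermitRootLogin and AllowUsers from sshd_config. The function names and sample files are constructed for illustration; include/substack chains and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: report which PAM services load pam_google_authenticator.so
# and how sshd_config treats root. Only direct "auth" lines are checked;
# include/substack chains are not followed (simplifying assumption).

pam_has_2fa() {  # $1 = PAM service file; true if an active auth line loads the module
    grep -Eq '^[[:space:]]*-?auth[[:space:]].*pam_google_authenticator\.so' "$1"
}

sshd_value() {  # $1 = sshd_config, $2 = keyword; first global value wins, as in sshd
    awk -v k="$2" '
        tolower($1) == "match" { exit }    # stop before conditional blocks
        tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

audit() {  # $1 = pam.d directory, $2 = sshd_config path
    for svc in sshd su sudo; do
        [ -f "$1/$svc" ] || continue
        if pam_has_2fa "$1/$svc"; then echo "pam:$svc=2fa"
        else echo "pam:$svc=password-only"; fi
    done
    v=$(sshd_value "$2" PermitRootLogin); echo "sshd:PermitRootLogin=${v:-unset}"
    v=$(sshd_value "$2" AllowUsers);      echo "sshd:AllowUsers=${v:-unset}"
}

make_sample() {  # constructed files: 2FA on sshd only, as in the question; $1 = target dir
    mkdir -p "$1/pam.d"
    printf '%s\n' 'auth required pam_google_authenticator.so' \
                  'auth include password-auth' > "$1/pam.d/sshd"
    printf '%s\n' '# auth required pam_google_authenticator.so' \
                  'auth sufficient pam_rootok.so' \
                  'auth include system-auth' > "$1/pam.d/su"
    printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' \
                  'AllowUsers admin bob' > "$1/sshd_config"
}

demo=$(mktemp -d)
make_sample "$demo"
audit "$demo/pam.d" "$demo/sshd_config"
rm -rf "$demo"
```

On a real host, call `audit /etc/pam.d /etc/ssh/sshd_config`; a `password-only` result for `su` corresponds to the behaviour described in the question.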