It's been a while since I looked at PAM, but if you don't mind doing a little hacking there is the pam_require module that can be used to force specific group membership. It seems like it should be easy enough for it to negate that test. Then you could make that 'sufficient' so that non-admins pass and then fall through to the pam_usb to validate the admin users.

Like I said, it's been a while but it should be workable.

--rick

http://www.splitbrain.org/projects/pam_require

Chris Frederick wrote:
> Hi all,
>
> I got a question about security in linux that I'm having trouble
> googling for. I'm trying to secure a desktop so that users can still
> log in, but admins have a two factor authentication with the pam_usb module.
>
> Is there a way in pam to say "if you are not in group 'x' or root, your
> password is good enough, otherwise you need your usb key as well"? I've
> got pam_usb set up for login and su, the su works great, but I don't
> want to require a key for everyone for login.
>
> Thanks all
>
> Chris Frederick
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
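
The stack ordering suggested in the reply above can be checked with a small model of PAM's `required` and `sufficient` control flags. This is an added example, not part of the original thread and not code from pam_require or pam_usb; the group name `wheel`, the check functions and the `user()` helper are assumptions made for illustration, and the model covers only these two control flags.

```python
# Model of how PAM evaluates an auth stack using 'required' and 'sufficient'.
# The checks are stand-ins for real modules (password check, negated group
# test, pam_usb); nothing here loads or calls actual PAM modules.

ADMIN_GROUP = "wheel"  # assumed name for the "group 'x'" in the question

def user(name, groups, password_ok, usb_key):
    """Constructed sample login attempt."""
    return {"name": name, "groups": groups,
            "password_ok": password_ok, "usb_key": usb_key}

def password(u):    # stand-in for the password module
    return u["password_ok"]

def not_admin(u):   # stand-in for a negated group-membership test
    return u["name"] != "root" and ADMIN_GROUP not in u["groups"]

def usb(u):         # stand-in for pam_usb
    return u["usb_key"]

def run_stack(stack, u):
    """Return True if authentication succeeds for login attempt u."""
    required_failed = False
    any_ok = False
    for control, check in stack:
        ok = check(u)
        any_ok = any_ok or ok
        if control == "required":
            if not ok:
                required_failed = True  # keep walking, result is already failure
        elif control == "sufficient":
            if ok and not required_failed:
                return True             # success here skips the rest of the stack
            # a failing 'sufficient' entry is ignored
        else:
            raise ValueError("unsupported control flag: " + control)
    return any_ok and not required_failed

# Password first, then the negated group test, then the USB key.
STACK = [("required", password), ("sufficient", not_admin), ("required", usb)]

# Same entries with the 'sufficient' test first: non-admins never reach
# the password check, so this ordering must be avoided.
MISORDERED = [("sufficient", not_admin), ("required", password), ("required", usb)]

if __name__ == "__main__":
    alice = user("alice", ["users"], password_ok=True, usb_key=False)
    bob = user("bob", ["users", ADMIN_GROUP], password_ok=True, usb_key=False)
    print("alice:", run_stack(STACK, alice), "bob without key:", run_stack(STACK, bob))
```

The `MISORDERED` stack shows why the password entry has to come before the `sufficient` group test: a non-admin with a wrong password is accepted when the order is reversed.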