I have questions especially for the SystemD gurus. I am trying to setup an PAM 2-factor-authentication. The first factor is username/password. The second factor is a device (Yubikey). This works as expected. But I want to have an easy-to-use rescue mode. For instance the following conditions may result in a system where nobody can log in: 1. The network is down. Yubikey needs (in default "client mode") a working Internet connection. 2. The device (Yubikey) is lost or unavailable. 3. The Yubiley PAM configuration is somehow broken. 4. The computer boots in rescue mode and there is only user "root" available and network is down. My first idea was to exclude user "root" from the 2-factor-authentication. But this is not ideal. Especially in openSUSE (with openSUSE's way to configure "sudo" where root's password should be typed in if the user want's to switch to root) the root password is often typed in and should be better protected. Now I created a special user "rescue". This is the only user which may login only with username/password. The configuration for "login" looks as follows: #%PAM-1.0 auth requisite pam_nologin.so auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so auth [default=1 success=ignore] pam_succeed_if.so quiet user != rescue # <- user "rescue" skips next entry auth requisite pam_yubico.so id=16 authfile=/etc/yubikeyid # <- Yubikey authentication in client mode auth include common-auth account include common-account password include common-password session required pam_loginuid.so session include common-session session optional pam_mail.so standard session optional pam_ck_connector.so With special "sudo" configuration (not shown here) user "rescue" can modify the PAM configuration and temporary disable the Yubikey device authentication. Now my question are: * Which PAM configuration file in /etc/pam.d is used for single user / rescue mode of SystemD? * Is it possible to login another user except "root"? Normally only the password for "root" is accepted. Greetings, Björn -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org