@sshimko
Last active January 13, 2019 23:12
MacOS/OS X google authenticator pam configs for screensaver, ssh, sudo, authorization (GUI login)
# authorization: auth account
# !!! DO NOT USE !!!
# !!! USING THIS BREAKS ANY LOGIN AFTER THE FIRST LOGIN !!!
# !!! IT IS LEFT HERE AS A WARNING !!!
# this change impacts the GUI login at boot
# if it breaks in some way, there may very
# well be no way to recover.
#
# NOTE: if you use filevault, your filevault
# password will not change. you will decrypt
# using your plain password, then you will be prompted
# for a password again. at the second prompt enter:
#
# NOTE: at the second password prompt the user must enter their password followed by the google auth string in the password prompt, no space in between.
# e.g., foobar123456 where "foobar" is the pw and "123456" is the code from google authenticator.
#
# i've noticed some quirks:
# 1. after this is configured, you can't
# turn on/off file vault in preferences.
# it appears to cache the credentials when
# you unlock the "Lock" in the pref panel.
# then replay them when you turn on/off file
# vault without going through PAM. It doesn't
# work.
auth required /usr/local/lib/security/pam_google_authenticator.so use_first_pass forward_pass nullok
auth optional pam_krb5.so use_first_pass use_kcminit
auth optional pam_ntlm.so use_first_pass
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so

# screensaver: auth account
# the tricky bit - needs to be first *and* use_first_pass and forward_pass
# segfaults the login prompt in any other configuration i tried.
# NOTE: user must enter their password followed by the google auth string in the password prompt, no space in between.
# e.g., foobar123456 where "foobar" is the pw and "123456" is the code from google authenticator.
auth required /usr/local/lib/security/pam_google_authenticator.so use_first_pass forward_pass nullok
auth optional pam_krb5.so use_first_pass use_kcminit
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so
account sufficient pam_self.so
account required pam_group.so no_warn group=admin,wheel fail_safe
account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe

# sshd: auth account password session
# this one was tricky too - if you use public key auth and disable keyboard interactive in sshd_config
# these auth hooks are never hit, including the google authenticator.
# so enable keyboard interactive and challenge response. these fields need to be in /etc/ssh/sshd_config:
# PasswordAuthentication no
# AuthenticationMethods publickey,keyboard-interactive
# ChallengeResponseAuthentication yes
# UsePAM yes
auth required /usr/local/lib/security/pam_google_authenticator.so nullok
#auth optional pam_krb5.so use_kcminit
#auth optional pam_ntlm.so try_first_pass
#auth optional pam_mount.so try_first_pass
#auth required pam_opendirectory.so try_first_pass
account required pam_nologin.so
account required pam_sacl.so sacl_service=ssh
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_launchd.so
session optional pam_mount.so

# sudo: auth account password session
auth required /usr/local/lib/security/pam_google_authenticator.so nullok
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
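As an added check (not part of the gist), the following Python encodes two rules from the stacks above over constructed sample input: for the screensaver stack, pam_google_authenticator.so must be the first auth rule and carry use_first_pass and forward_pass; for sshd, the four sshd_config directives listed must be set as shown. It also flags nullok, which lets any user without an enrolled secret authenticate without an OTP.

```python
import re

# Constructed samples reproducing the gist's screensaver stack and sshd_config fields.
SCREENSAVER_PAM = """\
auth required /usr/local/lib/security/pam_google_authenticator.so use_first_pass forward_pass nullok
auth optional pam_krb5.so use_first_pass use_kcminit
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so
"""
SSHD_CONFIG = """\
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication yes
UsePAM yes
"""
GA_MODULE = "pam_google_authenticator.so"

def parse_pam(text):
    """Return (type, control, module basename, [options]) for each PAM rule line."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3:
            rules.append((parts[0], parts[1], parts[2].rsplit("/", 1)[-1], parts[3:]))
    return rules

def check_screensaver_stack(text):
    """Findings for a stack where password and OTP are typed into one prompt."""
    auth = [r for r in parse_pam(text) if r[0] == "auth"]
    if not auth or auth[0][2] != GA_MODULE:
        return [f"{GA_MODULE} must be the first auth rule"]
    opts = set(auth[0][3])
    findings = [f"first auth rule is missing {o}"
                for o in ("use_first_pass", "forward_pass") if o not in opts]
    if "nullok" in opts:  # a user with no enrolled secret skips the OTP entirely
        findings.append("nullok: users without an enrolled secret skip the OTP")
    return findings

def check_sshd_config(text):
    """Report required sshd_config directives that are absent or set differently."""
    required = {"PasswordAuthentication": "no",
                "AuthenticationMethods": "publickey,keyboard-interactive",
                "ChallengeResponseAuthentication": "yes", "UsePAM": "yes"}
    seen = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s+(\S+)", line)
        if m:
            seen.setdefault(m.group(1), m.group(2))  # sshd honours the first occurrence
    return [f"{k} should be {v}, found {seen.get(k)}"
            for k, v in required.items() if seen.get(k) != v]
```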

sshimko commented Mar 7, 2018

Any modifications to these files will get blown away whenever Apple ships an update with these files in it, e.g. a major release.
