Description
Hello maintainers,
First, thank you for creating this module—it has been incredibly helpful for our use cases.
I would like to propose adding a couple of new options to better support MFA on shared accounts (e.g., authenticating to root via SSH).
Use Case:
When a user SSHs to a shared account like root, we want to challenge them for their personal TOTP token as a second factor.
Current Challenge:
The module automatically sends the target username (root) to the RADIUS server. However, the MFA validation needs to happen against the originating user's identity. The existing ruser option doesn't solve this, as PAM_RUSER is often not set in this scenario.
Proposed Solution:
I suggest adding two new options:
prompt_for_username: A boolean option that, when enabled, would always prompt the user to enter their username for the RADIUS request, rather than auto-detecting it from PAM_USER.
authz_group: An option to specify a local Linux group. This would add a simple authorization check, ensuring the module only attempts RADIUS authentication if the user belongs to that group.
I believe these features would add valuable flexibility. If you are open to this, I would be more than happy to implement the changes and submit a pull request.
Looking forward to your thoughts.