Unfortunately, this is not possible with the present PAM server versions (up to 3.2.4), as we can currently only enforce a SINGLE admin approval (not 2 or more admin approvals).
These are the 3 different processes that can come into play in the current PAM version:
- Standard password use/view: Just use/view the password, with no additional requirements. The user is allowed to view the password without any condition.
- Re-authenticate on password view/use: The user is required to enter their own password again during checkout (the first authentication is the PAM login, the second is the authorization prompt when using the password). This helps if someone walks away from an unlocked workstation while logged into PAM.
- Dual Authorization: Sends a request to all admins listed in the config, but ONLY 1 authorization is required to allow the request. There is currently NO way to specify that 2 or more approvals are required. If 2 or more approvals are needed, that would require an enhancement.