Two Factor SSH Authentication on external address only

Brett F. asked:

I have an Ubuntu server with both a private, internal, IP and a public-facing IP. I want to set up two-factor authentication for SSH on just the public side. Is this possible? I was planning on using Google Authenticator, but am open to alternative ideas as well.

My answer:


Yes, you can do this with pam_access.so. This recipe was taken from the wiki for the Google Authenticator:

A useful PAM recipe is to allow skipping two-factor authentication when the connection originates from certain sources. This is already supported by PAM. For example, the pam_access module can be used to check the source against local subnets:

    # skip one-time password if logging in from the local network
    auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
    auth required pam_google_authenticator.so

In this case, access-local.conf looks like:

    # only allow from local IP range
    + : ALL : 10.0.0.0/24
    + : ALL : LOCAL
    - : ALL : ALL

Thus login attempts from 10.0.0.0/24 will not require two-factor authentication.


View the full question and answer on Server Fault.
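
The following is an added example, not part of the original answer or of pam_access itself: a simplified Python model of how the access file above decides whether the one-time password is skipped, useful for checking a rule set before deploying it. It assumes first-match semantics, that an unmatched login counts as success, and that `LOCAL` matches only non-network logins; the user name and the addresses other than 10.0.0.0/24 are constructed.

```python
import ipaddress

# The page's access-local.conf, embedded so the example runs offline.
ACCESS_LOCAL = """\
# only allow from local IP range
+ : ALL : 10.0.0.0/24
+ : ALL : LOCAL
- : ALL : ALL
"""

def parse_rules(text):
    """Return [(permit, users, origins)] from 'perm : users : origins' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {raw!r}")
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(token, rhost):
    if token == "ALL":
        return True
    if token == "LOCAL":      # assumption: matches only non-network logins
        return rhost is None
    if rhost is None:
        return False
    try:                      # only address/prefix tokens are modelled here
        return ipaddress.ip_address(rhost) in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False

def access_granted(rules, user, rhost):
    for permit, users, origins in rules:
        if ("ALL" in users or user in users) and any(origin_matches(t, rhost) for t in origins):
            return permit     # first matching rule decides
    return True               # assumption: no matching rule means success

def otp_required(rules, user, rhost):
    # [success=1 default=ignore]: success skips the next module (the OTP check);
    # any other result is ignored, so pam_google_authenticator.so still runs.
    return not access_granted(rules, user, rhost)

if __name__ == "__main__":
    rules = parse_rules(ACCESS_LOCAL)
    for rhost in ("10.0.0.15", "10.0.1.5", "203.0.113.7"):  # constructed sources
        print(rhost, "OTP required" if otp_required(rules, "brett", rhost) else "OTP skipped")
```

Under this model, dropping the final `- : ALL : ALL` line makes every source skip the one-time password, so keep the catch-all deny when editing the file.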

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.