Brett F. asked:
I have an Ubuntu server with both a private, internal, IP and a public-facing IP. I want to set up two-factor authentication for SSH on just the public side. Is this possible? I was planning on using Google Authenticator, but am open to alternative ideas as well.
Yes, you can do this with pam_access.so. This recipe was taken from the wiki for the Google Authenticator:
A useful PAM recipe is to allow skipping two-factor authentication when the connection originates from certain sources. This is already supported by PAM. For example, the pam_access module can be used to check the source against local subnets:
    # skip one-time password if logging in from the local network
    auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
    auth required pam_google_authenticator.so
In this case, access-local.conf looks like:
    # only allow from local IP range
    + : ALL : 10.0.0.0/24
    + : ALL : LOCAL
    - : ALL : ALL
Thus login attempts from 10.0.0.0/24 will not require two-factor authentication.
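The following Python sketch is an added example, not part of the answer or the Google Authenticator wiki. It models the first-match evaluation of the access-local.conf above to show which source addresses skip the one-time password. The function names, the sample user and addresses, and the treatment of LOCAL as "no remote host" are assumptions made for illustration.

```python
import ipaddress

# access-local.conf exactly as given in the recipe
ACCESS_LOCAL = """\
# only allow from local IP range
+ : ALL : 10.0.0.0/24
+ : ALL : LOCAL
- : ALL : ALL
"""

def parse_rules(text):
    """Return [(permit, users, origins)] from access.conf-style text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(token, rhost):
    """Match one origin token; hostnames and groups are not modelled."""
    if token == "ALL":
        return True
    if token == "LOCAL":
        return rhost is None  # assumption: LOCAL means no remote host
    try:
        return ipaddress.ip_address(rhost) in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False  # rhost is None or token is not a network

def otp_skipped(rhost, user="alice", rules=None):
    """True when pam_access succeeds, so [success=1] jumps over the OTP module."""
    rules = parse_rules(ACCESS_LOCAL) if rules is None else rules
    for permit, users, origins in rules:
        if ("ALL" in users or user in users) and any(origin_matches(t, rhost) for t in origins):
            return permit  # first matching line decides
    return True  # no line matched: pam_access grants, so OTP would be skipped

if __name__ == "__main__":
    # Constructed sample sources: inside the /24, private but outside it, public, console
    for rhost in ("10.0.0.57", "10.0.1.5", "203.0.113.9", None):
        print(rhost, "-> OTP skipped" if otp_skipped(rhost) else "-> OTP required")
```

The last case in the test shows why the closing `- : ALL : ALL` line matters: without it, a source that matches no line is granted by default and the one-time password is skipped for everyone.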
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.