3

I installed Google Authenticator (two-step verification), the "libpam-google-authenticator" package, although it asks for a code for every single connection to SSH. I want to whitelist localhost and my own IP from Google Authenticator so that I and localhost skip two-step verification.

Or is there a way to skip the SSH challenge for certain IPs?

PhysiOS
  • Are you using public key or password for authentication? – kasperd Aug 29 '16 at 12:46
  • Using password authentication plus two step verification, but I figured it out now – PhysiOS Aug 29 '16 at 12:48
  • Public key authentication has some security advantages which I don't think it is possible to achieve through the PAM interface. For that reason I suspect public key authentication is more secure than what you are doing. – kasperd Aug 29 '16 at 12:54
  • Possible duplicate of [Two Factor SSH Authentication on external address only](http://serverfault.com/questions/518802/two-factor-ssh-authentication-on-external-address-only) – ziesemer Apr 04 '17 at 00:08

1 Answer

6

In "/etc/pam.d/sshd":

```
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so
```

Then in "/etc/security/access-local.conf":

```
#localhost doesn't need two step verification
+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
+ : ALL : YOURIPHERE
#All other hosts need two step verification
- : ALL : ALL
```

Don't forget to restart ssh.

PhysiOS
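The rule evaluation the answer above relies on, as an added example that is not part of the original answer: a small Python model of how pam_access takes the first matching line and how `[success=1 default=ignore]` turns the result into skipping or asking for the code. The user name, the 203.0.113.10 address standing in for YOURIPHERE, and the treatment of `LOCAL` (matching only when there is no remote host) are assumptions; hostnames, groups and `EXCEPT` are not modelled.

```python
import ipaddress

# Constructed sample: the answer's access-local.conf, with the YOURIPHERE
# placeholder swapped for a documentation address (203.0.113.10).
ACCESS_LOCAL_CONF = """\
#localhost doesn't need two step verification
+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
+ : ALL : 203.0.113.10
#All other hosts need two step verification
- : ALL : ALL
"""

def origin_matches(token, rhost):
    """Match one origins token against the client address (PAM_RHOST)."""
    if token.upper() == "ALL":
        return True
    if token.upper() == "LOCAL":
        # Assumption: LOCAL matches only logins that carry no remote host.
        return not rhost
    if not rhost:
        return False
    try:
        net = ipaddress.ip_network(token, strict=False)
        return ipaddress.ip_address(rhost) in net
    except ValueError:
        return False  # hostnames, domains and netgroups are not modelled

def first_match(conf, user, rhost):
    """Return '+' or '-' from the first matching rule, or None if none match."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # maxsplit=2 keeps the colons of IPv6 origins inside the last field
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        user_ok = any(u in ("ALL", user) for u in users.split())
        if user_ok and any(origin_matches(t, rhost) for t in origins.split()):
            return perm
    return None

def skips_2fa(conf, user, rhost):
    """True when pam_access succeeds, so success=1 jumps over the next module
    (pam_google_authenticator.so). A '-' match is a failure, which
    default=ignore discards, so the code is still requested. No matching rule
    counts as access granted, which is why the final '- : ALL : ALL' matters."""
    return first_match(conf, user, rhost) != "-"

if __name__ == "__main__":
    for addr in ("192.168.1.57", "203.0.113.10", "198.51.100.7", "127.0.0.1"):
        print(addr, "skips 2FA" if skips_2fa(ACCESS_LOCAL_CONF, "alice", addr) else "asked for code")
```

Under this model a connection from 127.0.0.1 still falls through to `- : ALL : ALL`, so check loopback behaviour on your own system before relying on `LOCAL` for SSH.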