I have set up google-authenticator as 2FA together with publickey authentication. What I need is to skip the 2FA when connecting by SSH from a specific IP.

I'm running Ubuntu 18.04.

Relevant snippet from /etc/pam.d/sshd

```
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
#@include common-auth
auth    [success=1 default=ignore]  pam_access.so accessfile=/etc/security/access-local.conf
auth    required    pam_google_authenticator.so
# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account
```

/etc/security/access-local.conf

```
#localhost doesn't need two step verification
+ : ALL : 192.168.1.20
#All other hosts need two step verification
- : ALL : ALL
```

/etc/ssh/sshd_config

```
PermitRootLogin no
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam
/etc/ssh/ssh_known_hosts
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding no
AcceptEnv LANG LC_*
Subsystem   sftp    /usr/lib/openssh/sftp-server
```

The result

Permission denied (keyboard-interactive).

I have restarted sshd after every change, even tried to reboot the machine.

Before marking this as a duplicate: I have tried all these answers, and none of them seems to work, nor do several other resources on the Internet:

SSH Google Authenticator Ignore/Whitelist ips

Two Factor SSH Authentication on external address only

At this point I'm not sure what I am missing.

Edit: I changed the question; the original was about connecting from localhost, which, as was pointed out by michael-hampton in the comments, was useless. Thanks.

J91321
  • Why are you having ansible ssh to the local host? – Michael Hampton May 08 '19 at 14:35
  • I didn't read the documentation and automatically assumed it needed SSH access without actually checking. Well that was a waste of time. I'll edit the question, because it still has problems when using remote IP. – J91321 May 08 '19 at 16:08
  • Is the answer to the present question provided [here](https://unix.stackexchange.com/questions/388384/ssh-only-require-google-authenticator-from-outside-local-network)? – reinierpost Mar 21 '22 at 10:57

0 Answers
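
An added example, not part of the original question and not code from the PAM project: a simplified Python model of how libpam walks one `auth` stack, run on the stack posted above and on a hypothetical variant that appends `auth required pam_permit.so`. The module return values are constructed by hand, and the model covers only the ok, done, bad, die, ignore and jump actions.

```python
# Simplified model of libpam's walk over one "auth" stack (added example).
SHORTCUTS = {  # keyword controls expressed as [value=action] pairs
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}

def parse_control(control):
    """Map 'required' or '[success=1 default=ignore]' to {retval: action}."""
    if not control.startswith("["):
        return SHORTCUTS[control]
    pairs = (tok.split("=") for tok in control.strip("[]").split())
    return {k: int(v) if v.isdigit() else v for k, v in pairs}

def run_stack(stack, results):
    """stack: [(control, module)]; results: constructed module return values."""
    impression, status = None, "perm_denied"  # nothing decided yet means failure
    i = 0
    while i < len(stack):
        control, module = stack[i]
        actions = parse_control(control)
        retval = results[module]
        action = actions.get(retval, actions["default"])
        if isinstance(action, int):
            i += action  # jump: skip N modules without recording any verdict
        elif action in ("ok", "done"):
            if impression is None:
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        i += 1  # "ignore" only advances to the next module
    return status

# Stack as posted in /etc/pam.d/sshd (auth lines only).
AS_POSTED = [
    ("[success=1 default=ignore]", "pam_access.so"),
    ("required", "pam_google_authenticator.so"),
]
# Hypothetical variant: a module after the jump target that can return success.
WITH_PERMIT = AS_POSTED + [("required", "pam_permit.so")]

# Constructed return values for three logins.
LISTED_IP = {"pam_access.so": "success", "pam_permit.so": "success"}
OTHER_IP_GOOD_CODE = {"pam_access.so": "perm_denied",
                      "pam_google_authenticator.so": "success",
                      "pam_permit.so": "success"}
OTHER_IP_BAD_CODE = {**OTHER_IP_GOOD_CODE, "pam_google_authenticator.so": "auth_err"}
```

For the listed address, the posted stack jumps past its last `auth` module and ends with no verdict, which the model returns as `perm_denied`; the variant ends on a module that succeeds, while a wrong code from any other address still fails.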