

Tweaking Two-Factor Authentication for SSH


Hello,

I'm using two-factor authentication for remote SSH access.

This also means accessing the SSH server from the local network requires two-factor authentication.

Is there a way to exclude specific users from two-factor authentication and then grant them only local access?

At the moment all users seem to require two-factor authentication, regardless of whether they have set a second validation level.

The Lazy Admin Club
in reply to Andy H3

Perhaps the so called 'match blocks' could be helpful.

Match (User|Group) (<username>|<groupname>)
        SSHd instructions
        for this case
        go here

Rebeka Catalina 🐛
It looks like the group must be specified too.

Ok.. well the pipe symbol ( "|" ) in my comment above stands for 'or' - so you have to read <a>|<b> like '<a> or <b>'

Perhaps you could define two different UNIX groups. For example 'simpleAccess' and '2fAccess', and then in sshd_config you do something like

AllowGroups simpleAccess 2fAccess

Match Group 2fAccess
   your 2-factor-auth
   stuff only for this
   group
in reply to Andy H3

@Rebeka Catalina I found the answer. In the pam configuration this line needs to be added:

auth [success=done default=ignore] pam_access.so accessfile=/etc/security/access-local.conf

and then local access defined.

See here: https://unix.stackexchange.com/questions/388384/ssh-only-require-google-authenticator-from-outside-local-network
in reply to Andy H3

Nice :-)
Well, I don't understand pam, because I don't use it. I used to compile my operating systems completely without pam support, so I can't really say anything about this solution, but awesome that you could solve the problem :-)
in reply to Rebeka Catalina 🐛

Oh.. probably not yet solved. Now local access works, but remote doesn't anymore... I'll do some more testing.

Can you use 2FA without pam? Prior to enabling 2FA, I didn't use pam either.
in reply to Andy H3

AFAIK pam is needed for 2fa - I don't use 2fa on my machines.
in reply to Andy H3

Finally, got it working properly! This is the right pam configuration, plus Rebeka's ssh settings.

auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access.conf
auth sufficient pam_google_authenticator.so
auth required pam_unix.so
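To make the behaviour of that three-line stack visible, here is a small model of how Linux-PAM walks an auth stack under the control syntax used above ([success=N default=ignore], sufficient, required, as defined in pam.conf(5)). It is an added illustration, not code from this thread and not Linux-PAM itself; the access.conf content, the 192.168.1.0/24 network and the user name "andy" are constructed, and pam_access is reduced to the plain "permission : users : origins" rule form (no EXCEPT clauses, netgroups, ttys or hostname origins). pam_google_authenticator and pam_unix are stood in for by two booleans so that every combination of local/remote, good/bad OTP and good/bad password can be traced offline.

```python
"""Model of how Linux-PAM walks an 'auth' stack written with the control
syntax from the post.  Added illustration: this is neither the thread's
configuration nor Linux-PAM code.  pam_access is reduced to the
'perm : users : origins' rule shape of /etc/security/access.conf
(no EXCEPT, netgroups, ttys or hostname origins)."""
import ipaddress

# Constructed access.conf: LAN and console logins are '+', all else '-'.
ACCESS_CONF = """
# permission : users : origins
+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
- : ALL : ALL
"""


def pam_access(user, rhost, access_conf=ACCESS_CONF):
    """First matching rule wins: '+' grants, '-' denies; no match denies."""
    for raw in access_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if users != "ALL" and user not in users.split():
            continue
        for origin in origins.split():
            if origin == "ALL" or _origin_matches(rhost, origin):
                return perm == "+"
    return False


def _origin_matches(rhost, origin):
    # rhost None models a login with no network peer (console); a CIDR
    # origin is compared against the client address.
    if rhost is None:
        return origin == "LOCAL"
    try:
        return ipaddress.ip_address(rhost) in ipaddress.ip_network(origin, strict=False)
    except ValueError:
        return False


# Keyword controls are shorthand for bracketed forms, per pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def _parse_control(control):
    if control.startswith("["):
        return dict(item.split("=", 1) for item in control.strip("[]").split())
    return KEYWORDS[control]


def run_auth_stack(stack, user, rhost, *, otp_ok, password_ok):
    """Return (authenticated, modules_consulted) for one login attempt.

    otp_ok / password_ok stand in for what pam_google_authenticator and
    pam_unix would decide; pam_access is evaluated against ACCESS_CONF.
    """
    verdicts = {
        "pam_access.so": lambda: pam_access(user, rhost),
        "pam_google_authenticator.so": lambda: otp_ok,
        "pam_unix.so": lambda: password_ok,
    }
    consulted, status, i = [], None, 0   # status None: nothing decided yet
    while i < len(stack):
        control, name = stack[i]
        consulted.append(name)
        actions = _parse_control(control)
        action = actions["success"] if verdicts[name]() else actions["default"]
        if action in ("ok", "done") or action.isdigit():
            if status is None:          # 'ok' never overrides an earlier failure
                status = True
            if action == "done" and status:
                break                   # 'sufficient' short-circuits only when passing
            if action.isdigit():
                i += int(action)        # 'success=N': skip the next N modules
        elif action in ("bad", "die"):
            status = False              # first failure decides the stack result
            if action == "die":
                break
        elif action != "ignore":
            raise ValueError(f"unsupported action {action!r}")
        i += 1
    return bool(status), consulted


# Stack from the post (module arguments omitted).
POSTED_STACK = [
    ("[success=1 default=ignore]", "pam_access.so"),
    ("sufficient", "pam_google_authenticator.so"),
    ("required", "pam_unix.so"),
]
# Variant that makes the OTP mandatory for everyone pam_access does not skip.
STRICT_STACK = [
    ("[success=1 default=ignore]", "pam_access.so"),
    ("required", "pam_google_authenticator.so"),
    ("required", "pam_unix.so"),
]

if __name__ == "__main__":
    for label, stack in (("posted", POSTED_STACK), ("strict", STRICT_STACK)):
        for rhost in ("192.168.1.20", "203.0.113.5"):
            for otp_ok in (True, False):
                ok, path = run_auth_stack(stack, "andy", rhost, otp_ok=otp_ok, password_ok=True)
                print(f"{label:6} {rhost:13} otp={otp_ok!s:5} -> {ok!s:5} via {path}")
```

Running it shows the part that matters for local users: when pam_access grants, success=1 jumps over pam_google_authenticator and only pam_unix is consulted, so LAN and console logins need a password but no code. It also shows a property of the posted stack worth checking on the real server: because pam_google_authenticator is sufficient, a remote attempt with a wrong code is ignored rather than rejected, and a correct password at the following pam_unix prompt still authenticates, so remote logins get "OTP or password" rather than "OTP and password". The STRICT_STACK variant with required on the OTP line gives the "both" semantics, and the trace also shows that PAM keeps consulting pam_unix after the required OTP failure so that the prompt sequence does not reveal which factor failed.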

Andy H3
Wow, it works! I deleted this contact and your post's avatar changed from the red line to the cat. 😊