I've boiled two-factor authentication down from all my research and come to the conclusion I'd like to do it with "Something someone HAS" and "Something someone KNOWS".
I have a few options but I'd like to know if they really count as 2 Factor Authentication. Keep in mind this is for SSH access in
Firewall IP Filtering - Someone HAS to have a specific IP / SSH Password.
SSH Private Key (PER User) / SSH User Password
Phone/SMS Authentication of a dynamic token that is sent to the number of a person / SSH Key or Password
Any ideas if these would be workable? Or any alternatives?
The HAS in Something someone HAS implies "possession", not "requires". It typically refers to a hardware token -- like a SecurID fob from RSA, or a Yubikey. In particular, it implies something that is unique and can only be possessed by one person at a time. An ssh password absolutely does not qualify, since a password can be compromised in a number of ways (trojaned ssh daemon, keylogger, visual observation, etc). Two-factor authentication is usually put in place to deal with the very real problems that affect password-based authentication.
IP addresses aren't good for authentication because (a) they're reasonably easy to fake, and (b) it's possible for multiple people to be connecting from the same ip address. In particular, if people are connecting from their house through a router, then you're relying on the security of their network (is it an open wifi network? Do they share with their neighbors?).
This is your "something someone knows". SSH keys are preferable to passwords, since this reduces the chances of someone's password being recovered by a trojaned ssh server. This does require that your users understand how to take care of their private keys (make sure they always have a password, never place them on shared storage, etc).
This is a typical substitute for a dedicated hardware token (the assumption is that the ability to receive an SMS message to a given number requires that you possess the appropriate mobile phone). Google uses this for their two-factor authentication, for example, and there are a number of products out there that will let you roll this out yourself.
In summary:
SSH keys + hardware token or SMS authentication is a good and reasonably common solution. Passwords instead of ssh keys are also common, but I like to advocate against them because passwords are prone to a number of problems.
I think the answer here is "it depends". SMS is a very weak system in many, many ways. I cover a bunch of them here: http://www.wikidsystems.com/WiKIDBlog/fraudsters-defeat-poor-risk-management-not-two-factor-authentication. There are a couple of risks here. One is that SMS is such a popular mechanism for security that an attacker targets an SMS service and wreaks a lot of havoc, including on you. The other is that your app is tempting enough to be targeted itself as in the example in my post.
IP addresses are trivial to spoof so that doesn't really add security, but just like changing the port # for SSH, you might reduce your log data.
Also, will you need a custom PAM module to do this? I'm not familiar with a PAM module that will check keys and an OTP. The keys are typically handled by SSH and passwords by PAM.
HTH,
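
One way to check whether an sshd_config really demands both a key and a second step, as discussed in the answers above (an added example, not part of the original posts). It assumes OpenSSH's `AuthenticationMethods` option (OpenSSH 6.2 and later); the function names and sample configs are constructed for illustration.

```python
# Added example (not from the original posts): audit sshd_config text for
# multi-step SSH login. Assumes OpenSSH's AuthenticationMethods semantics:
# space-separated lists are alternatives; comma-separated methods in one list
# must all succeed. What keyboard-interactive asks for (OTP, SMS code, password)
# is decided by the PAM stack and is outside this check.

def global_setting(config_text, keyword):
    """First global value for keyword; sshd uses the first value it obtains."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":   # conditional blocks are not global
            break
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip()
    return None

def audit(config_text):
    """Return findings; an empty list means every login path needs two methods."""
    value = global_setting(config_text, "AuthenticationMethods")
    if value is None or value.lower() == "any":
        return ["AuthenticationMethods unset: any single method grants access"]
    findings = []
    for alternative in value.split():
        # Drop submethod suffixes such as keyboard-interactive:pam
        methods = [m.split(":", 1)[0] for m in alternative.split(",")]
        if len(methods) < 2:
            findings.append(f"'{alternative}' alone grants access")
        elif len(set(methods)) < 2:
            findings.append(f"'{alternative}' repeats one method type")
    return findings

# Constructed sample configs
WEAK = """
# space-separated: key OR prompt is enough
AuthenticationMethods publickey keyboard-interactive
"""
STRICT = """
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam
"""
UNSET = "PubkeyAuthentication yes\nPasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("STRICT", STRICT), ("UNSET", UNSET)):
        print(name, audit(cfg) or "OK: every path requires two methods")
```

The check only reads the global section; settings inside `Match` blocks need the same review per block.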