I am about to make two-factor authentication mandatory for ssh logins using libpam_google_authenticator. I'd like to be able to waive this requirement when users log in from certain IP addresses.
I have this in /etc/pam.d/sshd:
auth required pam_google_authenticator.so
and this in /etc/ssh/sshd_config:
ChallengeResponseAuthentication yes
I thought about using the Match directive in sshd_config, but the manpage suggests that ChallengeResponseAuthentication can't be used in that way. In any event, I'm not sure that would get around the pam requirement.
Is there a way of waiving the challenge-response for clients with certain IP addresses?
I've not done this specifically with google auth, but I'm doing something similar with pam_access and a substack. The way I do it is to create a file in /etc/pam.d named yubi-auth. It contains:
Then in password-auth, I use
auth substack yubi-auth
The result is that if a user is coming from an approved ip address in access.conf they don't have to use the yubikey, otherwise they have to use it (and they CAN always use it if they wish). I've not tested this method with google auth, but I think the same logic should work.
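As an added illustration of the substack layout described in this answer (not the answerer's own files, which are not shown), here is how the same idea looks with pam_google_authenticator in place of the yubikey module; the file names otp-auth and access-otp.conf, the accessfile= location and the network ranges are assumptions:

```conf
# /etc/pam.d/otp-auth   (assumed name; called as a substack from /etc/pam.d/sshd)
#
# pam_access compares the client address sshd hands to PAM (PAM_RHOST) with the
# rules in the assumed file /etc/security/access-otp.conf. If the client is on
# the allow list, "success=done" ends this substack with success, so the OTP line
# below is never reached; any other result is ignored and the OTP is required.
auth  [success=done default=ignore]  pam_access.so  accessfile=/etc/security/access-otp.conf
auth  required                       pam_google_authenticator.so

# /etc/security/access-otp.conf   (assumed path; constructed sample addresses)
# Format: permission : users : origins  -- the first matching line wins, so the
# allow rule must come before the catch-all deny.
+ : ALL : 192.0.2.0/24 198.51.100.7
- : ALL : ALL

# /etc/pam.d/sshd   (fragment: the single pam_google_authenticator line is
# replaced by the substack; existing password/key lines stay as they are)
#
# "substack" acts like "required" in the parent stack, but "done" inside it only
# finishes the substack, not the whole sshd auth stack, so the remaining sshd
# auth lines still run for whitelisted clients.
auth  substack  otp-auth
```

Because the decision rests on the address sshd reports, the allow list is only as trustworthy as the network path: a client arriving through a NAT gateway, jump host or proxy that has a listed address skips the OTP as well. Keep the allow file separate from /etc/security/access.conf so that a deny-all rule intended for the OTP decision is not accidentally applied to other services that use pam_access with its default file.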
You can run two instances of sshd with different configurations. In an extreme case: Use one patched version (as this is probably not possible via the config file) which uses a different PAM string than ssh so that you can create different PAM configurations for both instances. Or you start one instance in chroot / lxc so that it sees a different PAM configuration. That might be easier (to maintain).
The client selection can be done by iptables (DNAT) then. Just send the respective clients to the port of the second instance (or to the lxc IP).