Re: [PLUG] Google Authenticator / SSH

[Matt Mossholder <matt@mossholder.com>]

On Tue, Oct 28, 2014 at 5:37 PM, Rich Freeman <r-plug@thefreemanclan.net> wrote:

On Tue, Oct 28, 2014 at 5:26 PM, Eugene Smiley <eug.smiley@gmail.com> wrote:
> That's interesting, but it would seem to be best used on the network edges.
> It would prevent automated ssh/rsync backups from working, right?
>

Yes, you would either need to exempt those, or bypass pam using RSA.

--
Rich

Here's how I get around it on Fedora 20:

/etc/pam.d/sshd:

=============

auth       required     pam_sepermit.so

auth       substack     password-auth

auth       [success=2 default=ignore] pam_access.so accessfile=/etc/security/local-access.conf noaudit

auth       [success=1 default=ignore] pam_succeed_if.so user notingroup otp_users

auth       required     pam_google_authenticator.so

auth       requisite    pam_shield.so

auth       include      postlogin

/etc/security/local-access.conf:

=======================

+ : ALL : 10.0.0.0/8

+ : ALL : 172.16.0.0/12

+ : ALL : 192.168.0.0/16

+ : ALL : LOCAL

- : ALL : ALL

This basically makes it check to see if the source is in an RFC1918 subnet, and if so, bypasses authenticator. Otherwise, it checks to see if the user is NOT in the otp_users group, and if that is true, they are sent to pam_shield for potential blacklisting.

     --Matt 

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug