Matt Mossholder on 28 Oct 2014 16:35:29 -0700



Re: [PLUG] Google Authenticator / SSH


On Tue, Oct 28, 2014 at 5:37 PM, Rich Freeman <r-plug@thefreemanclan.net> wrote:
On Tue, Oct 28, 2014 at 5:26 PM, Eugene Smiley <eug.smiley@gmail.com> wrote:
> That's interesting, but it would seem to be best used on the network edges.
> It would prevent automated ssh/rsync backups from working, right?
>

Yes, you would either need to exempt those, or bypass pam using RSA.

--
Rich

Here's how I get around it on Fedora 20:

/etc/pam.d/sshd:
=============

auth       required     pam_sepermit.so
auth       substack     password-auth
auth       [success=2 default=ignore] pam_access.so accessfile=/etc/security/local-access.conf noaudit
auth       [success=1 default=ignore] pam_succeed_if.so user notingroup otp_users
auth       required     pam_google_authenticator.so
auth       requisite    pam_shield.so
auth       include      postlogin

/etc/security/local-access.conf:
=======================
+ : ALL : 10.0.0.0/8
+ : ALL : 172.16.0.0/12
+ : ALL : 192.168.0.0/16
+ : ALL : LOCAL
- : ALL : ALL


This basically makes it check to see if the source is in an RFC1918 subnet, and if so, bypasses the authenticator. Otherwise, it checks to see if the user is NOT in the otp_users group, and if that is true, they are sent to pam_shield for potential blacklisting.

     --Matt 
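A worked example, added to this thread and not code from Matt's message: a small simulation of the posted auth stack, so you can trace exactly which module each (user, source) pair lands in once the [success=N default=ignore] jumps are applied. The stack and the access rules are copied from the post; the otp_users membership (alice and bob in the group, backup and carol not), the module outcomes (password, OTP, pam_shield blacklist) and the source addresses are constructed, and "LOCAL" is simplified to "no remote host". It models the PAM auth stack only, which sshd consults for password and keyboard-interactive logins; a public-key login never runs it, which is the "bypass pam using RSA" route Rich mentions.

```python
#!/usr/bin/env python3
"""Simulate the posted /etc/pam.d/sshd 'auth' stack (added example, not the
original poster's code). Linux-PAM walks the stack top to bottom and a
[success=N default=ignore] control jumps over the next N entries on
PAM_SUCCESS, so tracing the jumps is the only way to see who gets an OTP
prompt. Module outcomes and group membership are constructed inputs."""
import ipaddress

# Posted /etc/pam.d/sshd auth stack as (module, control flag), in order.
AUTH_STACK = [
    ("pam_sepermit.so", "required"),
    ("password-auth", "substack"),
    ("pam_access.so", "[success=2 default=ignore]"),
    ("pam_succeed_if.so", "[success=1 default=ignore]"),
    ("pam_google_authenticator.so", "required"),
    ("pam_shield.so", "requisite"),
    ("postlogin", "include"),
]

# Posted /etc/security/local-access.conf as (permission, users, origin).
ACCESS_RULES = [
    ("+", "ALL", "10.0.0.0/8"),
    ("+", "ALL", "172.16.0.0/12"),
    ("+", "ALL", "192.168.0.0/16"),
    ("+", "ALL", "LOCAL"),
    ("-", "ALL", "ALL"),
]

# Assumed membership of the otp_users group; 'backup' is the rsync account.
OTP_USERS = {"alice", "bob"}


def access_allows(rhost):
    """pam_access: first matching rule wins; '+' is PAM_SUCCESS, '-' a denial.
    LOCAL is simplified to 'no remote host' (console or local socket)."""
    for perm, _users, origin in ACCESS_RULES:     # users field is ALL throughout
        if origin == "ALL":
            matched = True
        elif origin == "LOCAL":
            matched = rhost is None
        else:
            matched = (rhost is not None and
                       ipaddress.ip_address(rhost) in ipaddress.ip_network(origin))
        if matched:
            return perm == "+"
    return False                                  # no matching rule: denied


def run_module(name, user, rhost, env):
    """Constructed result (True = PAM_SUCCESS) for each module in the stack."""
    if name == "pam_sepermit.so":
        return True                        # empty sepermit.conf: always succeeds
    if name == "password-auth":
        return env["password_ok"]          # the normal password check
    if name == "pam_access.so":
        return access_allows(rhost)
    if name == "pam_succeed_if.so":
        return user not in OTP_USERS       # 'user notingroup otp_users'
    if name == "pam_google_authenticator.so":
        return env["otp_ok"]
    if name == "pam_shield.so":
        return not env["shield_blocked"]   # fails only for a blacklisted source
    if name == "postlogin":
        return True
    raise ValueError(f"unknown module {name}")


def evaluate(user, rhost, password_ok=True, otp_ok=True, shield_blocked=False):
    """Walk the stack with Linux-PAM control semantics and return
    (authenticated, list of modules that actually ran).
    required/substack: failure is remembered, walk continues (substack is
    treated as one required entry). requisite: failure ends the walk.
    [success=N default=ignore]: success skips N entries, anything else is ignored."""
    env = {"password_ok": password_ok, "otp_ok": otp_ok,
           "shield_blocked": shield_blocked}
    ran, failed, i = [], False, 0
    while i < len(AUTH_STACK):
        name, control = AUTH_STACK[i]
        ran.append(name)
        ok = run_module(name, user, rhost, env)
        if control.startswith("["):
            skip = int(control.split("success=")[1].split()[0])
            i += 1 + (skip if ok else 0)
            continue
        if not ok:
            if control == "requisite":
                return False, ran
            failed = True
        i += 1
    return not failed, ran


if __name__ == "__main__":
    for user, rhost, extra in [("backup", "10.1.2.3", {}),
                               ("alice", "203.0.113.5", {}),
                               ("carol", "203.0.113.5", {}),
                               ("alice", None, {}),
                               ("alice", "203.0.113.5", {"shield_blocked": True})]:
        ok, ran = evaluate(user, rhost, **extra)
        print(f"{user:>6} from {rhost or 'console':<12} -> {'OK' if ok else 'DENIED':6} via {ran}")
```

Two things the trace makes visible that the prose does not: a success=2 jump from pam_access lands on pam_shield, so the blacklist check still runs for RFC1918 sources, and a user who is not in otp_users gets password-only authentication from any source, Internet included, because the success=1 jump skips pam_google_authenticator for them. Whether that second point is acceptable depends on who is kept out of the group.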
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug