Matt Mossholder on 28 Oct 2014 16:35:29 -0700


Re: [PLUG] Google Authenticator / SSH

On Tue, Oct 28, 2014 at 5:37 PM, Rich Freeman wrote:
> On Tue, Oct 28, 2014 at 5:26 PM, Eugene Smiley wrote:
> > That's interesting, but it would seem to be best used on the network edges.
> > It would prevent automated ssh/rsync backups from working, right?
>
> Yes, you would either need to exempt those, or bypass pam using RSA.


Here's how I get around it on Fedora 20:


auth       required
auth       substack     password-auth
auth       [success=2 default=ignore] accessfile=/etc/security/local-access.conf noaudit
auth       [success=1 default=ignore] user notingroup otp_users
auth       required
auth       requisite
auth       include      postlogin

+ : ALL :
+ : ALL :
+ : ALL :
- : ALL : ALL

This basically makes it check to see if the source is in an RFC1918 subnet, and if so, bypasses authenticator. Otherwise, it checks to see if the user is NOT in the otp_users group, and if that is true, they are sent to pam_shield for potential blacklisting.

Philadelphia Linux Users Group
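
The skip-count logic described in the message above, modelled as an added example (not code from the original post) so the jump targets can be checked before a stack like this is deployed. The step names, the three RFC 1918 networks and the sample requests in the test are assumptions, since the module names and access-file entries are not shown on the page.

```python
import ipaddress

# RFC 1918 private ranges; the page's access file entries are elided, so
# these three networks are an assumption based on the author's description.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def from_private_net(req):
    addr = ipaddress.ip_address(req["source"])
    return any(addr in net for net in RFC1918)

def not_in_otp_users(req):
    return "otp_users" not in req["groups"]

# Hypothetical stand-ins for the four lines after the password substack.
# An int control models [success=N default=ignore]: on success skip the next
# N lines, on failure carry on. "otp" and "shield" are placeholder steps.
STACK = [
    (2, "source_check", from_private_net),
    (1, "group_check", not_in_otp_users),
    ("required", "otp", lambda req: req["otp_ok"]),
    ("requisite", "shield", lambda req: True),
]

def evaluate(req, stack=STACK):
    """Return (granted, [labels of the lines that actually ran])."""
    ran, granted, i = [], True, 0
    while i < len(stack):
        control, label, check = stack[i]
        ok = check(req)
        ran.append(label)
        i += 1
        if isinstance(control, int):
            if ok:
                i += control      # jump over the next N lines
        elif not ok:
            granted = False       # required: remember failure, keep going
            if control == "requisite":
                break             # requisite: fail immediately
    return granted, ran

def otp_enforced(req):
    """True when the second-factor step is reached for this request."""
    return "otp" in evaluate(req)[1]
```

An off-by-one in either skip count changes which line a successful check lands on, so asserting on the list of executed steps catches a jump that would silently skip the second factor for the wrong population.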