Skip to main content
Unix & Linux

Return to Question

added 1005 characters in body
Source Link
mcbeav
mcbeav
  • 79
  • 2
  • 8

EDIT:

I attempted a few different combinations of the listed solutions to the Stack posts at the links listed below but I could not get the provided solutions to work. I do not know if I am missing something in my configuration, or if it has to do with I'm using macOS, or if maybe the order of what's listed in my sshd file in pam.d is incorrect.

SSH - Only require google-authenticator from outside local network

https://serverfault.com/questions/799657/ssh-google-authenticator-ignore-whitelist-ips

I attempted to add this to the sshd file in pam.d:

auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access.conf
auth sufficient pam_google_authenticator.so

And adding an access.conf file to /etc/security/access.conf:

+ : ALL : 10.0.1.0/24
+ : ALL : LOCAL
+ : ALL : 10.0.1.4
+ : ALL : 10.0.1.6
+ : ALL : 10.0.1.16
+ : ALL : 10.0.1.20
- : ALL : ALL

EDIT:

I attempted a few different combinations of the listed solutions to the Stack posts at the links listed below but I could not get the provided solutions to work. I do not know if I am missing something in my configuration, or if it has to do with I'm using macOS, or if maybe the order of what's listed in my sshd file in pam.d is incorrect.

SSH - Only require google-authenticator from outside local network

https://serverfault.com/questions/799657/ssh-google-authenticator-ignore-whitelist-ips

I attempted to add this to the sshd file in pam.d:

auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access.conf
auth sufficient pam_google_authenticator.so

And adding an access.conf file to /etc/security/access.conf:

+ : ALL : 10.0.1.0/24
+ : ALL : LOCAL
+ : ALL : 10.0.1.4
+ : ALL : 10.0.1.6
+ : ALL : 10.0.1.16
+ : ALL : 10.0.1.20
- : ALL : ALL
Source Link
mcbeav
mcbeav
  • 79
  • 2
  • 8

Help With Bypassing SSH 2 Factor Authentication When On Same Local Network macOS

Because of a few different applications I need to use, I need to be able to bypass Google's 2 Factor Authentication pam.d module when an SSH connection is coming from the same network. There is very little information about this online, but there are a few questions on the Stack Network, but none of the solutions worked for me. I am not sure if it is because the solutions are specifically for Linux, or I am just missing something. I am using macOS in all instances here.

I am not very familiar with these settings. I do want to require a password, key, & 2FA if I am not on the same local network, but skip the 2FA if I am on the same local network

Current Setup:

SSH requires a valid key, password, & 2 Factor Auth

File Contents Of:

/etc/pam.d/sshd

auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
auth       required       pam_google_authenticator.so nullok
account    required       pam_nologin.so
account    required       pam_sacl.so sacl_service=ssh
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    optional       pam_mount.so

/etc/ssh/ssh_config

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   PasswordAuthentication yes
#   HostbasedAuthentication no
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Protocol 2
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,[email protected]
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h

Host *
    SendEnv LANG LC_*

/etc/ssh/sshd_config

#Protocol Version
Protocol 2

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
MaxAuthTries 3
#MaxSessions 10

PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 360
ClientAliveCountMax 0
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# pass locale information
AcceptEnv LANG LC_*

# no default banner path
Banner /etc/ssh/banner

# override default of no subsystems
Subsystem   sftp    /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server