Because of a few different applications I need to use, I need to be able to bypass Google's 2 Factor Authentication pam.d module when an SSH connection is coming from the same network. There is very little information about this online; there are a few questions on the Stack Network, but none of the solutions worked for me. I am not sure if it is because the solutions are specifically for Linux, or if I am just missing something. I am using macOS in all instances here.

**I am not very familiar with these settings. I do want to require a password, key, & 2FA if I am not on the same local network, but skip the 2FA if I am on the same local network**

Current Setup:

SSH requires a valid key, password, & 2 Factor Auth



File Contents Of:

**/etc/pam.d/sshd**

    auth       optional       pam_krb5.so use_kcminit
    auth       optional       pam_ntlm.so try_first_pass
    auth       optional       pam_mount.so try_first_pass
    auth       required       pam_opendirectory.so try_first_pass
    auth       required       pam_google_authenticator.so nullok
    account    required       pam_nologin.so
    account    required       pam_sacl.so sacl_service=ssh
    account    required       pam_opendirectory.so
    password   required       pam_opendirectory.so
    session    required       pam_launchd.so
    session    optional       pam_mount.so

**/etc/ssh/ssh_config**

    # Host *
    #   ForwardAgent no
    #   ForwardX11 no
    #   PasswordAuthentication yes
    #   HostbasedAuthentication no
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials no
    #   BatchMode no
    #   CheckHostIP yes
    #   AddressFamily any
    #   ConnectTimeout 0
    #   StrictHostKeyChecking ask
    #   IdentityFile ~/.ssh/id_rsa
    #   IdentityFile ~/.ssh/id_dsa
    #   IdentityFile ~/.ssh/id_ecdsa
    #   IdentityFile ~/.ssh/id_ed25519
    #   Port 22
    #   Protocol 2
    #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
    #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
    #   EscapeChar ~
    #   Tunnel no
    #   TunnelDevice any:any
    #   PermitLocalCommand no
    #   VisualHostKey no
    #   ProxyCommand ssh -q -W %h:%p gateway.example.com
    #   RekeyLimit 1G 1h
    
    Host *
    	SendEnv LANG LC_*


**/etc/ssh/sshd_config**

    
    #Protocol Version
    Protocol 2
    
    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_ecdsa_key
    #HostKey /etc/ssh/ssh_host_ed25519_key
    
    # Ciphers and keying
    #RekeyLimit default none
    
    # Logging
    #SyslogFacility AUTH
    #LogLevel INFO
    
    # Authentication:
    
    #LoginGraceTime 2m
    #PermitRootLogin prohibit-password
    #StrictModes yes
    MaxAuthTries 3
    #MaxSessions 10
    
    PubkeyAuthentication yes
    AuthenticationMethods publickey,keyboard-interactive:pam
    
    # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    # but this is overridden so installations will only check .ssh/authorized_keys
    AuthorizedKeysFile	.ssh/authorized_keys
    
    #AuthorizedPrincipalsFile none
    
    #AuthorizedKeysCommand none
    #AuthorizedKeysCommandUser nobody
    
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes
    
    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    PermitEmptyPasswords no
    
    # Change to no to disable s/key passwords
    ChallengeResponseAuthentication yes
    
    # Kerberos options
    KerberosAuthentication yes
    KerberosOrLocalPasswd yes
    KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    
    # GSSAPI options
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes
    
    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PermitTTY yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #PermitUserEnvironment no
    #Compression delayed
    ClientAliveInterval 360
    ClientAliveCountMax 0
    #UseDNS no
    #PidFile /var/run/sshd.pid
    #MaxStartups 10:30:100
    #PermitTunnel no
    #ChrootDirectory none
    #VersionAddendum none
    
    # pass locale information
    AcceptEnv LANG LC_*
    
    # no default banner path
    Banner /etc/ssh/banner
    
    # override default of no subsystems
    Subsystem	sftp	/usr/libexec/sftp-server
    
    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #	X11Forwarding no
    #	AllowTcpForwarding no
    #	PermitTTY no
    #	ForceCommand cvs server


**EDIT:**

I attempted a few different combinations of the solutions listed in the Stack posts linked below, but I could not get the provided solutions to work. I do not know if I am missing something in my configuration, if it has to do with my using macOS, or if maybe the order of what's listed in my sshd file in pam.d is incorrect.

https://unix.stackexchange.com/questions/388384/ssh-only-require-google-authenticator-from-outside-local-network?rq=1

https://serverfault.com/questions/799657/ssh-google-authenticator-ignore-whitelist-ips



I attempted to add this to the sshd file in pam.d:

    auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access.conf
    auth sufficient pam_google_authenticator.so

And adding an access.conf file to /etc/security/access.conf:


    + : ALL : 10.0.1.0/24
    + : ALL : LOCAL
    + : ALL : 10.0.1.4
    + : ALL : 10.0.1.6
    + : ALL : 10.0.1.16
    + : ALL : 10.0.1.20
    - : ALL : ALL
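
An added example, not part of the original post: a small Python model of how the two attempted `auth` lines and the `access.conf` above would be evaluated under Linux-PAM's documented semantics (first matching `access.conf` rule wins; `success=1` skips the next module). The function names are hypothetical, only `ALL` users and `ALL`, `LOCAL` and IP/CIDR origins are modeled, and whether the PAM implementation on macOS accepts this module or control syntax is not modeled.

```python
import ipaddress
import re
# Constructed from the post: its access.conf rules and the two auth lines tried.
ACCESS_CONF = """\
+ : ALL : 10.0.1.0/24
+ : ALL : LOCAL
+ : ALL : 10.0.1.4
+ : ALL : 10.0.1.6
+ : ALL : 10.0.1.16
+ : ALL : 10.0.1.20
- : ALL : ALL
"""
STACK = [("[success=1 default=ignore]", "pam_access.so"),
         ("sufficient", "pam_google_authenticator.so")]

def origin_matches(origin, rhost):
    """Match one origins token against the remote host (None = local login)."""
    if origin == "ALL":
        return True
    if rhost is None or origin == "LOCAL":
        return rhost is None and origin == "LOCAL"
    try:
        return ipaddress.ip_address(rhost) in ipaddress.ip_network(origin, strict=False)
    except ValueError:
        return False  # hostnames and other token types are not modeled here

def first_match(conf, rhost):
    """Return (granted, line_number) for the first rule whose origin matches."""
    for n, line in enumerate(conf.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if users == "ALL" and any(origin_matches(o, rhost) for o in origins.split()):
            return perm == "+", n
    return True, None  # no rule matched: modeled as "grant"

def modules_run(stack, rhost, conf=ACCESS_CONF):
    """List the modules that execute; a success=N jump skips the next N."""
    ran, skip = [], 0
    for control, module in stack:
        if skip:
            skip -= 1
            continue
        ran.append(module)
        jump = re.search(r"success=(\d+)", control)
        # Only pam_access.so's result is modeled; other modules never jump here.
        if jump and module == "pam_access.so" and first_match(conf, rhost)[0]:
            skip = int(jump.group(1))
    return ran
```

In this model every `10.0.1.x` address is decided by the `/24` rule on line 1, so the four single-address rules are never reached, and only sources that fall through to `- : ALL : ALL` get the verification-code module.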