Do not use google-authenticator when ssh from LAN ?

[jyte]

Hi,

I don't really know if that is the right place to ask, so appologies if it is not, and any hint as to where to get an answer is welcome.

That said, I would like to setup my ssh to accept :

• (public key) or (user's password), when the request comes from LAN,
• (public key) or (user's password + google-auth) when the request comes from Internet.

I can disable PasswordAuthentication in sshd_config and at the end add the following to still allow user login from LAN.

Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
PasswordAuthentication yes

However, I fail to get a working setup to the usecase described above.

Any idea ? suggestion ? I run ubuntu 20.04 if that is of any use.

[davama]

https://github.com/google/google-authenticator-libpam/issues/188#issuecomment-712951620

You could do something like here but for IPnets instead by using “pam_accees.so”

[ThomasHabets]

Yeah this is a PAM question, not a GA question. But yes pam_access.so is very likely your solution.