Hello.
Has anyone worked out a way of enabling Google Authenticator (security/pam_google_authenticator) on a FreeBSD host to require one-time passwords for ssh(1) connections, except for those from a whitelisted IP address range?
I need to add this extra layer of protection to my hosted server as I have had to re-enable challenge-response authentication to enable connecting through www/shellinabox, which precludes use of public-key authentication.
Searching the web for this topic returned this servervault post, but the replies there seem to be applicable to a different pam(3) implementation, probably on a Linux system. They use configuration syntax that FreeBSD's pam doesn't support, and a pam_access module that it doesn't have, that can base policy on IP addresses.
At first glance, FreeBSD's pam doesn't include any similar module, so what I want doesn't seem to be possible.
I could run a second sshd(8) instance, with pam_google_authenticator enabled for all connections to the primary one, and disable PAM and allow public-key authentication only on the second one, but this is a bit kludgey.
Any suggestions welcome.
jem
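One way to get the per-source-address exemption the post asks for without any IP-aware PAM module is to let sshd(8) itself decide which authentication methods apply, using its Match Address directive. This is an added sshd_config example, not from the original post; it assumes OpenSSH 6.2 or later (for AuthenticationMethods) and 192.0.2.0/24 is a placeholder for the real whitelisted range.

```sshd_config
# Global policy: every login must pass PAM keyboard-interactive, which is
# where pam_google_authenticator prompts for the one-time password. This is
# what connections arriving through shellinabox get.
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods keyboard-interactive:pam

# Trusted range (placeholder, substitute the real whitelisted addresses):
# a public key alone is sufficient. UsePAM cannot be changed inside a
# Match block, so PAM stays on for account/session handling, but a
# publickey-only login never invokes the PAM auth stack, so the OTP
# module is simply not consulted for these clients.
Match Address 192.0.2.0/24
    AuthenticationMethods publickey
```

Before restarting the daemon, `sshd -T -C addr=192.0.2.10,user=jem,host=example.org` (and again with an address outside the range) prints the effective configuration for that connection, so the `authenticationmethods` line can be checked for each case.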