Use different authentication methods for SSH depending on client IP


#1

Dear,

I want to use DUO for my SSHD. All works fine in the default configuration using pubkey + DUO.

But I want to use different authentication methods depending on the client's IP.

  • Default: pubkey + DUO (Default configuration; checked)
  • LAN: pubkey only (no additional DUO)
  • localhost: password only (no additional DUO)

Using the default “/etc/pam.d/sshd” I got the expected result:

  • Default: LogIn using pubkey followed by password = OK
  • LAN: LogIn using pubkey only = OK
  • localhost: LogIn using password only = OK

Using pam_duo.so in “/etc/pam.d/sshd”, as described (Debian), I got:

  • Default: LogIn using pubkey followed by DUO = OK
  • LAN: LogIn using pubkey only = OK
  • localhost: password prompt, but every time “access denied”

Seems the sshd_config is OK (proven by the pubkey+password combination), I think!

Any idea how to configure this scenario? Thanks in advance!

Dieter


My sshd_config (essentials):
Protocol 2
UsePrivilegeSeparation yes
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/xyz
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
UseDNS yes/no
Match Address 127.0.0.* Host localhost
PubkeyAuthentication no
PasswordAuthentication yes
AuthenticationMethods password
Match Address 192.168.1.*
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey


Default /etc/pam.d/sshd:
@include common-auth
#which is identical to
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
:


DUO modified /etc/pam.d/sshd:
#@include common-auth
#duo-unix
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so
:


DUO modified second /etc/pam.d/sshd:
#@include common-auth
#duo-unix
auth [success=1 default=ignore] pam_duo.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
:
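One way to serve both the password-only localhost method and the pubkey + DUO default method from a single PAM auth stack, added here as an example and not the poster's or Duo's own configuration: pam_access decides from the client address (PAM_RHOST, which sshd fills in) whether pam_duo is skipped, and pam_unix checks the Unix password only on that local path. It assumes the sshd_config from the post, so the LAN publickey-only method never enters the PAM auth stack at all, plus a hypothetical /etc/security/access-local.conf listing the addresses exempt from DUO.

```text
# /etc/pam.d/sshd, auth section (added example; replaces "@include common-auth")
#
# Local client (matches access-local.conf): jump over pam_duo to pam_unix,
# so the "password" method from sshd is verified against the Unix password.
auth  [success=1 default=ignore]  pam_access.so accessfile=/etc/security/access-local.conf
# Remote client: Duo second factor via keyboard-interactive; success skips
# pam_unix and pam_deny, any failure ends the stack with a denial.
auth  [success=2 default=die]     pam_duo.so
# Local client only: Unix password; success skips pam_deny.
auth  [success=1 default=die]     pam_unix.so nullok_secure
# Safety net for anything that falls through with "ignore".
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so

# /etc/security/access-local.conf (hypothetical file referenced above):
# permit only the exempt origins, deny every other origin so pam_access
# returns failure (and Duo runs) for them.
#   + : ALL : 127.0.0.1 192.168.1.0/24
#   - : ALL : ALL
```

pam_access compares the origins against PAM_RHOST, so with UseDNS yes that field may hold a resolved hostname instead of an address and the IP entries above would not match; with UseDNS no it is the client IP.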