Two Factor SSH Authentication on external address only

I have an Ubuntu server with both a private, internal, IP and a public-facing IP. I want to set up two-factor authentication for SSH on just the public side. Is this possible? I was planning on using Google Authenticator, but am open to alternative ideas as well.


Yes, you can do this with pam_access.so. This recipe was taken from the wiki for the Google Authenticator:

A useful PAM recipe is to allow skipping two-factor authentication when the connection originates from certain sources. This is already supported by PAM. For example, the pam_access module can be used to check the source against local subnets:

# skip one-time password if logging in from the local network
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth       required     pam_google_authenticator.so

In this case, access-local.conf looks like:

# only allow from local IP range
+ : ALL : 10.0.0.0/24
+ : ALL : LOCAL
- : ALL : ALL

Thus login attempts from 10.0.0.0/24 will not require two-factor authentication.


My requirement was very similar, but more specifically i wanted to 1) have pubkey AND googleAuth from outside and 2) have pubkey OR password from inside (password in case i lose all my pubkeys):

/etc/ssh/sshd_config:

AuthenticationMethods publickey,keyboard-interactive
Match address 192.168.2.0/24
    PasswordAuthentication yes
    AuthenticationMethods "password" "publickey"
Match all

/etc/pam.d/sshd:

# Google Authenticator
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth sufficient pam_google_authenticator.so

# Standard Un*x authentication.
auth [success=ignore default=4] pam_access.so accessfile=/etc/security/access-local.conf
@include common-auth

/etc/security/access-local.conf

+ : ALL : 192.168.2.0/24
- : ALL : ALL

Additionally to previous answer i had to skip the 4 rules inside /etc/pam.d/common-auth when from outside, also i configured google auth to sufficient instead of required. I did this on Ubuntu 20.04, but this solution should be quite generic