Two Factor SSH Authentication on external address only

Brett F. asked:

I have an Ubuntu server with both a private, internal, IP and a public-facing IP. I want to set up two-factor authentication for SSH on just the public side. Is this possible? I was planning on using Google Authenticator, but am open to alternative ideas as well.

My answer:

Yes, you can do this with This recipe was taken from the wiki for the Google Authenticator:

A useful PAM recipe is to allow skipping two-factor authentication when the connection originates from certain sources. This is already supported by PAM. For example, the pam_access module can be used to check the source against local subnets:

# skip one-time password if logging in from the local network
auth [success=1 default=ignore] accessfile=/etc/security/access-local.conf
auth       required

In this case, access-local.conf looks like:

# only allow from local IP range
+ : ALL :
- : ALL : ALL

Thus login attempts from will not require two-factor authentication.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.