billdenney · February 16, 2022 18:36
diff --git a/openssh-2fa-external.sh b/openssh-2fa-external.sh
 #!/bin/bash

 # From https://unix.stackexchange.com/questions/24198/how-to-get-netmask-from-bash
 default_if=$(ip route list | awk '/^default/ {print $5}')
 local_netmask=$(ip -o -f inet addr show $default_if | awk '{print $4}')

 # From https://serverfault.com/questions/518802/two-factor-ssh-authentication-on-external-address-only
 printf "# only allow from local IP range\n+ : ALL : ${local_netmask}\n+ : ALL : LOCAL\n- : ALL : ALL\n" > /etc/security/access-local.conf

 apt-get install libpam-google-authenticator
 # Insert these lines just below pam_nologin.so in /etc/pam.d/sshd
 ## # skip one-time password if logging in from the local network
 ## auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
 ## auth required pam_google_authenticator.so

 # Modify /etc/ssh/sshd_config
 # Set: ChallengeResponseAuthentication yes
 # Set: UsePAM yes
	#!/bin/bash

	# From https://unix.stackexchange.com/questions/24198/how-to-get-netmask-from-bash
	default_if=$(ip route list \| awk '/^default/ {print $5}')
	local_netmask=$(ip -o -f inet addr show $default_if \| awk '{print $4}')

	# From https://serverfault.com/questions/518802/two-factor-ssh-authentication-on-external-address-only
	printf "# only allow from local IP range\n+ : ALL : ${local_netmask}\n+ : ALL : LOCAL\n- : ALL : ALL\n" > /etc/security/access-local.conf

	apt-get install libpam-google-authenticator
	# Insert these lines just below pam_nologin.so in /etc/pam.d/sshd
	## # skip one-time password if logging in from the local network
	## auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
	## auth required pam_google_authenticator.so

	# Modify /etc/ssh/sshd_config
	# Set: ChallengeResponseAuthentication yes
	# Set: UsePAM yes