Yubico Forum

Re: differentiate between local and remote connections

2011-01-20T06:44:12+01:00

That sounds to be a good option!

Statistics: Posted by samir — Thu Jan 20, 2011 6:44 am

Re: differentiate between local and remote connections

2011-01-19T18:51:01+01:00

Thanks, I'll have a look at that.

My other options is to run two ssh servers, one for internal on standard port 22 then the other with yubikey on a different port that is NAT'ed through the firewall. The NAT means I don't need to worry about it being on a different port as it can still present itself on 22 if I want it to.

Statistics: Posted by digininja — Wed Jan 19, 2011 6:51 pm

Re: differentiate between local and remote connections

2011-01-17T13:15:37+01:00

Yubico PAM module does not support selective two or single factor authentication based on from where the user is connecting (i.e. remotely or locally). Only two factor authentication is supported for all users. However, by making a small modification in the Yubico PAM module it will be possible to selective provide either YubiKey based two factor authentication or single factor password based authentication to a group of users.

The changes are needed to be made in the logic where the Yubico PAM module looks for the YubiKey ID and Username binding. If no YubiKey ID and Username binding found for a user, then the Yubico PAM module should skip all checks and send the success signal to the underlying PAM modules.

Statistics: Posted by samir — Mon Jan 17, 2011 1:15 pm

differentiate between local and remote connections

2010-12-26T13:56:54+01:00

Is it possible to have the ssh/PAM module differentiate between an ssh connection from the same subnet and from a everywhere else?

I'd like to restrict ssh connections coming in from the internet to have to use their yubikey but to allow local connections through with just a password.

Statistics: Posted by digininja — Sun Dec 26, 2010 1:56 pm