# Require Google Authenticator for SSH, except for whitelisted source IPs



## jem (Jun 21, 2017)

Hello.

Has anyone worked out a way of enabling Google Authenticator (security/pam_google_authenticator) on a FreeBSD host to require one-time passwords for ssh(1) connections, except for those from a whitelisted IP address range?

I need to add this extra layer of protection to my hosted server as I have had to re-enable challenge-response authentication to enable connecting through www/shellinabox, which precludes use of public-key authentication.

Searching the web for this topic returned this servervault post, but the replies there seem to be applicable to a different pam(3) implementation, probably on a Linux system.  They use configuration syntax that FreeBSD's pam doesn't support, and a pam_access module that it doesn't have, that can base policy on IP addresses.

At first glance, FreeBSD's pam doesn't include any similar module, so what I want doesn't seem to be possible.

I could run a second sshd(8) instance, with pam_google_authenticator enabled for all connections to the primary one, and disable PAM and allow public-key authentication only on the second one, but this is a bit kludgey.

Any suggestions welcome.

jem


----------



## rootbert (Oct 28, 2021)

sorry for necroposting, thought it is ok since I am posting a solution, which is the match keyword in the sshd config:

```
Match Address 192.168.1.1
        AuthenticationMethods publickey
```


----------

