
Tiered Access Control: Enforce MFA Only For Clients Outside Your LAN

Is your Local Area Network completely locked down, but you still have to pass the same rigorous security checks as an external client? This process can be time-consuming and frustrating. There is a better way!

Instead of forcing the same access control policies on all clients, you can remove hurdles for a client that connects from a trusted network. In this tutorial, I use Multi-Factor Authentication (MFA) as an example. First, I show how to set up MFA for SSH connections to a Linux machine. Then, I show how to limit this requirement to external networks only, creating tiers of trust within your authentication procedure.

Solution

  1. Install the PAM module for enabling MFA logins. In this example, we use the Google Authenticator PAM module (the package name below is the Debian/Ubuntu one; the phone app can be any TOTP authenticator):

    sudo apt install libpam-google-authenticator
    
  2. Open the appropriate configuration file with this command:

    sudo nano /etc/pam.d/sshd
    

    Then, configure the SSH authentication stack to require MFA by adding this line to the bottom. Because the control is "required", every user must present a valid code; a user who has not yet enrolled (step 4) will be locked out of SSH until they do, unless you append the nullok option to this line:

    auth required pam_google_authenticator.so
    

    Press CTRL+S then CTRL+X to save and exit.

  3. Configure SSH to prompt for MFA verification codes (keyboard-interactive authentication through PAM) by opening the file:

    sudo nano /etc/ssh/sshd_config
    

    And changing no to yes on this line. On OpenSSH 8.7 and later the option is named KbdInteractiveAuthentication and ChallengeResponseAuthentication is kept as an alias for it, so edit whichever one your sshd_config contains. UsePAM yes must also be set; the Debian/Ubuntu sshd_config already sets it:

    ChallengeResponseAuthentication no
    
  4. Enroll a user in the Google Authenticator app. To do so, login as the user, and run google-authenticator, then answer "yes" to all prompts unless you desire to personalize the settings:

    su - jake
    google-authenticator
    

    Once the QR code appears on the screen, scan it with your Google Authenticator app and the Linux machine will be added to your list of time-based one-time passwords (TOTP). The entry is labelled with the username and hostname. The secret and emergency scratch codes are written to ~/.google_authenticator in that user's home directory; store the scratch codes somewhere safe, since they are the only way in without the phone.

  5. Restart the SSH service:

    sudo systemctl restart ssh    # the unit is named sshd on RHEL-family systems
    

    At this time MFA access codes will be required for all users who log in via SSH with a password. Note that sshd only runs the PAM auth stack for password and keyboard-interactive logins: a client that authenticates with a public key alone is never asked for a code unless you also set "AuthenticationMethods publickey,keyboard-interactive" in sshd_config.

  6. To limit this requirement to clients connecting from outside your LAN, add a line to the PAM configuration file that calls the access module before the authenticator module:

    sudo nano /etc/pam.d/sshd
    

    Modify our previous addition like so. The bracketed control means: if pam_access succeeds (the client matched a "+" rule), skip the next one module, so the TOTP prompt never appears; any other result is ignored and the stack falls through to pam_google_authenticator, which then demands a code:

    auth [success=1 default=ignore] pam_access.so
    auth required pam_google_authenticator.so
    
  7. Open the access control file:

    sudo nano /etc/security/access.conf
    

    Append the following rules to the bottom, adjusting the network to your LAN. The first rule permits any user from the LAN; the last rule denies everything else, which is what makes pam_access fail (and the TOTP prompt appear) for every other origin:

    +:ALL:10.207.237.
    -:ALL:ALL
    

    The module accepts remote origins as individual IPs, network/netmask, CIDR notation, or the prefix form used above (a network number ending in a dot, compared as a text prefix of the client address, so it can only express octet-aligned ranges). You can list multiple origins separated by spaces. The address compared is the one sshd hands to PAM as the remote host: the client's IP address, or its reverse-resolved hostname if UseDNS is enabled in sshd_config.

    IMPORTANT: This change applies to any service that calls pam_access with the default file. By default it should not be enabled in other authentication stacks, but if it is, the trailing "-:ALL:ALL" will deny those services to everyone outside the LAN. To keep the rules private to SSH, point the module at its own file instead, for example "pam_access.so accessfile=/etc/security/access-sshd.conf", and put the rules there; see the manual page for pam_access(8).

    And that's all! PAM re-reads its configuration on every authentication, so there is no need to restart any services. Keep in mind what this trust tier rests on: the decision is made purely on the source address sshd sees, so a compromised host on the LAN, or a VPN or proxy whose traffic enters from the LAN range, lands in the password-only tier. Before closing the session you edited from, test a login from an internal address and from an external one and confirm that only the second is asked for a code.
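To see how the two PAM lines from step 6 and the access.conf rules from step 7 combine for a given client before rolling this out, here is an added example (my own script, not part of the original tutorial) that simulates pam_access origin matching and the "[success=1 default=ignore]" control flow in Python. The rule file, user names and client addresses in it are constructed for the example; 10.207.237., 192.168.50.0/24 and fd00:1::/64 are hypothetical LAN ranges. It does not call PAM, and it does not model group, netgroup, EXCEPT or hostname origins.

```python
"""Offline check for the tiered-MFA PAM stack built in this tutorial.

Simulates (it does not call) two things:
  * pam_access(8) origin matching for an access.conf-style rule file, and
  * the PAM control flow of
        auth [success=1 default=ignore] pam_access.so
        auth required                   pam_google_authenticator.so
so you can see which client addresses will be asked for a TOTP code
before touching a production sshd. All rules, users and addresses below
are constructed for the example.
"""
import ipaddress

# Constructed rule file in the same shape as the tutorial's access.conf.
ACCESS_CONF = """\
# permission : users : origins
+:ALL:10.207.237. 192.168.50.0/24 fd00:1::/64
+:jake:10.207.0.0/255.255.0.0
-:ALL:ALL
"""

# Constructed (user, client address) pairs to evaluate.
SAMPLE_LOGINS = [
    ("jake", "10.207.237.12"),    # LAN prefix match
    ("jake", "10.207.5.9"),       # only jake's wider /16 rule matches
    ("alice", "10.207.5.9"),      # same address, no rule for alice -> deny
    ("alice", "192.168.50.200"),  # CIDR match
    ("alice", "fd00:1::abcd"),    # IPv6 CIDR match
    ("jake", "203.0.113.7"),      # external -> falls through to -:ALL:ALL
]


def parse_access_conf(text):
    """Return [(permit, [user tokens], [origin tokens])] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def user_matches(pattern, user):
    # Only ALL and plain usernames are modelled; (group) and @netgroup are not.
    return pattern == "ALL" or pattern == user


def origin_matches(pattern, client_ip):
    """Match one origin token the way pam_access does for a remote address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        # "Network number" form: a plain text-prefix test on the address.
        # The trailing dot is what keeps 10.207.23. from matching
        # 10.207.230.x; this form cannot express non-octet-aligned ranges.
        return client_ip.startswith(pattern)
    if "/" in pattern:
        # CIDR (10.0.0.0/8) or dotted netmask (10.0.0.0/255.0.0.0). A v4
        # address is never inside a v6 network and vice versa.
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    # Anything else is a literal address (hostnames are not resolved here).
    return pattern == client_ip


def pam_access_decision(rules, user, client_ip):
    """First rule whose user list and origin list both match decides.
    With no matching rule pam_access permits, which is why the tutorial
    closes access.conf with -:ALL:ALL."""
    for permit, users, origins in rules:
        if any(user_matches(u, user) for u in users) and any(
            origin_matches(o, client_ip) for o in origins
        ):
            return permit
    return True


def totp_required(rules, user, client_ip):
    """[success=1 default=ignore]: a permit from pam_access jumps over the
    next module (pam_google_authenticator); a deny is ignored and the stack
    falls through to it, so the TOTP prompt appears."""
    return not pam_access_decision(rules, user, client_ip)


def tier_report(conf_text, logins):
    """Map each (user, address) to the tier it lands in."""
    rules = parse_access_conf(conf_text)
    return {
        (user, ip): "TOTP required" if totp_required(rules, user, ip) else "no TOTP (trusted origin)"
        for user, ip in logins
    }


if __name__ == "__main__":
    for (user, ip), verdict in tier_report(ACCESS_CONF, SAMPLE_LOGINS).items():
        print(f"{user:6} from {ip:16} -> {verdict}")
```

Run it directly to print one line per login; each verdict says whether pam_google_authenticator.so is reached for that client. For comparison, if the first PAM line used "auth required pam_access.so" instead of the bracketed control, an external client would be denied outright rather than asked for a code, and a LAN client would still be asked for one, so the control field is what creates the tiers.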
