@billdenney
Created February 16, 2022 18:36
Setup 2-factor authentication for external connections with openssh
#!/bin/bash
# From https://unix.stackexchange.com/questions/24198/how-to-get-netmask-from-bash
# Use the first default route only; a host can have more than one.
default_if=$(ip route list | awk '/^default/ {print $5; exit}')
local_netmask=$(ip -o -f inet addr show "$default_if" | awk '{print $4}')
# From https://serverfault.com/questions/518802/two-factor-ssh-authentication-on-external-address-only
# Pass the value through %s so it is never interpreted as a printf format string.
printf '# only allow from local IP range\n+ : ALL : %s\n+ : ALL : LOCAL\n- : ALL : ALL\n' "$local_netmask" > /etc/security/access-local.conf
apt-get install libpam-google-authenticator
# Insert these lines just below pam_nologin.so in /etc/pam.d/sshd
## # skip one-time password if logging in from the local network
## auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
## auth required pam_google_authenticator.so
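# Modify /etc/ssh/sshd_config
# Set: ChallengeResponseAuthentication yes
#      (OpenSSH 8.7 and later: this is a deprecated alias for KbdInteractiveAuthentication)
# Set: UsePAM yes
# Each user must run google-authenticator once to create ~/.google_authenticator;
# without that file (and without nullok) the required module rejects their external logins.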
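
The manual step above (inserting the two auth lines just below pam_nologin.so) can be scripted and then checked, since `success=1` skips exactly one module and the one-time-password line must therefore follow the pam_access line directly. This is an added example, not part of the gist; the function names and the sample PAM file are assumptions for illustration, and the adjacency check is deliberately stricter than PAM itself.

```shell
#!/bin/bash
# Added example, not part of the gist. Function names are illustrative assumptions.
ACCESS_LINE='auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf'
OTP_LINE='auth required pam_google_authenticator.so'

# Insert the two auth lines directly below the first active pam_nologin.so line.
# Idempotent: returns 0 untouched if an OTP auth line exists; 2 if no anchor line.
insert_otp_lines() {
    local pam_file=$1 tmp rc
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$pam_file" && return 0
    grep -q '^[^#]*pam_nologin\.so' "$pam_file" || return 2
    tmp=$(mktemp) || return 1
    awk -v a="$ACCESS_LINE" -v o="$OTP_LINE" '
        { print }
        /^[^#]*pam_nologin\.so/ && !inserted {
            print "# skip one-time password if logging in from the local network"
            print a; print o; inserted = 1
        }' "$pam_file" > "$tmp" && cat "$tmp" > "$pam_file"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# success=1 makes PAM skip exactly one module, so this strict check requires the
# OTP line to be the next non-comment, non-blank line after every pam_access line.
check_otp_order() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        pending { if ($0 !~ /^auth[ \t]+required[ \t]+pam_google_authenticator\.so/) bad = 1
                  pending = 0; seen = 1 }
        /pam_access\.so/ && /success=1/ { pending = 1 }
        END { exit ((seen && !bad && !pending) ? 0 : 1) }' "$1"
}

# Constructed sample resembling a Debian-style /etc/pam.d/sshd (not from a real host).
write_sample_pam() {
    printf '%s\n' '@include common-auth' \
        '# account required pam_nologin.so   (commented out: must not be used as anchor)' \
        'account    required     pam_nologin.so' \
        '@include common-account' > "$1"
}

# Usage: script.sh /path/to/copy-of-pam-sshd   (work on a copy, then review and install it)
if [ $# -eq 1 ]; then
    insert_otp_lines "$1" && check_otp_order "$1" && echo "OK: $1"
fi
```

Keep an existing SSH session open while testing the edited file, so a mistake in the PAM stack cannot lock you out.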