This question may sound strange but it would improve acceptance of OTP a lot.
Is there a chance to use a whitelist of internal IP segment(s) where no OTP Auth is needed? For example: If the user is inside the company he should login normally just with his name+password. If he’s outside OTP should be mandantory.
Logical thinking, but what if your internal accounts were compromised, and attackers can easily access all the data. Better to keep it on for everyone. My 2 cents. You either need it or you don’t.
Yes, you can do this with pam_access.so. This recipe was taken from the wiki for the Google Authenticator:
A useful PAM recipe is to allow skipping two-factor authentication when the connection originates from certain sources. This is already supported by PAM. For example, the pam_access module can be used to check the source against local subnets:
skip one-time password if logging in from the local network
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so
In this case, access-local.conf looks like:
only allow from local IP range
- : ALL : 10.0.0.0/24
- : ALL : LOCAL
- : ALL : ALL
Thus login attempts from 10.0.0.0/24 will not require two-factor authentication.
There you have it.
I am trying to enable two factor authentication for external ip addresses. Can you give me more detail about this procedure?
In general this is a bad idea as outlined by our security experts in https://github.com/nextcloud/server/issues/2035