On 12/11/15 4:08 AM, Stefan Müller-Wilken wrote:
Well, also an approach, but restricted to SSH only. My requirement is to conditionally include PAM modules, so tuning httpd will not suffice, I'm afraid. But thanks for the idea!
I don't think the PAM stack itself can be conditional, but the modules in the stack can do conditional processing. If you have a second-factor authentication mechanism included in the stack and listed as "requisite", then it can do the address range checking work and (if the address is OK) return success to continue the authentication process or (if the address is suspicious) perform additional authentication and deny immediately if bad.
I haven't used it, but there's a module called "pam_shield" that might be a good starting point on building such a beast.
-- James Carlson 42.703N 71.076W <[email protected]> _______________________________________________ openindiana-discuss mailing list [email protected] http://openindiana.org/mailman/listinfo/openindiana-discuss
