Perl or PHP Script that can tail /var/log/auth.log - two-factor authentication
Is there some way to write code that would accomplish what I'm about to type?
IF I see this (PAM-listfile: Refused user root for service ssh) in /var/log/auth.log, then do this.
another example....
IF I see this (Accepted password for root from) in /var/log/auth.log, then do this.
My "do this" would then be something related to PAM.
Essentially my goal is this:
If I ssh to my server from an IP address I've connected from before, then just let me in. If I ssh to my server from an IP address that I've never connected to from before, then you need to two-factor my authentication attempt.
I currently have two-factor authentication setup using PhoneFactor. My /etc/pam.d/ssh config looks like this:
# PAM configuration for the Secure Shell service
auth required pam_listfile.so item=rhost sense=allow file=/etc/ssh/ssh.allow onerr=fail
auth sufficient /lib/security/pam_radius_auth.so
The first auth required looks at a file that contains IP addresses. If your IP is in here, you will receive a phone call (the second auth required line). If you press # after receiving the phone call, you gain access to the shell.
If your IP address is not in the ssh/ssh.allow file, you still get a phone call. If you press # after receiving the phone call, you are denied access to the shell because your IP is not in the "whitelist" file.
The goal is:
If I'm in the whitelist, don't PhoneFactor me, just let me in.
If I'm not in the whitelist, PhoneFactor me, then let me in. Then somehow I'll write a script that adds the IP address I just connected from to the whitelist.
Currently, like I said, I get a PhoneFactor call no matter what. But, if my IP is not in the ssh.allow file, I'm denied.
Any suggestions on completing this task? Custom PAM module that will look at one condition and if met, pass it on? Or, if the condition isn't met, pass it on to something else?
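The log-watching half of this, as an added example in Python rather than Perl or PHP (not code from the post): it follows auth.log like tail -f, matches sshd's "Accepted ... from <rhost>" lines, and records any rhost not already in the pam_listfile allow file. The sample lines and file paths are constructed, and it assumes sshd logs the client IP rather than a hostname (UseDNS no), since pam_listfile item=rhost compares against PAM_RHOST.

```python
import re
import time
# Constructed sample auth.log lines in sshd's format (not taken from the post).
SAMPLE_LOG = [
    "Jan  5 10:01:02 bastion sshd[4242]: PAM-listfile: Refused user root for service ssh",
    "Jan  5 10:01:09 bastion sshd[4242]: Accepted password for root from 203.0.113.5 port 51234 ssh2",
    "Jan  5 10:02:11 bastion sshd[4300]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2",
    "Jan  5 10:04:30 bastion sshd[4320]: Accepted password for root from 203.0.113.5 port 51300 ssh2",
]
# sshd logs "Accepted <method> for <user> from <rhost> port <n> ssh2" on success.
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def parse_accepted(line):
    """Return (method, user, rhost) for a successful-login line, else None."""
    m = ACCEPTED_RE.search(line)
    return (m.group(1), m.group(2), m.group(3)) if m else None

def load_allowlist(path):
    """Read the pam_listfile allow file (one rhost per line); a missing file is empty."""
    try:
        with open(path) as f:
            return {l.strip() for l in f if l.strip() and not l.startswith("#")}
    except FileNotFoundError:
        return set()

def process_lines(lines, allowed, allow_file=None):
    """Add each successful login's rhost to `allowed` (and allow_file if given); return the new ones."""
    added = []
    for line in lines:
        hit = parse_accepted(line)
        if hit is None or hit[2] in allowed:
            continue
        allowed.add(hit[2])
        added.append(hit[2])
        if allow_file:
            with open(allow_file, "a") as f:
                f.write(hit[2] + "\n")
    return added

def follow(path):
    """Yield lines appended to path after startup, like `tail -f`."""
    with open(path) as f:
        f.seek(0, 2)  # start at the current end of file
        while True:
            line = f.readline()
            if line:
                yield line
            else:
                time.sleep(1)
```

On a real host run `process_lines(follow("/var/log/auth.log"), load_allowlist("/etc/ssh/ssh.allow"), "/etc/ssh/ssh.allow")` as root; note that whoever can write that file can skip the second factor, so keep it root-owned. On the PAM side, the conditional skip asked about is what the Linux-PAM control `[success=1 default=ignore]` on the pam_listfile line expresses: a listed rhost jumps over the following pam_radius_auth line, an unlisted one falls through to it.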