Deterministic PAM-based authentication?

[Paul Lussier]

Hi all,

Does anyone here know how to hack PAM such that it can
deterministically enforce different authentication schemes based on
some criteria (like a source IP address?)

For example, I want to enforce the use of OTPs if ssh'ing to a system
from outside our firewall, but allow the use of krb5 authentication if
ssh'ing to the system from within our network.

I'm not entirely sure how to get PAM to do this.  Setting up the OTP
was pretty easy, and that works just fine.  krb5 auth was similarly
simple.  But I'm kind of stumped on how to configure it to use krb5 auth
for an internal connection and force otp for an external one.

-- 

Seeya,
Paul