Description
Is your feature request related to a problem?
When SSH is configured with UsePAM and PAM's SSH service includes pam_u2f, it will attempt to authenticate the user against a local u2f token (one attached to the server running sshd). PAM's SSH service shouldn't include pam_u2f, but PAM service configs are often shared. See, e.g., NixOS/nixpkgs#166076.
Describe the solution that you'd like
Check if PAM_RHOST is set and something other than "localhost". See how pam_fprintd does this:
Fprintd also optionally integrates with libsystemd, but I'm not sure if that's strictly speaking required (checking RHOST should be sufficient, as far as I can tell).
Describe the alternatives that you've considered
The alternative is to educate users and/or get distros to fix their PAM configs, but, IMO, it still makes sense to have a sanity check in pam_u2f.
Additional context
I'm happy to submit a PR to check PAM_RHOST (it seems simple enough). Linking in libsystemd requires messing with the build system, so I'm probably not the best person to attempt that.
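The PAM_RHOST check proposed above, as an added example (not pam_u2f's own code): `rhost_is_remote` applies the rule from the issue (item set and not "localhost" means a remote client), and `skip_if_remote` shows the PAM glue that would return PAM_IGNORE so the rest of the stack still runs. The names `rhost_is_remote`, `skip_if_remote` and the `HAVE_PAM_HEADERS` guard are assumptions; the guard only exists so the decision function builds without libpam headers.

```c
/* Added example, not code from pam_u2f. Decide whether a PAM request
 * comes from a remote client by inspecting PAM_RHOST, as proposed in the issue. */
#include <string.h>

/* Pure decision function. Returns 1 when the client is remote.
 * NULL means the item was never set (purely local service); "" means it was
 * set but empty, which local services such as login also produce. Both are
 * treated as local; any other value except "localhost" is treated as remote. */
int rhost_is_remote(const char *rhost) {
    if (rhost == NULL || rhost[0] == '\0')
        return 0;
    if (strcmp(rhost, "localhost") == 0)
        return 0;
    return 1;
}

#ifdef HAVE_PAM_HEADERS /* assumed guard so the block builds without libpam */
#include <syslog.h>
#include <security/pam_modules.h>
#include <security/pam_ext.h>

/* Returns PAM_IGNORE for remote clients (e.g. an sshd session) so the module
 * neither prompts for a token on the server nor fails the stack; returns
 * PAM_SUCCESS when the caller should continue with the normal U2F flow. */
int skip_if_remote(pam_handle_t *pamh) {
    const void *rhost = NULL;
    if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
        rhost = NULL; /* treat lookup failure like an unset item */
    if (rhost_is_remote((const char *)rhost)) {
        pam_syslog(pamh, LOG_DEBUG,
                   "client %s is remote, skipping local U2F token",
                   (const char *)rhost);
        return PAM_IGNORE;
    }
    return PAM_SUCCESS;
}
#endif
```

In a module's pam_sm_authenticate this check would run before any token interaction, and a distro config that shares the SSH service stack with pam_u2f then degrades to "not applicable" instead of a confusing local-token prompt.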