I have an OpenSSH 5.9p1 server running on Ubuntu Precise 12.04 which accepts connections from both the internal network and the Internet. I'd like to require public key authentication for connections from the Internet, but accept either public key or password authentication for connections from the internal network. Can I configure OpenSSH to implement this?
1 Answer
The Match directive in /etc/ssh/sshd_config allows you to selectively apply configuration directives. One of the available match criteria is the source address of the connection, and so this can be used to implement what you want. You can disable password authentication by default, and then enable it for connections from internal network IP ranges. (Note that you also want to disable ChallengeResponseAuthentication in order to prevent passwords being used.) This example allows password authentication from all RFC1918 private IP ranges. See the sshd_config manpage for more details.
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
    PasswordAuthentication yes
Note that the Match block should be added to the end of the file; otherwise everything that follows it will be matched until the next Match block. Bad positioning of the Match block may make it impossible to connect.
- Please note: if you do this and forward SSH from some publicly accessible machine (jumphost) to a machine with the above config (internal host) you could still open yourself up for attack as the source IP of the jumphost would be an RFC1918 address and allow password authentication to your internal host. – c4urself Nov 27 '17 at 15:24
- 9.5 years after the original answer it resolved my problem... And you don't have to put the match at the end of the file anymore. https://unix.stackexchange.com/questions/67334/openssh-how-to-end-a-match-block "To end up a match block with openssh 6.5p1 or above, use the line: Match all" – Griffin Dec 13 '21 at 12:14
- @c4urself Obviously, the configuration we're discussing here should go on the jumphost. That's the machine that should have this config that allows the internal interface to accept passwords but the public interface only accepts keys. If the attacker takes control of your jumphost, you'll be in serious pain in any case. – Mikko Rantalainen May 11 '22 at 12:56