Requiring SSH-key Login From Specific IP Ranges

Posted by Sean M on Server Fault See other posts from Server Fault or by Sean M
Published on 2010-03-16T21:14:44Z Indexed on 2010/03/18 4:41 UTC
Read the original article Hit count: 515

I need to be able to access my server (Ubuntu 8.04 LTS) from remote sites, but I'd like to worry a bit less about password complexity. Thus, I'd like to require that SSH keys be used for login instead of name/password. However, I still have a lot to learn about security, and having already badly broken a test box when I was trying to set this up, I'm acutely aware of the chance of screwing myself while trying to accomplish this. So I have a second goal: I'd like to require that certain IP ranges (e.g. 10.0.0.0/8) may log in with name/password, but everyone else must use an SSH key to log in.

How can I satisfy both of these goals?

There already exists a very similar question here, but I can't quite figure out how to get to what I want from that information.

Current tactic: reading through the PAM documentation (pam_access looks promising) and looking at /etc/ssh/sshd_config.


Edit: Alternatively, is there a way to specify that certain users must authenticate with SSH keys, and others may authenticate with name/password?


Solution that's currently working:

# Globally deny logon via password, only allow SSH-key login.  
PasswordAuthentication no  

# But allow connections from the LAN to use passwords.  
Match Address 192.168.*.*  
    PasswordAuthentication yes  

The Match Address block can also usefully be a Match User block, answering my secondary question. For now I'm just chalking the failure to parse CIDR addresses up to a quirk of my install, and resolving to try again when I go to Ubuntu 10.04 not too long from now. PAM turns out not to be necessary.

© Server Fault or respective owner

Related posts about ssh

Related posts about access-control