Requiring SSH-key Login From Specific IP Ranges
Posted
by Sean M
on Server Fault
See other posts from Server Fault
or by Sean M
Published on 2010-03-16T21:14:44Z
Indexed on
2010/03/18
4:41 UTC
Read the original article
Hit count: 515
I need to be able to access my server (Ubuntu 8.04 LTS) from remote sites, but I'd like to worry a bit less about password complexity. Thus, I'd like to require that SSH keys be used for login instead of name/password. However, I still have a lot to learn about security, and having already badly broken a test box when I was trying to set this up, I'm acutely aware of the chance of screwing myself while trying to accomplish this. So I have a second goal: I'd like to require that certain IP ranges (e.g. 10.0.0.0/8) may log in with name/password, but everyone else must use an SSH key to log in.
How can I satisfy both of these goals?
There already exists a very similar question here, but I can't quite figure out how to get to what I want from that information.
Current tactic: reading through the PAM documentation (pam_access looks promising) and looking at /etc/ssh/sshd_config.
Edit: Alternatively, is there a way to specify that certain users must authenticate with SSH keys, and others may authenticate with name/password?
Solution that's currently working:
# Globally deny logon via password, only allow SSH-key login. PasswordAuthentication no # But allow connections from the LAN to use passwords. Match Address 192.168.*.* PasswordAuthentication yes
The Match Address block can also usefully be a Match User block, answering my secondary question. For now I'm just chalking the failure to parse CIDR addresses up to a quirk of my install, and resolving to try again when I go to Ubuntu 10.04 not too long from now. PAM turns out not to be necessary.
© Server Fault or respective owner