LinuxQuestions.org - Blocking SSH passwords *only* for remote users

- Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)

- - Blocking SSH passwords *only* for remote users (https://www.linuxquestions.org/questions/linux-security-4/blocking-ssh-passwords-%2Aonly%2A-for-remote-users-4175726956/)

compata

07-14-2023 04:44 PM

Blocking SSH passwords *only* for remote users

I know how to enable SSH password access and how to prohibit it and require key access instead. What isn't obvious is whether I can do both on the same system for different users.

What I want is to allow password access for anyone connecting on my LAN but require keys for anyone connecting from the world. I suppose I could do that by running two different SSH daemons (on different ports) but I wonder if there is a more straight-forward method.

michaelk

07-14-2023 06:25 PM

ssh has a match directive that should work.

Code:

PasswordAuthentication no

ChallengeResponseAuthentication no



Match address 192.168.1.0/24

    PasswordAuthentication yes

Match all

Change the address to match your LAN subnet.

compata

07-14-2023 07:50 PM

Thanks, michealk. I would have been surprised if there wasn't something like that.

Turbocapitalist

07-15-2023 12:25 AM

OpenSSH has some of the better reference manual pages out there. For the manual pages which are well written, it is an especially good habit to check them periodically when trying new things or revisiting an old task.

So be sure to follow up on that by reading up on the Match directive in the relevant manual page: "man sshd_config"

All times are GMT -5. The time now is 01:49 PM.