2

When reading How do I restrict a specified SSH user to connect only from one IP or hostname? I came close to solving a problem I have with specific logins - but it does not cover my case.

I need to ensure that an ssh connection to my host coming from anything else than 192.168.10.0/24 is authenticated via a key. Connections from 192.168.10.0/24 can use both (or only password based if this is a problem).

The ssh_config man page mentions in the PATTERNS section that

the following entry (in authorized_keys) could be used:

from="!*.dialup.example.com,*.example.com"

This would allow for a solution exactly opposite to mine: that some sources are not allowed to use keys but I do not see how to turn it into my need.

How to force the use of ssh keys when the client does not connect from certain IPs?

WoJ
  • 1,315
  • 6
  • 19
  • 34

1 Answers1

2

According to the man page you can divide your /etc/sshd_config in sections that match hosts, the first section that matches being used:

So you could have:

# everything for your local hosts
Host 192.168.*.*
[...]
RSAAuthentication yes
PasswordAuthentication yes
[...]

# Everything for other hosts
Host * 
[...]
RSAAuthentication yes
PasswordAuthentication no
[...]

To avoid all that duplication, there seems to be away to have blocks that are valid for specific hosts:

Host * 
[...]
RSAAuthentication yes
[...]
Match 192.168.*.*
    PasswordAuthentication yes
Match all
xenoid
  • 5,504
  • Excellent, thank you. The second block does not seem to be right, though: all clients would be required to use keys, and 192.168.*.* would be denied passwords. I would have added a ! in front of the match but this is a too small of an edit to be accepted. – WoJ Mar 01 '19 at 07:54
  • Or just PasswordAuthentication yes instead of no, assuming that the default is no to account for the Host * earlier. I will test all that when back home (from vacation, as you are from the same region as I am :)). – WoJ Mar 01 '19 at 08:02
  • Yes, Actually meant PasswordAuthentication yes. Answer corrected. – xenoid Mar 01 '19 at 08:03