
When reading How do I restrict a specified SSH user to connect only from one IP or hostname? I came close to solving a problem I have with specific logins - but it does not cover my case.

I need to ensure that an ssh connection to my host coming from anything other than 192.168.10.0/24 is authenticated via a key. Connections from 192.168.10.0/24 can use both (or only password-based if this is a problem).

The ssh_config man page mentions in the PATTERNS section that the following entry (in authorized_keys) could be used:

from="!*.dialup.example.com,*.example.com"

This would allow for a solution exactly opposite to mine: that some sources are not allowed to use keys but I do not see how to turn it into my need.

How to force the use of ssh keys when the client does not connect from certain IPs?

WoJ
  • 1,345

1 Answer


According to the man page you can divide your /etc/sshd_config into sections that match hosts, the first section that matches being used:

So you could have:

# everything for your local hosts
# (sshd_config has no "Host" keyword; the server-side equivalent is a
#  Match block with an Address criterion. "RSAAuthentication" only ever
#  applied to protocol 1 and has been removed; the protocol 2 keyword is
#  PubkeyAuthentication.)
Match Address 192.168.*.*
    [...]
    PubkeyAuthentication yes
    PasswordAuthentication yes
    [...]

# Everything for other hosts
# (only the first Match block that sets a keyword is applied, so this
#  block never overrides the local-network one above)
Match All
    [...]
    PubkeyAuthentication yes
    PasswordAuthentication no
    [...]

To avoid all that duplication, there seems to be a way to have blocks that are valid for specific hosts:

# global defaults: no header is needed in sshd_config, everything before
# the first Match line applies to every connection
[...]
PubkeyAuthentication yes
PasswordAuthentication no
[...]
# override only for the local network
Match Address 192.168.*.*
    PasswordAuthentication yes
Match All
xenoid
  • 5,759
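To check that a Match-based sshd_config actually yields the intended policy for a given client address, the following is an added example (not part of the answer above and not OpenSSH code): a small Python model of how sshd resolves Address criteria and Match blocks, following the sshd_config(5) rules that a CIDR block or a wildcard pattern may appear in an Address criterion, that a "!"-negated entry excludes, and that when several Match blocks apply only the first instance of a keyword is used, with the global section as the fallback. The config text is constructed for the example and implements the question's requirement (passwords only from 192.168.10.0/24, keys everywhere else); the model deliberately handles only the Address and All criteria and the "Keyword value" line form, which is an assumption, not the full sshd grammar.

```python
import fnmatch
import ipaddress

# Constructed sshd_config fragment for the example (not the answer's file):
# password logins only from 192.168.10.0/24, key authentication elsewhere.
SSHD_CONFIG = """
# global defaults, applied to every connection unless a Match block overrides
PubkeyAuthentication yes
PasswordAuthentication no

# local network: keys or passwords
Match Address 192.168.10.0/24
    PasswordAuthentication yes

# everything else: keys only (already the global default, repeated for clarity)
Match All
    PasswordAuthentication no
"""


def address_matches(pattern, addr):
    """Evaluate one comma-separated Address criterion against a client address.

    Entries may be CIDR blocks or wildcard patterns; a leading '!' negates an
    entry. A negated entry that matches rejects the whole criterion, and a
    negated entry never produces a match on its own (sshd_config(5) PATTERNS).
    """
    ip = ipaddress.ip_address(addr)
    matched = False
    for item in pattern.split(","):
        negate = item.startswith("!")
        item = item.lstrip("!")
        if "/" in item:
            hit = ip in ipaddress.ip_network(item, strict=False)
        else:
            # '*' and '?' wildcards on the textual address (simplified model)
            hit = fnmatch.fnmatchcase(addr, item)
        if hit and negate:
            return False
        if hit:
            matched = True
    return matched


def parse_sshd_config(text):
    """Split the config into blocks: [(None, globals), (criteria, settings), ...].

    Within a block the first occurrence of a keyword wins, as in sshd.
    Only the 'Keyword value' form is handled (assumption for this model).
    """
    blocks = [(None, {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword = keyword.lower()
        if keyword == "match":
            blocks.append((value.strip(), {}))
        else:
            blocks[-1][1].setdefault(keyword, value.strip())
    return blocks


def block_applies(criteria, addr):
    """True if a Match block's criteria are satisfied for this client address."""
    if criteria is None:
        return True
    tokens = criteria.split()
    if len(tokens) == 1 and tokens[0].lower() == "all":
        return True
    if len(tokens) % 2:
        raise ValueError("Match expects criteria-pattern pairs: " + criteria)
    for crit, pat in zip(tokens[::2], tokens[1::2]):
        if crit.lower() != "address":
            raise ValueError("this model only evaluates Address criteria: " + crit)
        if not address_matches(pat, addr):
            return False
    return True


def effective_setting(text, addr, keyword):
    """Resolve a keyword the way sshd does: first satisfied Match block that
    sets it wins; otherwise fall back to the global section."""
    blocks = parse_sshd_config(text)
    keyword = keyword.lower()
    for criteria, settings in blocks[1:]:
        if block_applies(criteria, addr) and keyword in settings:
            return settings[keyword]
    return blocks[0][1].get(keyword)


def password_allowed(addr, text=SSHD_CONFIG):
    """Policy question from the thread: may this client log in with a password?"""
    return effective_setting(text, addr, "PasswordAuthentication") == "yes"


if __name__ == "__main__":
    for client in ("192.168.10.42", "192.168.11.1", "203.0.113.7"):
        print(client, "password:", password_allowed(client),
              "pubkey:", effective_setting(SSHD_CONFIG, client, "PubkeyAuthentication"))
```

On a real server the authoritative check is sshd's own test mode, which prints the effective configuration for a simulated connection: `sshd -T -C addr=192.168.10.42 | grep -i passwordauthentication`, repeated with an address outside the subnet. Note that a wildcard such as 192.168.*.* covers the whole 192.168.0.0/16 range, so the question's 192.168.10.0/24 requirement is better expressed as a CIDR block.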