2

I am trying to satisfy a weird case, so bear with me please.

I want to use [don't gasp] graphical Windows tools (like WinSCP, PuTTY, etc) with signed OpenSSH keys. These tools don't support signed keys. But they do support a whole lot of "forwarding" and "proxy" methods.

I can set them up with a "local proxy" that actually executes OpenSSH command with the signed keys to the same server and setups up a tunnel: local port 2222 forwards to server's 127.0.0.1:22

Great, now the Windows tools can execute ssh/scp commands over the already-authenticated tunnel... but the first thing they try to do is: open ssh and authenticate (and they can't pass a signed key...).

So, since I already authenticated on the tunnel, can I configure the remote machine's ssh server to NOT ask nor for password, nor key, if the connection attempt is done over 127.0.0.1:22?

Please note I am not talking about a "jump" server to reach "remote". I only have 1 "remote" server.

TL;DR:

On my Ubuntu server, I want to do ssh user@127.0.0.1 and not be asked for key or password, but only if request came from 127.0.0.1

Slav
  • 143

2 Answers2

6

You can set an empty password for the user and allow authentication with empty passwords from the localhost, by adding these lines to the top of the file /etc/ssh/sshd_config:

Match Address 127.0.0.*
  PermitEmptyPasswords yes

That makes OpenSSH accept "none" authentication:

The available authentication methods are: “gssapi-with-mic”, “hostbased”, “keyboard-interactive”, “none” (used for access to password-less accounts when PermitEmptyPasswords is enabled), “password” and “publickey”.

WinSCP and PuTTY try "none" authentication automatically. So they should not even ask for the (empty) password.

Thanks to @pa4080 for suggesting a simplification of my solution.

Martin Prikryl
  • 451
0

Match Address 127.0.0.* PermitEmptyPasswords yes

Putting this at the top of my sshd config file causes my OpenSSH server to crash (Ubuntu 19.04) and not recover after a reboot. Putting it at the bottom of the file is the specified method (see the commented out section at the bottom of the file).

Quote from ref below:

If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.<<

Reference: https://man.openbsd.org/sshd_config#AuthenticationMethods

D. Cole
  • 1