
I need to be able to access my server (Ubuntu 8.04 LTS) from remote sites, but I'd like to worry a bit less about password complexity. Thus, I'd like to require that SSH keys be used for login instead of name/password. However, I still have a lot to learn about security, and having already badly broken a test box when I was trying to set this up, I'm acutely aware of the chance of screwing myself while trying to accomplish this. So I have a second goal: I'd like to require that certain IP ranges (e.g. 10.0.0.0/8) may log in with name/password, but everyone else must use an SSH key to log in.

How can I satisfy both of these goals?

There already exists a very similar question here, but I can't quite figure out how to get to what I want from that information.

Current tactic: reading through the PAM documentation (pam_access looks promising) and looking at /etc/ssh/sshd_config.


Edit: Alternatively, is there a way to specify that certain users must authenticate with SSH keys, and others may authenticate with name/password?


Solution that's currently working:

    # Globally deny logon via password, only allow SSH-key login.
    PasswordAuthentication no
    # But allow connections from the LAN to use passwords.
    Match Address 192.168.*.*
        PasswordAuthentication yes

The Match Address block can also usefully be a Match User block, answering my secondary question. For now I'm just chalking the failure to parse CIDR addresses up to a quirk of my install, and resolving to try again when I go to Ubuntu 10.04 not too long from now. PAM turns out not to be necessary.

1 Answer

Not sure how PAM would need to fit into this. With a recent version of SSH (like what is available on 8.04) it should be as easy as using a Match block for the address space you wish to allow.

So your sshd_config should contain something like this.

    # global option no password auth (keys only)
    PasswordAuthentication no
    # permit password from rfc1918
    Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
        PasswordAuthentication yes
  • I see that I was looking in the wrong place. Commented Mar 16, 2010 at 23:07
  • Drat. The "Match" isn't parsing correctly, resulting in a global requirement to log on with keys. Commented Mar 16, 2010 at 23:26
  • Are you sure you got the syntax right for the net/mask? I did test the above on my 9.10 system, and checked the sshd_config man page on a 8.04 system to make sure the Match was documented there. Commented Mar 16, 2010 at 23:43
  • I copied and pasted - I will consult the man page on the given system and try again. Commented Mar 16, 2010 at 23:49
  • Try with just a single network instead of a list maybe? Commented Mar 16, 2010 at 23:54
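Added here as an illustration, not code from the question or the answer: a small Python model of how sshd resolves PasswordAuthentication for a given client address from the global setting plus Match Address blocks, covering both the CIDR list in the answer and the 192.168.*.* wildcard form the asker ended up using. The sample config and the client addresses are constructed; only Match Address is modelled.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample: keys only by default; passwords permitted from two RFC 1918
# CIDR ranges (the answer's form) and from 192.168.*.* (the asker's wildcard form).
SAMPLE_CONFIG = """
# Globally deny password logins, keys only
PasswordAuthentication no
Match Address 10.0.0.0/8,172.16.0.0/12
    PasswordAuthentication yes
Match Address 192.168.*.*
    PasswordAuthentication yes
"""

def address_matches(pattern, addr):
    """One Match Address pattern: CIDR such as 10.0.0.0/8, else a glob like 192.168.*.*."""
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return fnmatchcase(addr, pattern)

def parse_config(text):
    """Return (global options, ordered [(address patterns, options)] Match blocks)."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        key = key.lower()  # sshd keywords are case-insensitive
        if key == "match":
            criterion, _, patterns = value.partition(" ")
            if criterion.lower() != "address":  # only Match Address is modelled here
                raise ValueError("unsupported Match criterion: " + criterion)
            current = {}
            blocks.append((patterns.strip().split(","), current))
        else:
            (global_opts if current is None else current)[key] = value.strip()
    return global_opts, blocks

def effective_option(text, client_addr, keyword, default):
    """sshd semantics: the first matching Match block that sets the keyword
    overrides the global section; otherwise the global value, then the default."""
    global_opts, blocks = parse_config(text)
    for patterns, opts in blocks:
        if keyword in opts and any(address_matches(p, client_addr) for p in patterns):
            return opts[keyword]
    return global_opts.get(keyword, default)

def password_allowed(text, client_addr):
    return effective_option(text, client_addr, "passwordauthentication", "yes").lower() == "yes"
```

On OpenSSH releases that support it, `sshd -T -C addr=10.1.2.3,user=alice` prints the effective configuration sshd would apply to that connection, which is the authoritative way to check a Match block before relying on it.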
