6

I am trying to get an SSH server running Ubuntu 10.04 to allow password logons only when coming from the local network. For all other users, especially those logging in from the internet via the firewall, I want to force Key based authentication. I googled around and found the following.

Here's what I have changed in /etc/ssh/sshd_config:

PasswordAuthentication yes
Match Address 192.168.5.0/24
PasswordAuthentication yes

With that, I log in from another machine that has a 192.168.5.x address, but it won't let me in for lack of a public key: Permission denied (publickey).

Marco Ramos
senorsmile

2 Answers

9

This should do the trick:

PubkeyAuthentication yes
PasswordAuthentication no
Match Address 192.168.5.* PasswordAuthentication yes

The first two lines will enable pubkey authentication by default. The last line will override the other two lines for the matched network (192.168.5.0/24).

John Gardeniers
Marco Ramos
  • glad to help :) – Marco Ramos Apr 26 '11 at 22:04
  • Strictly speaking, the third line only overrides the second line -- local network users will still have the option to use pubkey authentication if they so choose, but can also elect to use their password instead. Personally, though, I see absolutely nothing wrong with that -- you're allowing passwords for users on the local network, requiring pubkey for users outside the local network, and as an added bonus allowing local users the option to use the exact same authentication method they use outside. – Kromey Apr 26 '11 at 23:41
2

The newline after the match condition is significant. This should work:

PasswordAuthentication no
Match Address 192.168.5.0/24
PasswordAuthentication yes

EDIT: I'm surprised the other answer worked! It didn't work for me. Well, this way you should be able to use a CIDR netmask.

Eduardo Ivanec
  • The only thing I edited in my file was to change 192.168.5.0/24 to 192.168.5* And that got it working. I left the newline which I originally had. – senorsmile Apr 26 '11 at 22:13
  • It must be something version-dependent - it seems OpenSSH 5.8 at least enforces the newline and allows CIDR netmasks. – Eduardo Ivanec Apr 26 '11 at 22:17
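Both answers turn on the same two rules of sshd_config: the global section supplies the default, and the first Match block whose criteria fit the connection overrides a keyword only for that connection. The following script is an added example for this thread, not code from the answers or from OpenSSH; it models those rules for the Address criterion only (CIDR when the pattern contains a slash, shell-style wildcards otherwise, a leading ! negates) and rejects the one-line Match form because the extra tokens are not valid Match criteria. The three configurations and the two client addresses embedded in it are constructed for the demonstration.

```python
"""Model sshd_config Match Address resolution for a given client address.

Added example, not OpenSSH code. Semantics modelled: the global section is
read first; within any section the first value given for a keyword wins;
the first Match block that fits the connection and sets the keyword
overrides the global value for that connection. Only the Address criterion
is evaluated here (assumption for this toy; real sshd also matches User,
Group, Host, LocalAddress and LocalPort).
"""
import fnmatch
import ipaddress

MATCH_CRITERIA = {"user", "group", "host", "address", "localaddress", "localport"}
# Built-in defaults for the two keywords the thread is about.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}


def parse_sshd_config(text):
    """Return (global_opts, blocks); each block is (criteria, opts)."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        keyword, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "match":
            tokens = rest.split()
            if len(tokens) % 2:
                raise ValueError(f"Match needs criterion/value pairs: {line!r}")
            criteria = []
            for crit, val in zip(tokens[::2], tokens[1::2]):
                if crit.lower() not in MATCH_CRITERIA:
                    # A keyword glued onto the Match line ends up here.
                    raise ValueError(f"Unsupported Match attribute {crit!r} in {line!r}")
                criteria.append((crit.lower(), val))
            current = {}
            blocks.append((criteria, current))
        else:
            # setdefault: the first value given for a keyword wins.
            (global_opts if current is None else current).setdefault(keyword, rest.strip())
    return global_opts, blocks


def address_matches(pattern_list, addr):
    """Comma-separated list of CIDR or wildcard patterns; '!' negates an entry."""
    ip = ipaddress.ip_address(addr)
    matched = False
    for pat in pattern_list.split(","):
        negate = pat.startswith("!")
        pat = pat.lstrip("!")
        if "/" in pat:
            hit = ip in ipaddress.ip_network(pat, strict=False)
        else:
            hit = fnmatch.fnmatchcase(addr, pat)
        if hit and negate:
            return False       # a matching negated entry vetoes the whole list
        matched = matched or hit
    return matched


def effective_option(config_text, keyword, addr):
    """Value sshd would use for `keyword` on a connection from `addr`."""
    global_opts, blocks = parse_sshd_config(config_text)
    keyword = keyword.lower()
    for criteria, opts in blocks:
        if keyword not in opts:
            continue
        if all(crit == "address" and address_matches(val, addr) for crit, val in criteria):
            return opts[keyword]
    return global_opts.get(keyword, DEFAULTS.get(keyword))


def check_lan_only_passwords(config_text, lan_addr="192.168.5.10", wan_addr="203.0.113.7"):
    """True when passwords are accepted from the LAN address but refused from the WAN one."""
    return (effective_option(config_text, "PasswordAuthentication", lan_addr) == "yes"
            and effective_option(config_text, "PasswordAuthentication", wan_addr) == "no")


# Constructed configs mirroring the thread: the question's version, the
# CIDR answer, the wildcard answer written on two lines, and the one-line form.
QUESTION_CFG = "PasswordAuthentication yes\nMatch Address 192.168.5.0/24\nPasswordAuthentication yes\n"
CIDR_CFG = "PubkeyAuthentication yes\nPasswordAuthentication no\nMatch Address 192.168.5.0/24\nPasswordAuthentication yes\n"
WILDCARD_CFG = "PasswordAuthentication no\nMatch Address 192.168.5.*\nPasswordAuthentication yes\n"
ONE_LINE_CFG = "PasswordAuthentication no\nMatch Address 192.168.5.* PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in [("question", QUESTION_CFG), ("cidr", CIDR_CFG), ("wildcard", WILDCARD_CFG)]:
        print(f"{name:9s} LAN-only passwords: {check_lan_only_passwords(cfg)}")
    try:
        parse_sshd_config(ONE_LINE_CFG)
    except ValueError as err:
        print("one-line Match rejected:", err)
```

The question's configuration never says "no" anywhere, so the model reports that passwords stay enabled from outside as well; both answers pass. On a real host the authoritative check is sshd itself: `sshd -t` validates the file, and `sshd -T -C addr=203.0.113.7` (or `addr=192.168.5.10`) prints the effective settings for a connection from that address, which is the quickest way to confirm which Match block applies before reloading the daemon.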