sshd question
Karl Auer
kauer at biplane.com.au
Wed Apr 22 08:22:59 UTC 2015
On Tue, 2015-04-21 at 08:26 +0200, Petter Adsen wrote:
> Can I set up sshd so that it requires key authentication on one
> interface, but allows password logins on another, or do I need to run
> two different sshd processes?
Try "man sshd_config", and read up on the "Match" directive:
    Match   Introduces a conditional block. If all of the criteria
            on the Match line are satisfied, the keywords on the
            following lines override those set in the global section
            of the config file, until either another Match line or
            the end of the file. If a keyword appears in multiple
            Match blocks that are satisfied, only the first
            instance of the keyword is applied.
I haven't tried the particular thing you are attempting, but the list of
things you can configure on a tuple-controlled basis (User, Group, Host,
LocalAddress, LocalPort, Address) does include, among heaps of other
things, PasswordAuthentication and PubkeyAuthentication, which should
let you do what you need to do.
You would allow PubkeyAuthentication globally, disallow
PasswordAuthentication globally, set up a Match block for the interface
where passwords are to be allowed and allow PasswordAuthentication in
that Match block. You might want to look at disallowing
PermitEmptyPasswords and PermitRootLogin, preferably globally but
definitely at least within that Match block...
Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389
GPG fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
Old fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
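
The layout described in the message above, written out as an sshd_config fragment. This is an added example, not part of the original post and not tested by its author. The address 192.0.2.10 is a constructed placeholder for the address sshd listens on at the interface where passwords are to be allowed, and the KbdInteractiveAuthentication line is an addition the post does not mention.

```conf
# /etc/ssh/sshd_config (fragment)

# --- Global section: applies to every connection unless a Match overrides it ---
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no

# Addition beyond the post: keyboard-interactive is a separate method that
# can also prompt for a password (for example through PAM), so it is
# switched off here to keep "no passwords" true on the key-only interface.
KbdInteractiveAuthentication no

# --- Per-interface override ---
# LocalAddress matches the local IP the connection arrived on, not an
# interface name, so use the address bound to the password-allowed interface.
# 192.0.2.10 is a constructed placeholder.
Match LocalAddress 192.0.2.10
    PasswordAuthentication yes
    # Restated inside the block, as the post suggests, so that a later
    # change to the global section cannot loosen these for password logins.
    PermitEmptyPasswords no
    PermitRootLogin no

# Match blocks run to the next Match line or the end of the file, so keep
# all global keywords above this point.

# Check before reloading (run as root):
#   sshd -t
# Show the effective settings for a connection arriving on a given local
# address (user, host and addr are constructed sample values):
#   sshd -T -C user=alice,host=client.example,addr=198.51.100.7,laddr=192.0.2.10,lport=22 | grep -i -E 'passwordauthentication|pubkeyauthentication|permitrootlogin'
# Repeat with the other interface's address as laddr and confirm
# "passwordauthentication no" is reported there.
```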