Only allow internal password ssh logins, always allow external ssh logins with key

debugcn Published at Dev

saleetzo

I'm trying to only allow external SSH connections with an ssh key, but allow internal ssh logins with a password. It seems like this is possible but I can't seem to make it work with the options that I am trying.

I thought the following entries in sshd_config would only permit root logins from the listed subnets -- is that wrong? It doesn't seem to work properly.

AllowUsers [email protected].*
AllowUsers [email protected].*

I'm unable to block the SSH ports on the network firewall since it will block the vendors from logging in with their SSH keys. Too late for me to change the ports to something higher. I basically just want to allow root to login from local IPs and remove the possibility of people attempting to try to ssh to root all day long. IPS rules are helping with that but i'd like to have the piece of mind that external login without a key is never going to work.

Patrick Mevzek

Something like:

AuthenticationMethods publickey
Match Address 192.168.0.0/16
    AuthenticationMethods publickey password

Adapting the IP block to what you need.

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at2021-07-8

Comments

0 comments

From Dev

Related Related

Article

Only allow internal password ssh logins, always allow external ssh logins with key

Only allow internal password ssh logins, always allow external ssh logins with key

How to allow unauthenticated logins over ssh on FreeBSD?

Allow password authentication in SSH only when there is no key in authorized_keys

How to allow SSH only with RSA key, and SFTP with password and chroot?

How do I completely disable password ssh logins?

Is there a way to have parse allow Facebook Logins?

Only allow SSH incoming and outgoing

about number of failed ssh logins in ubuntu server

lockout local logins on reverse-ssh appliance

How can I disable ssh logins for accounts?

chain a series of SSH logins and process killing

Allow http access only from two selected IPs and get alerts for other attempted logins

How do I allow SFTP with a password BUT not SSH?

How do I allow SFTP with a password BUT not SSH?

How to allow only ssh and internet access with iptables?

Only allow one user on system to be SSH'd into

Bearer token for external logins

SSH with private key always require password

How to allow a user ssh using password only if he's using the local network?

How to only make one user authenticate via SSH keys and allow password authentication to all others

How can I allow SSH password authentication from only certain IP addresses?

How to restrict an SSH user to only allow SSH-tunneling?

How to Use who/w with Non-Interactive SSH logins

allow access to ssh and proftp from LAN and one external IP

Allow regular users to SSH using a private key they cannot read

Allow a UNIX group access to only a single file through SSH

How to only allow access to web server through SSH?

How can I allow SSH and SMTP only using IPTables?

VirtualBox allow ssh through NAT only after login local user

Allow reverse SSH tunnel but not simple SSH