I need to be able to access my server (Ubuntu 8.04 LTS) from remote sites, but I'd like to worry a bit less about password complexity. Thus, I'd like to require that SSH keys be used for login instead of name/password. However, I still have a lot to learn about security, and having already badly broken a test box when I was trying to set this up, I'm acutely aware of the chance of screwing myself while trying to accomplish this. So I have a second goal: I'd like to require that certain IP ranges (e.g. 10.0.0.0/8) may log in with name/password, but everyone else must use an SSH key to log in.
How can I satisfy both of these goals?
There already exists a very similar question here, but I can't quite figure out how to get to what I want from that information.
Current tactic: reading through the PAM documentation (pam_access looks promising) and looking at /etc/ssh/sshd_config.
Edit: Alternatively, is there a way to specify that certain users must authenticate with SSH keys, and others may authenticate with name/password?
Solution that's currently working:
# Globally deny logon via password, only allow SSH-key login.
PasswordAuthentication no
# But allow connections from the LAN to use passwords.
Match Address 192.168.*.*
PasswordAuthentication yes
The Match Address block can also usefully be a Match User block, answering my secondary question. For now I'm just chalking the failure to parse CIDR addresses up to a quirk of my install, and resolving to try again when I go to Ubuntu 10.04 not too long from now. PAM turns out not to be necessary.
Not sure how PAM would need to fit into this. With a recent version of SSH (like what is available on 8.04) it should be as easy as using a Match blocks for the address space you wish to allow.
So your sshd_config should contain something like this.