I have an OpenSSH 5.9p1 server running on Ubuntu Precise 12.04 which accepts connections from both the internal network and the Internet. I'd like to require public key authentication for connections from the Internet, but accept either public key or password authentication for connections from the internal network. Can I configure OpenSSH to implement this?
The Match directive in /etc/ssh/sshd_config allows you to selectively apply configuration directives. One of the available match criteria is the source address of the connection, and so this can be used to implement what you want. You can disable password authentication by default, and then enable it for connections from internal network IP ranges. (Note that you also want to disable ChallengeResponseAuthentication in order to prevent passwords being used.)

This example allows password authentication from all RFC1918 private IP ranges. See the sshd_config manpage for more details.

Note that the Match block should be added to the end of the file, otherwise everything that follows it would be matched until the next Match block. Bad positioning of the Match block may cause an inability to connect.
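
A configuration along the lines the answer describes, written here as an added example and not the answerer's own snippet. It assumes the internal network uses only the three RFC1918 ranges and that no other Match blocks exist in the file.

```sshd_config
# /etc/ssh/sshd_config (fragment, added example)

# Global defaults: these apply to every connection, including
# connections from the Internet. Only public keys are accepted.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# ... every other global directive must appear above this point ...

# Keep this block at the very end of the file. Any directive written
# below a Match line is part of that block until the next Match line,
# so a global setting placed after it would silently apply to internal
# clients only.
Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
    # Override for RFC1918 sources only: passwords are accepted in
    # addition to public keys.
    PasswordAuthentication yes
```

Running `sshd -t` checks the edited file for syntax errors before the daemon is reloaded, which catches a misplaced or malformed Match block while an existing session is still open.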