Ping a Specific Port

Question

LonnieBest

Asked: 2013-09-28 22:08:08 +0800 CST2013-09-28 22:08:08 +0800 CST 2013-09-28 22:08:08 +0800 CST

Disable Password Authentication for Remote Users Only

772

I've read how it is possible to disable password authentication on an Ubuntu server. However, is it possible to disable this for remote users only?

I'm afraid that, if I enable this both locally and remotely (as designed), I will ultimately lose the key and lock myself out (over time). If I were able to disable password authentication for remote users only, losing the key wouldn't be so tragic; I could simply go to the LAN and login with a password and create a new key.

3 Answers

Voted

dawud · Answer 1 · 2013-09-29T05:28:51+08:00

From the sshd_config(5) manpage:

 Match   Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another
         Match line or the end of the file.

         The arguments to Match are one or more criteria-pattern pairs.  The available criteria are User, Group, Host, LocalAddress, LocalPort, and Address.  The match patterns may consist of single entries or comma-
         separated lists and may use the wildcard and negation operators described in the PATTERNS section of ssh_config(5).

         The patterns in an Address criteria may additionally contain addresses to match in CIDR address/masklen format, e.g. “192.0.2.0/24” or “3ffe:ffff::/32”.  Note that the mask length provided must be consistent
         with the address - it is an error to specify a mask length that is too long for the address or one with bits set in this host portion of the address.  For example, “192.0.2.0/33” and “192.0.2.0/8” respectively.

This means that, assuming 10.0.0.0/24 to be your LAN, you can have PasswordAuthentication disabled in the main configuration and a Match block like this:

    ....
    PasswordAuthentication No
    ....
Match Address 10.0.0.0/24
    PasswordAuthentication Yes

deagh · Answer 2 · 2013-09-28T22:28:55+08:00

deagh

2013-09-28T22:28:55+08:002013-09-28T22:28:55+08:00

You can put all remote users into a local (additional) group ex. 'remoteusr' and disallow login with password in 'sshd_config'

Match Group remoteusr
      PasswordAuthentication no

2

tylerl · Answer 3 · 2013-09-28T23:12:18+08:00

tylerl

2013-09-28T23:12:18+08:002013-09-28T23:12:18+08:00

An option I've seen used before is to run two instances of sshd reading from separate config files. Your default one listens for normal SSH traffic, configured as securely as you want.

The second instance is your "back door", which listens only on a separate port or separate IP, perhaps with appropriate firewall rules to prevent access from outside the network. It's configured differently; perhaps allowing password auth, perhaps allowing access to accounts that are disallowed in the primary, etc.

1

Disable Password Authentication for Remote Users Only

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?