I want to allow anybody in the 192.168.1.0-192.168.1.255 range to be able to log in with a password or an SSH key, but people outside that range to only be able to log in with an SSH key.
Can this be accomplished without more than one sshd?
I'm on Ubuntu 9.04.
This is untested, but setting up something like this at the very end of sshd_config should work:

Basically you're globally allowing public key auth, globally disallowing password auth, and then specifically re-allowing password authentication for anyone in the 192.168.1.0/24 subnet.
Edit: You probably already have the first three lines elsewhere in your config. If you do, they do not need to be added again. However, the "Match" block must be at the end of the file.
Also, the RSAAuthentication keyword is specific to SSH v1, which you don't allow, right?

Yes, I think so. You can use the AllowUser and MatchUser directives in the sshd_config file to set up per-user configuration directives.
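The layout the answer above describes (public key auth on globally, password auth off globally, password auth re-enabled in a trailing Match Address block) as an added example that is not part of the answer: a small resolver that parses such a snippet and reports which setting sshd would apply for a given client address. The config text is constructed for illustration, and the parser only understands CIDR lists on Match Address lines (no User/Group/Host criteria, wildcards or "!" negation).

```python
import ipaddress

# Constructed sshd_config snippet in the shape the answer describes
# (an illustration, not the poster's actual file).
SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Match blocks must come last: keywords below override the global
# values only for connections that satisfy the criteria.
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

def parse(text):
    """Return (global_settings, [(networks, settings), ...]) in file order."""
    globals_, blocks = {}, []
    current = globals_
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            crit = value.split()
            # Assumption: only "Match Address <cidr,...>" is handled here.
            if len(crit) != 2 or crit[0].lower() != "address":
                raise ValueError("unsupported Match line: " + line)
            nets = [ipaddress.ip_network(p, strict=False) for p in crit[1].split(",")]
            current = {}
            blocks.append((nets, current))
        else:
            current.setdefault(key, value)  # sshd keeps the first value it sees
    return globals_, blocks

def effective(text, key, addr):
    """Value of `key` that sshd would apply for a client connecting from `addr`."""
    ip = ipaddress.ip_address(addr)
    globals_, blocks = parse(text)
    for nets, settings in blocks:
        # The first matching Match block that sets the keyword wins.
        if any(ip in net for net in nets) and key.lower() in settings:
            return settings[key.lower()]
    return globals_.get(key.lower())

if __name__ == "__main__":
    for a in ("192.168.1.50", "10.0.0.5"):
        print(a, "PasswordAuthentication =", effective(SSHD_CONFIG, "PasswordAuthentication", a))
```

On the server itself, `sshd -T -C addr=192.168.1.50` (OpenSSH 5.1 or later) prints the effective configuration for that source address and is the authoritative check before restarting the daemon.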
I think you can make this work by configuring sshd with PAM and Pubkey auth, and then configure PAM to only allow access from certain subnets. This trickery works because sshd doesn't ask PAM anything about key based auth.
In /etc/ssh/sshd_config (I think these are the defaults anyways on Ubuntu) something like:
In /etc/pam.d/sshd uncomment the pam_access line (I believe on Ubuntu it's present in the right sequence but commented out):
In /etc/security/access.conf:
Note: I have not tested this at all.