When reading How do I restrict a specified SSH user to connect only from one IP or hostname? I came close to solving a problem I have with specific logins - but it does not cover my case.
I need to ensure that an ssh connection to my host coming from anything other than 192.168.10.0/24 is authenticated via a key. Connections from 192.168.10.0/24 can use both (or only password based if this is a problem).
The ssh_config man page mentions in the PATTERNS section that the following entry (in authorized_keys) could be used: from="!*.dialup.example.com,*.example.com"
This would allow for a solution exactly opposite to mine: that some sources are not allowed to use keys but I do not see how to turn it into my need.
How to force the use of ssh keys when the client does not connect from certain IPs?
According to the man page you can divide your /etc/sshd_config in sections that match hosts, the first section that matches being used:
So you could have:
To avoid all that duplication, there seems to be a way to have blocks that are valid for specific hosts:
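As an added example (not part of the original answer), an sshd_config fragment for the case in the question: key-only authentication by default, with passwords also accepted from 192.168.10.0/24. The user name alice and the addresses 203.0.113.7 and 192.168.10.20 in the comments are constructed test values.

```conf
# --- Global section: applies to every client unless a Match block overrides it ---

# Keys are accepted from everywhere.
PubkeyAuthentication yes

# Passwords are refused by default, so any source outside the trusted
# subnet has to authenticate with a key.
PasswordAuthentication no

# Keyboard-interactive (typically PAM) can also prompt for a password, so it
# is disabled here too. Older OpenSSH releases name this keyword
# ChallengeResponseAuthentication.
KbdInteractiveAuthentication no

# --- Match blocks go at the end of the file: a block runs until the next
# --- Match line or the end of the file, and its keywords override the
# --- global values for connections that satisfy the criteria.

# Clients in 192.168.10.0/24 may use a password as well as a key.
Match Address 192.168.10.0/24
    PasswordAuthentication yes

# To allow only passwords from that subnet (the alternative mentioned in the
# question), also add inside the block above:
#     PubkeyAuthentication no

# Checks to run before reloading sshd:
#   sshd -t
#       syntax check of the configuration file
#   sshd -T -C user=alice,host=client.example.com,addr=203.0.113.7
#       effective settings for an outside client;
#       expect "passwordauthentication no"
#   sshd -T -C user=alice,host=client.example.com,addr=192.168.10.20
#       effective settings for an inside client;
#       expect "passwordauthentication yes"
```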