Gentoo Forums
key-based auth on openssh dependent on the IP [SOLVED]
meyerm
Posted: Wed Feb 03, 2010 3:41 pm    Post subject: key-based auth on openssh dependent on the IP [SOLVED]

Hi,

I'd like my server to be reachable by SSH only for specific users and with a certificate from the internet. From the internal DMZ, root should be able to log in by using just a password. Root login from the internet isn't possible at all. It would be preferable if the users could log in with a password from the internal network.

With AllowUsers I can limit root login to the internal network and allow specific users a login from everywhere. But how can I limit the access from the outside to key-based authentication only, but keep the password-based login from the internal network (at least for root)?

Thanks,
M


boerKrelis
Posted: Wed Feb 03, 2010 7:31 pm

Why not run two SSH daemons with different configs?
And then use the iptables REDIRECT target to connect to the one or the other, depending on where the client is (DMZ, internal network, or internet).
f4u5t
Posted: Wed Feb 03, 2010 9:53 pm

Have a look at the "Match" keyword in sshd_config(5). Suppose your DMZ network is 10.0.0.0/24 and your internal network is 192.168.0.0/24 (or were you saying the DMZ and internal networks are the same?):

Code:

# internet
PermitRootLogin No
PasswordAuthentication No

# DMZ
Match Address 10.0.0.0/24
  PermitRootLogin Yes
  PasswordAuthentication Yes

# internal
Match Address 192.168.0.0/24
  PermitRootLogin No
  PasswordAuthentication Yes


Edit: not tested at all
boerKrelis
Posted: Thu Feb 04, 2010 12:06 am

meyerm wrote:

Edit: not tested at all

Nevertheless, looks much cleaner than running two daemons.
meyerm
Posted: Thu Feb 04, 2010 9:11 am

Hello you two,

thank you very much for your suggestions.

Two daemons are a nice workaround, but as you said already, not that clean. I also already thought about that but didn't like it so much.

The Match keyword on the other hand is great! I tried what you proposed and it worked. Just a little annoyance: even though the man page says your CIDR notation is possible, I was only able to get it to work with 10.* instead of 10.0.0.0/24. Not so nice, but in this case ok, since I don't need to distinguish subnets.

Then I also had to disable PAM - otherwise it always accepted passwords. If you spontaneously know how to prevent PAM from doing that (don't forget, password authentication should be allowed from the DMZ but not from the internet), it would be great. If not, it's not so much of a problem. It works for now :-)

So, thank you again!
timeBandit
Posted: Thu Feb 04, 2010 4:55 pm

I think you need to disable ChallengeResponseAuthentication as well as PasswordAuthentication, if you want to have PAM enabled but not let it prompt for passwords. Although I don't use Match keywords, I do have PAM enabled with public-key-only authentication--no password prompts ever, for any user--and I have that setting.
meyerm
Posted: Thu Feb 04, 2010 9:15 pm

Oh, indeed! ChallengeResponseAuthentication was the "problem". It is labeled with "Change to no to disable s/key passwords", so I thought it wouldn't influence the "normal" password authentication. But now I have a no-root/key-only authentication from the internet and a root/key/password login possibility from the DMZ. Exactly what I wanted. And that with PAM enabled.

Thank you very much to all three!
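As an added example (not code from anyone in this thread), here is the configuration the thread arrives at, together with a small Python model of how sshd resolves Match Address blocks, so the resulting policy can be checked per client address offline. The address-list handling (CIDR first, wildcard fallback such as 10.*, '!' negation, first matching block winning per keyword) models current OpenSSH behaviour; only the Address criterion is handled, and the config text is constructed for this example.

```python
import fnmatch
import ipaddress

# Constructed sshd_config mirroring the thread's final setup (added example, not
# the poster's real file). sshd rejects trailing comments, hence separate lines.
SSHD_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
# without this, PAM still offers a keyboard-interactive password prompt
ChallengeResponseAuthentication no
UsePAM yes
Match Address 10.0.0.0/24
    PermitRootLogin yes
    PasswordAuthentication yes
    ChallengeResponseAuthentication yes
"""

def address_matches(pattern_list, addr):
    """sshd 'Match Address': CIDR blocks or wildcards (10.*), '!' negates."""
    ip, matched = ipaddress.ip_address(addr), False
    for pat in (p.strip() for p in pattern_list.split(",")):
        negated, pat = pat.startswith("!"), pat.lstrip("!")
        try:
            hit = ip in ipaddress.ip_network(pat, strict=False)
        except ValueError:            # not CIDR: fall back to wildcard match
            hit = fnmatch.fnmatchcase(addr, pat)
        if hit and negated:           # a negated hit overrides any positive one
            return False
        matched = matched or hit
    return matched

def effective_config(config_text, client_addr):
    """Keywords sshd applies to client_addr (Address criterion only)."""
    globals_, blocks, current = {}, [], None
    for line in (l.strip() for l in config_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, value = line.lower().split(None, 1)
        if key == "match":
            blocks.append(current := {"addrs": value.split(None, 1)[1], "opts": {}})
        elif current is None:
            globals_[key] = value
        else:
            current["opts"][key] = value
    result = {}
    for block in blocks:
        if address_matches(block["addrs"], client_addr):
            for k, v in block["opts"].items():
                result.setdefault(k, v)   # first matching block wins per keyword
    return {**globals_, **result}         # globals fill whatever no block set
```

On a real host, `sshd -T -C user=root,host=client,addr=10.0.0.5` prints sshd's own effective settings for that connection and is the authoritative check.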