# key-based auth on openssh dependent on the IP [SOLVED]

## meyerm

Hi,

I'd like my server to be reachable by SSH only for specific users and with a certificate from the internet. From the internal DMZ root should be able to login by using just a password. root-login from the internet isn't possible at all. It would be preferable if the users could login with a password from the internal network.

With AllowUsers I can limit root-login to the internal network and allow specific users a login from everywhere. But how can I limit the access from the outside to key-based authentication only but keep the password based login from the internal (at least for root)?

Thanks,

M

Last edited by meyerm on Thu Feb 04, 2010 9:12 am; edited 1 time in total

----------

## boerKrelis

Why not run two SSH daemons with different configs?

And then use the iptables REDIRECT target to connect to the one or the other, depending on where the client is (DMZ, internal network, or internet).

----------

## f4u5t

Have a look at the "Match" keyword in sshd_config(5). Suppose your DMZ network is 10.0.0.0/24 and your internal network is 192.168.0.0/24 (or were you saying the DMZ and internal networks are the same?):

```
# internet
PermitRootLogin No
PasswordAuthentication No

# DMZ
Match Address 10.0.0.0/24
  PermitRootLogin Yes
  PasswordAuthentication Yes

# internal
Match Address 192.168.0.0/24
  PermitRootLogin No
  PasswordAuthentication Yes
```

Edit: not tested at all

----------

## boerKrelis

*meyerm wrote:*

> Edit: not tested at all

Nevertheless, looks much cleaner than running two daemons.

----------

## meyerm

Hello you two,

thank you very much for your suggestions.

Two daemons are a nice workaround, but as you said already, not that clean. I also already thought about that but didn't like it so much.

The Match keyword on the other hand is great! I tried what you proposed and it worked. Just a little annoyance: even though the man page says your CIDR notation is possible, I was only able to get it to work with 10.* instead of 10.0.0.0/24. Not so nice, but in this case ok, since I don't need to distinguish subnets.

Then I also had to disable PAM - otherwise it always accepted passwords. If you spontaneously know how to prevent PAM from doing that (don't forget, password authentication should be allowed from the DMZ but not from the internet), it would be great. If not, it's not so much of a problem. It works for now :)

So, thank you again!

----------

## timeBandit

I think you need to disable ChallengeResponseAuthentication as well as PasswordAuthentication, if you want to have PAM enabled but not let it prompt for passwords. Although I don't use Match keywords, I do have PAM enabled with public-key-only authentication--no password prompts ever, for any user--and I have that setting.

----------

## meyerm

Oh, indeed! ChallengeResponseAuthentication was the "problem". It is labeled with "Change to no to disable s/key passwords" so I thought it wouldn't influence the "normal" password authentication. But now I have a no-root/key-only authentication from the internet and a root/key/password login possibility from the DMZ. Exactly what I wanted. And that with PAM enabled.

Thank you very much to all three!

----------
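As a self-check for the Match logic worked out in this thread, here is an added Python emulation (not anyone's posted config or code, and not sshd itself) of how sshd resolves `Match Address` blocks: CIDR or wildcard entries like `10.*`, optional `!` negation, and the rule that the first matching block to set an option wins. The embedded config is constructed in the shape the thread ends with, including the `ChallengeResponseAuthentication` line that timeBandit pointed out; the function names and the 10.0.0.0/24 and 192.168.0.0/24 ranges are assumptions taken from f4u5t's example.

```python
import fnmatch
import ipaddress

# Constructed config (not a poster's file): internet gets key-only/no-root, the
# DMZ gets root and passwords, the LAN gets passwords but no root. With UsePAM
# yes, the ChallengeResponse line is what actually stops PAM password prompts.
SSHD_CONFIG = """UsePAM yes
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 10.0.0.0/24
  PermitRootLogin yes
  PasswordAuthentication yes
  ChallengeResponseAuthentication yes
Match Address 192.168.0.0/24
  PasswordAuthentication yes
"""

def address_matches(pattern_list, addr):
    """'Match Address' list: CIDR blocks or wildcards like 10.*, '!' negates."""
    ip, matched = ipaddress.ip_address(addr), False
    for entry in pattern_list.split(","):
        neg, pat = entry.startswith("!"), entry.lstrip("!")
        if "/" in pat:
            hit = ip in ipaddress.ip_network(pat, strict=False)
        else:
            hit = fnmatch.fnmatchcase(addr, pat)
        if hit and neg:
            return False  # a matching negated entry rejects outright
        matched = matched or hit
    return matched

def effective_options(config, addr):
    """Options sshd applies to a client from addr: globals first, then the first
    matching Match block to set an option wins (later blocks cannot override)."""
    opts, blocks, block = {}, [], None
    for line in filter(None, map(str.strip, config.splitlines())):
        key, _, value = line.partition(" ")
        if key == "Match":  # only 'Match Address <list>' is emulated here
            block = {}
            blocks.append((value.split()[1], block))
        elif not line.startswith("#"):
            (opts if block is None else block)[key] = value.strip().lower()
    seen = set()
    for arg, block in blocks:
        if address_matches(arg, addr):
            opts.update({k: v for k, v in block.items() if k not in seen})
            seen.update(block)
    return opts
```

On a real host the equivalent check is `sshd -T -C addr=10.0.0.5,user=root`, which prints the options sshd would actually apply for that connection.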

