OpenSSH: requiring keys, but allow passwords from some locations

Most of my OpenSSH servers now require public key authentication for users. On a few systems, however, I must allow remote access with password auth. I need SSH to allow password auth from those IP addresses and only those addresses, but still require public keys from other locations.

Do this with OpenSSH’s match keyword.

Start by configuring sshd for the most common case — in this case, requiring public key authentication. This requires only two changes to the default configuration:

ChallengeResponseAuthentication no
PasswordAuthentication no

sshd will now only allow authentication with public keys.

Now use the match keyword to set a different configuration for certain circumstances. Match will let you compare based on user, group, host (as in DNS hostname), or address. I don’t trust DNS for security, so I chose to match a configuration based on IP addresses. Here, I specifically enable password authentication for connections from selected IP addresses.

Match Address 192.0.2.128/25,10.10.10.32/27
PasswordAuthentication yes

If the connection comes from either of the specified address ranges, the user can try to authenticate with a password. Otherwise, the user must use a public key.

I could have chosen to allow password authentication based on the incoming user, but that wouldn’t block the ongoing “Hail Mary” SSH-guessing attacks. Matching based on user or group would be useful for, say, allowing X11 forwarding. I can’t imagine why I would ever use a Match based on a hostname in DNS, but I concede it might be sensible in some very special circumstance.

One thing to note is that not all sshd_config options work in a Match block. ChallengeResponseAuthentication, for example, can only be set at the global level, so I didn’t activate it in this example. See the sshd_config man page for the list of usable configuration options.

13 comments to OpenSSH: requiring keys, but allow passwords from some locations

  • Amanda

    I suddenly think that I inspired this post.

    Also, right after the “PasswordAuthentication no” line, you say that sshd will now allow authentication with passwords. I suspect that you mean with keys.

    My proof-reading fee is one lunch.

  • You’re not the inspiration, but you know the inspiration quite well.

    Fixed, thanks.

  • Humpfh.

    And here I am running a second instance of sshd on a different port to achieve basically the same thing. I think I will abandon that soon. Perhaps after http://www.bsdcan.org/ (blatant spamming that I am sure Mr Lucas will allow).

  • Oh, that second instance is wide open on a higher port, but requires keys. Port 22 is highly restricted to a few IP addresses. The above solution contains everything to port 22. Which I tightly filter to stop the annoying log messages.

    I can still change my setup, and achieve precisely the same thing by redirecting the incoming port to port 22 and still tightly filter port 22.

  • You’ll be at BSDCan, Dan? Huh. I had no idea you’d be at BSDCan. BSDCan is awesome. Everyone should go to BSDCan. Even if BSDCan is further away from the gelato shop than NYCBSDCon.

  • […] Lucas describes an extra layer of protection for when you can’t force public key usage on every SSH […]

  • Gleb Kurtsou

    Using higher port number wasn’t helpful against brute force attacks for me. I have local patch to require authentication by both public key and password (multi-factor authentication). Ssh access is enabled only for several users and config contains the following:

    ChallengeResponseAuthentication force
    PubkeyAuthentication force

    Patch is not complete and requires privilege separation to be disabled for now, but I’d be happy to share it.

  • Thanks! Just what I was looking for, wanting to use passwords from the local network and keys for external hosts!

  • […] erlauben (eine sehr gute Anleitung um den SSH Zugang sicher zu konfigurieren gibt es hier oder hier). Ă„ndern der config-Datei /etc/ssh/sshd_config: Umstellen von yes auf […]

  • Hello! My spouse and I often write guest articles or blog posts for other blog owners to help increase
    publicity to our work, as well as provide fantastic articles to blog
    owners. It truly is a win win situation!
    If you are interested feel free to e-mail me at: jeremy.

    parra@gawab.com so we can communicate further. Many thanks!

  • Hey! This is the third time visiting now and I just
    wanted to say I truley enjoy looking through your blog. I decided
    to bookmark it at delicious.com with the title: OpenSSH:
    requiring keys, but allow passwords from some locations

  • Erik

    I think I love you!!!
    I’ve been having problems for days now with one computer couldn’t use ssh keys and I didn’t want to use only passwords.
    This fixed all my problems instantly an without any loss of security.

    Thank you very much!

  • […] password authentication on our local network but required passphrases for external connections. OpenSSH: requiring keys, but allow passwords from some locations (Michael W. Lucas) was really helpful. I edited /etc/ssh/sshd_config, set PasswordAuthentication […]