Most of my OpenSSH servers now require public key authentication for users. On a few systems, however, I must allow remote access with password auth. I need SSH to allow password auth from those IP addresses and only those addresses, but still require public keys from other locations.
Do this with OpenSSH’s match keyword.
Start by configuring sshd for the most common case — in this case, requiring public key authentication. This requires only two changes to the default configuration:
sshd will now only allow authentication with public keys.
Now use the match keyword to set a different configuration for certain circumstances. Match will let you compare based on user, group, host (as in DNS hostname), or address. I don’t trust DNS for security, so I chose to match a configuration based on IP addresses. Here, I specifically enable password authentication for connections from selected IP addresses.
Match Address 192.0.2.128/25,10.10.10.32/27
If the connection comes from either of the specified address ranges, the user can try to authenticate with a password. Otherwise, the user must use a public key.
I could have chosen to allow password authentication based on the incoming user, but that wouldn’t block the ongoing “Hail Mary” SSH-guessing attacks. Matching based on user or group would be useful for, say, allowing X11 forwarding. I can’t imagine why I would ever use a Match based on a hostname in DNS, but I concede it might be sensible in some very special circumstance.
One thing to note is that not all sshd_config options work in a Match block. ChallengeResponseAuthentication, for example, can only be set at the global level, so I didn’t activate it in this example. See the sshd_config man page for the list of usable configuration options.