Results 1 to 8 of 8

Thread: SSH Authentication: Allow Password for LAN

  1. #1
    Join Date
    Aug 2006
    Beans
    241
    Distro
    Kubuntu 9.10 Karmic Koala

    SSH Authentication: Allow Password for LAN

    Is it possible to allow SSH authentication by password only when on the local network, but require a key when connecting from a remote network (internet)?

    (OpenSSH)

  2. #2
    Join Date
    Aug 2006
    Beans
    241
    Distro
    Kubuntu 9.10 Karmic Koala

    Re: SSH Authentication: Allow Password for LAN

    Any suggestions?

  3. #3
    Join Date
    Apr 2007
    Location
    Souf Cackalacky
    Beans
    603
    Distro
    Ubuntu Development Release

    Re: SSH Authentication: Allow Password for LAN

    If your computer is connected to the outside world at all, and you require a key there, why not just add your private key to the machines on your own lan?

  4. #4
    Join Date
    Aug 2006
    Beans
    241
    Distro
    Kubuntu 9.10 Karmic Koala

    Re: SSH Authentication: Allow Password for LAN

    I could do that, but would rather find a way to use password authentication.

  5. #5
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Match xx.yy.zz.0/m

    Quote Originally Posted by zzzBrett View Post
    Is it possible to allow SSH authentication by password only when on the local network, but require a key when connecting from a remote network (internet)?

    (OpenSSH)
    Look at Match in sshd_config. It allows you to change the value of PasswordAuthentication based on group or network. Substitute your subnet for the one below.


    Code:
    # require a key for everybody
    PasswordAuthentication no
    
    # any member of the group 'downstairs' can log in without a key
    # while connecting from the subnet 
    Match Address 192.168.0.0/16 Group downstairs
        PasswordAuthentication yes
    Match also allows the following to be changed: AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand, GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, KbdInteractiveAuthentication, KerberosAuthentication, MaxAuthTries, MaxSessions, PermitOpen, PermitRootLogin, RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, X11Forwarding, and X11UseLocalHost.

  6. #6
    Join Date
    Aug 2006
    Beans
    241
    Distro
    Kubuntu 9.10 Karmic Koala

    Re: Match xx.yy.zz.0/m

    Exactly what I was looking for. Thanks.

  7. #7
    Join Date
    Nov 2006
    Beans
    21

    Re: Match xx.yy.zz.0/m

    Quote Originally Posted by Lars Noodén View Post
    Code:
    # require a key for everybody
    PasswordAuthentication no
    
    # any member of the group 'downstairs' can log in without a key
    # while connecting from the subnet 
    Match Address 192.168.0.0/16 Group downstairs
        PasswordAuthentication yes
    Just to clarify this example requires them to be on the subnet AND in the group. If you just want to require them to be on the subnet then leave out the Group clause.

  8. #8
    Join Date
    Feb 2008
    Location
    Texas
    Beans
    21,542
    Distro
    Ubuntu Gnome Development Release

    Re: SSH Authentication: Allow Password for LAN

    Thanks for sharing and please do not post in threads that have not had activity for a year or longer, since this is an old thread it has been closed.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •