Selective password authentication - SSH


Thread: Selective password authentication

  1. Selective password authentication

    Using OpenSSH, is it possible to disable password authentication
    selectively? I would like to allow password authentication for
    incoming SSH connections from within my LAN, but not for those incoming
    from the external world.



  2. Re: Selective password authentication

    >>>>> "FWS" == Frank W Steiner writes:


    FWS> Using OpenSSH, is it possible to disable
    FWS> password authentication selectively? I would like
    FWS> to allow password authentication for incoming SSH
    FWS> connections from within my LAN, but not for those
    FWS> incoming from the external world.


    sshd sets the PAM rhost item to the remote hostname or
    address of a client connection, so if you set sshd to
    validate passwords via PAM (UsePAM=yes), in principle a PAM
    module should be able to do this. You might be able to use
    a combination of standard modules for it, perhaps pam_access
    configured with the desired address restrictions, required
    before the password check in the sshd PAM config. This is
    just off the top of my head though; I haven't tried this.


    --

    Richard Silverman

    res@qoxp.net


  3. Re: Selective password authentication

    On Mon, 11 Sep 2006 21:08:21 GMT, Frank W. Steiner wrote:
    > Using OpenSSH, is it possible to disable password authentication
    > selectively? I would like to allow password authentication for
    > incoming SSH connections from within my LAN, but not for those incoming
    > from the external world.


    These instructions carry NO warranty. Any problems you create are
    yours to keep.

    The simplest way to do this is to set up two ssh daemons, each with its
    own policy. I've done this with RH9 and Centos4 systems. The
    instructions below pertain to these systems; other distros may
    use different files in different places. They assume that you
    already have a working ssh listening on the LAN only.

    And, of course, you'll have to dig through the files to make sure
    you've made all the correct changes. It's especially important to
    make sure that each daemon has its own copies of any support files
    like configs, keys, startups, executables, and so on.

    1. Make changed copies of the ssh config files
    cd /etc/ssh
    cp -p ssh_config extssh_config
    Make changes as necessary
    cp -p sshd_config extsshd_config
    Consider changes to: Port, ListenAddress, HostKey,
    PermitRootLogin, PasswordAuthentication, and others
    HostKey must point to new files, something like
    /etc/ssh/extssh_host_...

    2. Create a matching sshd executable
    cd /usr/sbin
    ln -s sshd extsshd
    No changes here

    3. Create a matching PAM module
    cd /etc/pam.d
    ln -s ssh extsshd
    No changes here

    4. Make changed copy of the ssh startup file
    cd /etc/rc.d/init.d/
    cp -p sshd extsshd
    Many changes to "extssh" files instead of "ssh" files:
    configs, executables, keys and so on.
    cd

    5. Add the new extsshd to the list of configured services
    (RH9 and Centos4 style):
    chkconfig --add extsshd
    chkconfig --list | grep extsshd
    It should be on in levels 2345
    service extsshd start
    This should create the necessary keys

    If some update procedure updates the sshd startup file,
    you'll have to change the extsshd startup file again.

    Good luck.

    --
    Dale Dellutri (lose the Q's)
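    For reference, the policy both replies describe (passwords only from the LAN, keys from everywhere) can also be expressed in a single sshd_config with a Match block. This is an added example, not from either reply; it needs OpenSSH 4.4 or later, which introduced Match shortly after this thread, and the 192.168.1.0/24 LAN range is an assumption to replace with your own.

    ```text
    # /etc/ssh/sshd_config (constructed example; the LAN range is an assumption)

    # Global section: the policy every connection gets unless a Match block
    # below overrides it. Deny password-style logins from everywhere.
    PasswordAuthentication no
    # Keyboard-interactive auth also ends in a PAM password prompt, so it
    # has to be switched off alongside PasswordAuthentication.
    ChallengeResponseAuthentication no
    PubkeyAuthentication yes
    PermitRootLogin no
    UsePAM yes

    # Match blocks apply to connections whose source address is in the list;
    # keywords set here override the global section for those clients only.
    # If several Match blocks match, the first one that sets a keyword wins.
    Match Address 192.168.1.0/24,127.0.0.1
        PasswordAuthentication yes
        ChallengeResponseAuthentication yes
    ```

    Before reloading, check the effective settings for a sample external and a sample LAN client with `sshd -T -C addr=203.0.113.5,user=alice,host=example` (and again with a LAN address); PasswordAuthentication should read no for the former and yes for the latter.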
