comp.security.ssh: SSH secure remote login and tunneling tools.

#1
Using OpenSSH, is it possible to disable password authentication
selectively? I would like to allow password authentication for
incoming SSH connections from within my LAN, but not for those
incoming from the external world.

#2
>>>>> "FWS" == Frank W Steiner <steinfw@hotmail.com> writes:

    FWS> Using OpenSSH, is it possible to disable
    FWS> password authentication selectively? I would like
    FWS> to allow password authentication for incoming SSH
    FWS> connections from within my LAN, but not for those
    FWS> incoming from the external world.

sshd sets the PAM rhost item to the remote hostname or address of a
client connection, so if you set sshd to validate passwords via PAM
(UsePAM=yes), in principle a PAM module should be able to do this. You
might be able to use a combination of standard modules for it, perhaps
pam_access configured with the desired address restrictions, required
before the password check in the sshd PAM config. This is just off the
top of my head though; I haven't tried this.

--
  Richard Silverman
  res@qoxp.net

#3
On Mon, 11 Sep 2006 21:08:21 GMT, Frank W. Steiner <steinfw@hotmail.com> wrote:
> Using OpenSSH, is it possible to disable password authentication
> selectively? I would like to allow password authentication for
> incoming SSH connections from within my LAN, but not for those incoming
> from the external world.

These instructions carry NO warranty. Any problems you create
are yours to keep.

The simplest way to do this is set up two ssh daemons, each with
its own policy. I've done this with RH9 and Centos4 systems. The
instructions below pertain to these systems; other distros may use
different files in different places. They assume that you already
have a working ssh listening on the LAN only. And, of course, you'll
have to dig through the files to make sure you've made all the
correct changes. It's especially important to make sure that
each daemon has its own copies of any support files like configs,
keys, startups, executables, and so on.

1. Make changed copies of the ssh config files
     cd /etc/ssh
     cp -p ssh_config extssh_config
       Make changes as necessary
     cp -p sshd_config extsshd_config
       Consider changes to: Port, ListenAddress, HostKey,
       PermitRootLogin, PasswordAuthentication, and others
       HostKey must point to new files, something like
       /etc/ssh/extssh_host_...

2. Create a matching sshd executable
     cd /usr/sbin
     ln -s sshd extsshd
       No changes here

3. Create a matching PAM module
     cd /etc/pam.d
     ln -s ssh extsshd
       No changes here

4. Make changed copy of the ssh startup file
     cd /etc/rc.d/init.d/
     cp -p sshd extsshd
       Many changes to "extssh" files instead of "ssh" files:
       configs, executables, keys and so on.
     cd

5. Add the new extsshd to the list of configured services
   (RH9 and Centos4 style):
     chkconfig --add extsshd
     chkconfig --list | grep extsshd
       It should be on in levels 2345
     service extsshd start
       This should create the necessary keys

If some update procedure updates the sshd startup file, you'll
have to change the extsshd startup file again.

Good luck.

--
Dale Dellutri <ddelQQQlutr@panQQQix.com> (lose the Q's)
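
The two-daemon setup in post #3 depends on the external daemon refusing passwords and sharing no keys or listening socket with the internal one. The script below is an added example, not part of the original posts, that checks a pair of config files for those conditions. The function names, the extra PidFile check, and the sample addresses and paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumes plain "Keyword value" lines in the global section
# (no Match blocks, no "Keyword=value" form). PidFile is checked in addition
# to the settings the post lists.

# cfg_values FILE KEYWORD: print each value set for KEYWORD (keywords are case-insensitive).
cfg_values() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# check_split_sshd INTERNAL_CFG EXTERNAL_CFG: returns 0 only if no problem is found.
check_split_sshd() {
    int=$1; ext=$2; rc=0
    # sshd uses the first PasswordAuthentication line and defaults to "yes" without one.
    pw=$(cfg_values "$ext" PasswordAuthentication | head -n 1)
    if [ "${pw:-yes}" != "no" ]; then
        echo "FAIL: $ext still permits password authentication"; rc=1
    fi
    # Host keys and the PID file must not be shared between the daemons.
    for kw in HostKey PidFile; do
        iv=$(cfg_values "$int" "$kw" | sort -u)
        ev=$(cfg_values "$ext" "$kw" | sort -u)
        if [ -z "$ev" ]; then
            echo "FAIL: $ext sets no $kw and would use the default path"; rc=1
        elif [ -n "$(printf '%s\n' "$iv" "$ev" | sort | uniq -d)" ]; then
            echo "FAIL: both configs name the same $kw"; rc=1
        fi
    done
    # Identical Port/ListenAddress settings mean both daemons want the same socket.
    il=$( { cfg_values "$int" Port; cfg_values "$int" ListenAddress; } | sort)
    el=$( { cfg_values "$ext" Port; cfg_values "$ext" ListenAddress; } | sort)
    if [ "$il" = "$el" ]; then
        echo "FAIL: Port/ListenAddress are the same in both configs"; rc=1
    fi
    return $rc
}

# Constructed sample pair; addresses and paths are placeholders, not taken from the post.
demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' 'ListenAddress 192.168.1.10' 'PasswordAuthentication yes' > "$tmp/sshd_config"
    printf '%s\n' 'Port 2222' 'ListenAddress 203.0.113.5' 'HostKey /etc/ssh/EXT_KEY_PLACEHOLDER' \
        'PidFile /var/run/EXT_PID_PLACEHOLDER' 'PasswordAuthentication no' > "$tmp/extsshd_config"
    check_split_sshd "$tmp/sshd_config" "$tmp/extsshd_config"; st=$?
    rm -rf "$tmp"; return $st
}
demo && echo "constructed pair passes"
```

An unmodified copy of sshd_config used as the external config fails every check, which is the state right after the `cp -p` in step 1.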