Old 09-15-2010, 12:02 PM   #1
Different authentication policies for local and remote authentication


I would like to have the password-based authentication allowed only if I log in from one of our local machines (or directly from the terminal window/console straight on the machine), and the key (RSA/DSA)-based authentication from any other external box.

I am not happy about the solution I figured out (I am still not sure if this actually works, since I did not get a chance to log into the box from any remote/external point).

Allow both options in /etc/ssh/sshd_config:

PasswordAuthentication yes
PubkeyAuthentication yes

And on top of that, I edited the /etc/security/access.conf to contain something like:

-:ALL EXCEPT LOCAL .our.local.address

which "should" be allowing only the local access to the machine (does it also block the external access when using keys? not sure).

Could anyone please suggest another, more "elegant" way to solve this problem?

I was reading some things about PAM, but could not find a definite answer to the problem.

We are running Debian Lenny on the machine that we would like to access.
Old 09-15-2010, 04:43 PM   #2
Original Poster
I just tried to access the machine from a remote location by using a password authentication and it worked as well.

I am a bit puzzled, since I expected that there would be no authentication allowed from a remote location at all, due to the rule in /etc/security/access.conf...

Now, back to the goal: I would like to have password-based ssh (or just directly from console) access to a box from a machine located on the same network, and key-based access to the same machine from a non-local network.

Old 09-16-2010, 04:23 PM   #3
Senior Member
What version of OpenSSH? If you have a new enough version to support the Match directive, you're in business.

pam_access(8) solves certain problems very well, but it's probably not what you want in this case.
1 members found this post helpful.
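Added example, not from the thread or from OpenSSH itself: a small Python model of how sshd resolves options through "Match Address" blocks, with a constructed sshd_config that allows passwords only from a LAN range and loopback while keys work from anywhere. On the real box the authoritative check is "sshd -T -C addr=<client-ip>", which prints the effective configuration sshd would apply to a connection from that address.

```python
import ipaddress
import shlex

# Constructed sshd_config for this example (not the thread's file): password
# logins only from the LAN and loopback, public keys accepted from anywhere.
SAMPLE_SSHD_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication no
Match Address 192.168.1.0/24,127.0.0.0/8
    PasswordAuthentication yes
"""

def address_matches(client_addr, patterns):
    """Match Address semantics: comma-separated IPs/CIDRs, '!' negates a pattern,
    and a matching negated pattern rejects the whole list immediately."""
    ip = ipaddress.ip_address(client_addr)
    result = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        if ip in ipaddress.ip_network(pat.lstrip("!"), strict=False):
            if negate:
                return False
            result = True
    return result

def effective_options(config_text, client_addr):
    """Resolve the options sshd would apply to a connection from client_addr.
    Lines before the first Match are global defaults; in matching blocks the
    first value seen for a keyword wins, so a later block cannot undo it."""
    defaults, matched = {}, {}
    in_match, active = False, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = shlex.split(line)
        key = key.lower()
        if key == "match":
            in_match = True
            criteria = {k.lower(): v for k, v in zip(args[0::2], args[1::2])}
            if set(criteria) != {"address"}:
                raise ValueError("only 'Match Address' is modelled here")
            active = address_matches(client_addr, criteria["address"])
            continue
        if not in_match:
            defaults.setdefault(key, " ".join(args))
        elif active:
            matched.setdefault(key, " ".join(args))
    return {**defaults, **matched}
```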
Old 09-16-2010, 05:11 PM   #4
Original Poster
Oh, this is awesome! We have OpenSSH_5.1p1 and the match directive perfectly fits the need. Thank you very much! I finally feel relieved after days of searching and reading!