SSH force public key only for internet connections
Hi Everyone
I am wondering if it is possible to force internet/external SSH connections to authenticate with a public key and allow local connections to connect via user and password?
As ssh has no notion of different interfaces (and if you had
external connections forwarded via NAT it would be pretty much
impossible altogether) the answer is no; you could compile
a separate sshd w/ a directory structure of its own, a port
to itself, and only permit one form of authentication on that.
Actually, looking at the home pages for sshd_config http://www.openbsd.org/cgi-bin/man.c...nfig&sektion=5 it seems to me that you should be able to use the 'Match' keyword, as Authentication types are allowed to be specified inside a Match block.
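An sshd_config fragment illustrating the Match approach and the NAT concern raised above, added here as an example and not posted by any participant in the thread. The 192.168.1.0/24 LAN range, port 2222 and the user name in the check commands are constructed assumptions.

```conf
# Constructed example; the LAN range and port 2222 are assumptions.

# Option B only: listen on two ports. Port is a global keyword and must
# appear before the first Match block.
#Port 22
#Port 2222

# Default for every connection: public key only.
PubkeyAuthentication yes
PasswordAuthentication no
# Keyboard-interactive can still prompt for a password through PAM,
# so switch it off as well.
KbdInteractiveAuthentication no

# Option A: relax by client source address. This only separates LAN from
# internet clients if the router's port forward preserves the client's
# source IP (no masquerading on the forwarded traffic).
Match Address 192.168.1.0/24
    PasswordAuthentication yes

# Option B: if forwarded connections reach sshd with a LAN source address,
# tell them apart by listening port instead. Forward the router's external
# port to 2222, keep 22 for LAN clients, uncomment the Port lines above,
# and replace the Match Address block with:
#Match LocalPort 22
#    PasswordAuthentication yes

# Check the result before restarting sshd:
#   sshd -t
#   sshd -T -C user=alice,host=client,addr=192.168.1.10 | grep -i passwordauth
#   sshd -T -C user=alice,host=client,addr=203.0.113.5  | grep -i passwordauth
```

With Option A the first `sshd -T` query should report `passwordauthentication yes` and the second `passwordauthentication no`. If the second also reports yes, or real internet logins show a LAN source address in the sshd log, Option A is not separating the two populations.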
It's good to see you're still helping people after so many years on this forum! The internet connections will be forwarded via NAT so I understand what you're saying, all connections are really coming from the LAN as far as the SSH server is concerned.
Thanks for your input too chrism01, that's an interesting option that I didn't know existed. I will keep that in mind in case it's useful in the future.
you could compile a separate sshd w/ a directory structure of its own, a port to itself, and only permit one form of authentication on that.
If you want to run a separate sshd you just need to supply a different config file, right? I mean that's what I do for running a backup sshd out of Xinetd...
If you want to run a separate sshd you just need to supply a different config file, right? I mean that's what I do for running a backup sshd out of Xinetd...
You could, but wouldn't they use the same lock file? I thought that's compiled in.