2

I'm trying to only allow external SSH connections with an ssh key, but allow internal ssh logins with a password. It seems like this is possible but I can't seem to make it work with the options that I am trying.

I thought the following entries in sshd_config would only permit root logins from the listed subnets -- is that wrong? It doesn't seem to work properly.

AllowUsers [email protected].*
AllowUsers [email protected].* 

I'm unable to block the SSH ports on the network firewall since it will block the vendors from logging in with their SSH keys. Too late for me to change the ports to something higher. I basically just want to allow root to log in from local IPs and remove the possibility of people attempting to try to ssh to root all day long. IPS rules are helping with that but I'd like to have the peace of mind that external login without a key is never going to work.

1
  • What specifically isn't working properly? Have you tried using match blocks? What does the rest of your sshd_config look like? Commented Jun 13, 2017 at 4:26

1 Answer

6

Something like:

AuthenticationMethods publickey
Match Address 192.168.0.0/16
    AuthenticationMethods publickey password

Adapting the IP block to what you need.
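
An added example, not part of the original answer: a small Python model of how the directives above resolve per client address. `AuthenticationMethods` lists separated by spaces are alternatives, while methods joined by commas must all succeed. The function names, the sample addresses and the simplified Match handling (only `Match Address` with CIDR blocks) are assumptions of this sketch.

```python
import ipaddress

# Constructed sample: the answer's directives in an otherwise minimal sshd_config.
SAMPLE_CONFIG = """\
PasswordAuthentication yes
AuthenticationMethods publickey
Match Address 192.168.0.0/16
    AuthenticationMethods publickey password
"""

def effective_auth_methods(config_text, client_ip):
    """Return the AuthenticationMethods alternatives that apply to client_ip.

    Simplified model (assumption): only 'Match Address' with comma-separated
    CIDR blocks is understood. A matching Match block overrides the global
    section, and the first value found in each scope is the one kept.
    """
    ip = ipaddress.ip_address(client_ip)
    global_value = match_value = None
    in_match = block_applies = False
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            in_match = True
            block_applies = (
                len(args) == 2 and args[0].lower() == "address"
                and any(ip in ipaddress.ip_network(cidr)
                        for cidr in args[1].split(",")))
        elif keyword == "authenticationmethods":
            if not in_match and global_value is None:
                global_value = args
            elif in_match and block_applies and match_value is None:
                match_value = args
    return match_value or global_value or ["any"]  # sshd's default is "any"

def password_alone_suffices(config_text, client_ip):
    """True if one alternative can be completed with a password and no key."""
    methods = effective_auth_methods(config_text, client_ip)
    return any(alt in ("password", "any") for alt in methods)

if __name__ == "__main__":
    for addr in ("192.168.1.20", "10.0.0.5", "203.0.113.10"):
        print(addr, effective_auth_methods(SAMPLE_CONFIG, addr),
              password_alone_suffices(SAMPLE_CONFIG, addr))
```

On a live host, `sshd -T -C user=root,host=client.example,addr=203.0.113.10` (constructed values) prints the effective settings sshd itself would apply to that connection.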
