Information Security Asked by Brill on January 14, 2021
I have a Linux server running SSHD and would like to know if it's possible to configure it such that from within the LAN you only need an RSA key to authenticate (on port X), but from outside the LAN the user would need to authenticate with both an RSA key and an OTP password generated by a PAM module (via port Y)?
I tried configuring /etc/ssh/sshd_config with the match condition:
match user XX
LocalPort 22
PasswordAuthentication no
RSAAuthentication yes
match user XX
LocalPort 12345
PasswordAuthentication yes
RSAAuthentication no
It gives me the error: bad parameter, implying that this command isn't supported, although the sshd_config manual says that it is.
In summary, my question is: Is it possible to have different authentication methods for the same user depending on which port they SSH into?
You could run two ssh daemons listening on separate ports by using two sshd_config files and the -f option of sshd. One configuration file would include the OTP/PAM module whilst the other would only allow key-based authentication.
Both would then authenticate the user against their own private key regardless.
One word of caution: you'll have to manually track updates of the SSH daemon, as it's likely that your system would only update one configuration file and not the other.
Correct answer by lorenzog on January 14, 2021
In fact the Match expression must be on the same line. So this should work as expected in /etc/ssh/sshd_config:
Match User XX LocalPort 22
PasswordAuthentication no
RSAAuthentication yes
Match User XX LocalPort 12345
PasswordAuthentication yes
RSAAuthentication no
Beware that a Match block ends with the end of the configuration file or another Match directive. Indentation is only there for prettiness. As a result, DO NOT add Match lines in the middle of an existing configuration file. Simply put your Match blocks at the end of the file.
Warning: OpenSSH is compiled with a hard-coded limit on listen ports, by default 8 (Debian, Ubuntu...), and the startup logic appears to open ports in reverse order compared to the configuration directives, with the consequence that it refuses to open the default SSH port 22 when you declare more ports than allowed... and, as you have already guessed, you just lose your SSH access to your system! If you need more than 8 SSH ports, I recommend keeping only 22 handled by the regular service/daemon, and setting up your additional SSH ports via xinetd.
Answered by Yves Martin on January 14, 2021
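Added example, not code from this thread: a small Python model of how sshd resolves a keyword for one connection under the Match rules described above (criteria on the Match line itself, a block ending at the next Match line or end of file, a matching block's value overriding the global one, first matching value winning). The keyword table, the sample configs and the error message text are constructed for the example; the two configs mirror the accepted answer's blocks and the question's broken layout.

```python
"""Resolve the effective sshd_config value of a keyword for one connection, modelling the
Match rules the answers describe: criteria on the Match line, block ends at next Match/EOF."""
import fnmatch

KNOWN = {"port", "passwordauthentication", "rsaauthentication", "usepam", "match"}  # small table

def criteria_match(criteria, user, lport):
    # Every User/LocalPort pair on the Match line must hold for the connection.
    for key, pattern in zip(criteria[::2], criteria[1::2]):
        key = key.lower()
        if key == "user" and not any(fnmatch.fnmatchcase(user, p) for p in pattern.split(",")):
            return False
        if key == "localport" and int(pattern) != lport:
            return False
        if key not in ("user", "localport"):
            raise ValueError(f"Match: unsupported criterion {key!r}")
    return True

def resolve(config, keyword, user, lport):
    """Effective value of `keyword` for `user` connecting to local port `lport`."""
    global_value = match_value = None
    in_match, active = False, True  # lines before the first Match always apply
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key.lower() not in KNOWN:
            raise ValueError(f"line {lineno}: bad configuration option {key!r}")
        if key.lower() == "match":
            in_match, active = True, criteria_match(args, user, lport)
        elif key.lower() == keyword.lower() and active:
            if in_match and match_value is None:
                match_value = " ".join(args)  # first matching block wins, overrides global
            elif not in_match and global_value is None:
                global_value = " ".join(args)  # first global value wins
    return match_value if match_value is not None else global_value

# Constructed sample: a global default first, the accepted answer's blocks at the end.
GOOD_CONFIG = """\
PasswordAuthentication no
Match User XX LocalPort 22
    PasswordAuthentication no
    RSAAuthentication yes
Match User XX LocalPort 12345
    PasswordAuthentication yes
    RSAAuthentication no
"""
# Constructed sample: the question's layout, with LocalPort on its own line.
BAD_CONFIG = "Match User XX\nLocalPort 22\nPasswordAuthentication no\n"
```

On a real host the daemon's own resolver can be queried the same way with `sshd -T -C user=XX,lport=12345`, which prints the effective configuration for that connection.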
Here's a link to a post for a similar situation: https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-wikid-with-putty-and-ssh-for-vnc. Two sshd setups, one forwarding to the other, one using keys, the other an OTP. Not quite what you want, but might help.
Answered by nowen on January 14, 2021