Only allow password authentication to SSH server from internal network

ssh security linux ssh-keys

Solution 1:

The Match directive in /etc/ssh/sshd_config allows you to selectively apply configuration directives. One of the available match criteria is the source address of the connection, and so this can be used to implement what you want. You can disable password authentication by default, and then enable it for connections from internal network IP ranges. (Note that you also want to disable ChallengeResponseAuthentication in order to prevent passwords being used.) This example allows password authentication from all RFC1918 private IP ranges. See the sshd_config manpage for more details.

PasswordAuthentication no
ChallengeResponseAuthentication no

Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
    PasswordAuthentication yes

Note that Match block should be added to the end of the file otherwise everything that follows it would be matched until the next Match block. The bad positioning of Match block may cause inability to connect.

Related

How far is "too far off" for ntpd? Can it get there by a sudden jump to heavy load? Can this be overridden?
Should I have to enable automatic update on Debian lenny stable?
What is the difference between Authoritative Nameserver and Recursive Resolver?
What are SMTP relays and smarthosts?
Run a bash script after EC2 instance boots
Force systemd timesyncd to sync time with NTP server immediately
Techniques to Monitor cron tasks?
Windows shares via command line with user/pass, without mapping the drive? [closed]
How to set ulimit value permanently?
Is there a way to make journalctl show logs from "the last time foo.service ran"?
CentOS 7 - end of life in 2024, then what
How precise is a cron daemon?