Only allow password authentication to SSH server from internal network
Solution 1:
The Match directive in /etc/ssh/sshd_config allows you to selectively apply configuration directives. One of the available match criteria is the source address of the connection, and so this can be used to implement what you want. You can disable password authentication by default, and then enable it for connections from internal network IP ranges. (Note that you also want to disable ChallengeResponseAuthentication in order to prevent passwords being used.) This example allows password authentication from all RFC1918 private IP ranges. See the sshd_config manpage for more details.

    PasswordAuthentication no
    ChallengeResponseAuthentication no
    Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
        PasswordAuthentication yes

Note that the Match block should be added to the end of the file; otherwise everything that follows it would be matched until the next Match block. Bad positioning of the Match block may cause inability to connect.
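
The following is an added example, not part of the original answer: a simplified Python model of how sshd resolves one keyword for a given source address, run over the configuration above and over a constructed variant with the Match block at the top of the file. The function name `effective` and both sample configs are assumptions; only `Match Address` with a comma-separated CIDR list is modelled.

```python
import ipaddress

def effective(config_text, keyword, source_ip):
    """Value of `keyword` for a connection from `source_ip`.
    Returns None when nothing sets it (sshd's built-in default then applies)."""
    addr = ipaddress.ip_address(source_ip)
    keyword = keyword.lower()
    global_val = match_val = None
    in_match = active = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            # A Match line opens a block that runs to the next Match or EOF.
            crit = arg.split()
            if len(crit) != 2 or crit[0].lower() != "address":
                raise ValueError("only 'Match Address <cidr,...>' is modelled")
            in_match = True
            active = any(addr in ipaddress.ip_network(n)
                         for n in crit[1].split(","))
            continue
        if key != keyword:
            continue
        if not in_match:
            if global_val is None:          # first global value wins
                global_val = arg
        elif active and match_val is None:  # first matching block wins
            match_val = arg
    # A value from a matching block overrides the global section.
    return match_val if match_val is not None else global_val

# The configuration from the answer above.
GOOD = """
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
    PasswordAuthentication yes
"""

# Constructed variant: same lines, Match block first. The two "no" lines
# are now inside the block, so the global section sets nothing.
MISPLACED = """
Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
    PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""
```

In the misplaced variant an external address gets `None`, meaning the OpenSSH default (`PasswordAuthentication yes`) applies and passwords are accepted from anywhere. On a real host, `sshd -T -C addr=<ip>` prints the effective settings for a given source address.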