Hi,
I have a FreeBSD box that sits on a trusted network behind a router/NAT to the Internet. The router/NAT device has port forwarding set up to allow SSH access from outside. If I understand correctly, use of keys is preferable to passwords from a security standpoint. I do understand that passwordless login can be enforced by setting sshd_config(5). What I would like to do though is permit password login from within the trusted subnet, but require a key when coming in from the outside. I tried this a while ago and ran into some issues; I think I am getting confused with all the SSHv1 vs SSHv2 options, PAM, challenge/resp vs password, etc., etc. I guess I am thinking something like this:
Code:
Protocol 2
UsePAM yes
ChallengeResponseAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 192.168.2.0/24
    ChallengeResponseAuthentication yes

Would this work? Is it secure? Does it make sense?
Thanks!
Chris
PS: I am on 9.1-RELEASE-p5, OpenSSH_5.8p2_hpn13v11
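A way to check what a Match Address block actually does for a given client address, added here as an example and not part of the original post: the script below models the sshd_config(5) rule that the first value obtained for a keyword wins within a section, and that keywords inside a matching Match block override the global section. The config text is a constructed copy of the one in the question, and the client addresses (192.168.2.10 and 203.0.113.7) are made-up test inputs; only the Address criterion is modelled.

```python
"""Resolve the effective sshd authentication settings for a client address
by applying sshd_config(5) Match Address semantics to a config text.
Added example for the forum question above; this is a model of how sshd
picks values, not sshd's own code."""
import ipaddress

# OpenSSH defaults for the keywords this model cares about (UsePAM is "no"
# in stock OpenSSH; FreeBSD's shipped sshd_config sets it to "yes").
DEFAULTS = {
    'pubkeyauthentication': 'yes',
    'passwordauthentication': 'yes',
    'challengeresponseauthentication': 'yes',
    'usepam': 'no',
}

# Constructed copy of the config proposed in the question.
SAMPLE_CONFIG = """
Protocol 2
UsePAM yes
ChallengeResponseAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 192.168.2.0/24
    ChallengeResponseAuthentication yes
"""


def parse_sshd_config(text):
    """Return (global_opts, blocks); blocks is a list of (criteria, settings).

    Keywords are case-insensitive. Within one section sshd keeps the first
    value it sees for a keyword, which setdefault() reproduces.
    """
    global_opts = {}
    blocks = []
    current = None  # None in the global section, else (criteria, settings)
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ''
        if key == 'match':
            toks = value.split()
            # Criteria come in pairs, e.g. "Address 192.168.2.0/24 User alice";
            # each argument may be a comma-separated list.
            crit = {name.lower(): arg.split(',')
                    for name, arg in zip(toks[0::2], toks[1::2])}
            current = (crit, {})
            blocks.append(current)
            continue
        target = global_opts if current is None else current[1]
        target.setdefault(key, value)
    return global_opts, blocks


def address_matches(patterns, client_addr):
    """True if client_addr falls inside any of the CIDR/host patterns.
    Negated ("!") patterns are not modelled here."""
    ip = ipaddress.ip_address(client_addr)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in patterns)


def effective_config(text, client_addr):
    """Global section, overridden by the first matching Match block per keyword."""
    global_opts, blocks = parse_sshd_config(text)
    matched = {}
    for crit, settings in blocks:
        addrs = crit.get('address')
        if addrs is None or not address_matches(addrs, client_addr):
            continue
        for key, value in settings.items():
            matched.setdefault(key, value)
    result = dict(global_opts)
    result.update(matched)
    return result


def allowed_auth_methods(text, client_addr):
    """Set of SSH userauth methods sshd would offer to this client address.
    With UsePAM yes, keyboard-interactive is answered by PAM, which in the
    usual setup prompts for the account password."""
    cfg = {**DEFAULTS, **effective_config(text, client_addr)}
    methods = set()
    if cfg['pubkeyauthentication'] == 'yes':
        methods.add('publickey')
    if cfg['passwordauthentication'] == 'yes':
        methods.add('password')
    if cfg['challengeresponseauthentication'] == 'yes':
        methods.add('keyboard-interactive')
    return methods


if __name__ == '__main__':
    for addr in ('192.168.2.10', '203.0.113.7'):
        print(addr, sorted(allowed_auth_methods(SAMPLE_CONFIG, addr)))
```

Against the real daemon the equivalent check is `sshd -T -C user=chris,host=<client-hostname>,addr=192.168.2.10` (all three keywords are required by `-C`), which prints the settings sshd would apply to that connection. It is also worth confirming which source address the port-forwarded connections arrive with: if the router rewrites the source of forwarded traffic to its own LAN address, every outside connection lands inside 192.168.2.0/24 and the Match block would grant it the relaxed settings.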