James G. Sack (jim) wrote:
> James G. Sack (jim) wrote:
>> Gus Wirth wrote:
>>> The documentation for ssh and sshd has me a bit confused about
>>> configuring options for multiple interfaces.
>>>
>>> I have a box with two interfaces:
>>> eth0 - outside, the Internet
>>> eth1 - inside, the office LAN, 192.168.1.*
>>>
>>> For the outside connection eth0 I only want to allow ssh logins using
>>> authorized keys and NOT passwords.
>>>
>>> For the inside connection I want to be able to use password logins as
>>> well as authorized keys.
>>>
>>> For my .ssh/config file I'm guessing I should have something like this:
>>> ------------
>>> Host 192.168.1.*
>>> PasswordAuthentication yes
>>>
>>> Host *
>>> PasswordAuthentication no
>>>
>>> --------------------
>>>
>>> Does this seem right? I don't want to accidentally lock myself out of
>>> the box before I do this :/
>> I'm not sure of the format, but a first thought is shouldn't this be a
>> server configuration setting, i.e., in file:
>> /etc/ssh/sshd_config
>
> Ah well, maybe not -- I guess I was thinking of the match
> conditional-block, but docs say that can only control a limited set of
> override parms.
>
> If you wanted it to be a server policy rather than a user policy, I
> suppose you could always run 2 servers (on different ports). Still, it
> seems that one _ought to be_ able to do what you ask within one server
> and one sshd_config.
>
The snail book (O'Reilly "SSH, The Secure Shell", Barrett & Silverman) explains that all matching sections apply (additively, I guess you would say), and for conflicting specs, the first match takes precedence in OpenSSH. (They point out that SSH2 has the opposite convention to OpenSSH in this precedence rule -- so beware!)

((( They also answer my earlier thought fairly explicitly by saying that the server config file tolerates what look like section labels, but ignores those that contain anything except '*:' -- and so recommend against use even of that line, which is the default, anyway! )))

Regards,
..jim

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
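As an added illustration of the precedence rule jim describes (not code from the thread or from OpenSSH itself), the following Python models how an OpenSSH client resolves a ~/.ssh/config like Gus's: every matching Host block contributes options, and for each keyword the first value obtained wins, so the more specific 192.168.1.* block has to come before Host *. The two config texts are constructed for the example; the matcher is a simplified model of OpenSSH's (only * and ? wildcards plus ! negation, case-insensitive), not its real parser. One caveat for anyone copying the question's approach: this file only controls which methods the client offers; whether password logins are accepted at all is decided by the server's sshd_config, which is the place to enforce the "keys only from outside" policy.

```python
import fnmatch

# Constructed sample: the client-side ~/.ssh/config proposed in the question
# (more specific Host block first, general default last).
SAMPLE_CONFIG = """
Host 192.168.1.*
    PasswordAuthentication yes

Host *
    PasswordAuthentication no
    PubkeyAuthentication yes
"""

# Constructed counter-example: the same blocks in the opposite order.
SWAPPED_CONFIG = """
Host *
    PasswordAuthentication no
    PubkeyAuthentication yes

Host 192.168.1.*
    PasswordAuthentication yes
"""


def parse_ssh_config(text):
    """Split an ssh_config-style text into (host_patterns, options) blocks in file order.

    Options that appear before the first 'Host' line are treated as a 'Host *' block.
    Keys are lower-cased because OpenSSH keywords are case-insensitive.
    """
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            if options:
                blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)      # first value within a block wins
    if options:
        blocks.append((patterns, options))
    return blocks


def host_matches(host, patterns):
    """Return True if host matches the pattern list of a Host line.

    Simplified model of OpenSSH matching: '*' and '?' wildcards, case-insensitive,
    and any matching '!pattern' vetoes the whole line regardless of other matches.
    """
    host = host.lower()
    matched = False
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def effective_options(text, host):
    """Compute the options ssh would use for host: every matching block
    contributes, and for each keyword the FIRST obtained value wins."""
    result = {}
    for patterns, options in parse_ssh_config(text):
        if host_matches(host, patterns):
            for key, value in options.items():
                result.setdefault(key, value)
    return result


def password_auth_for(text, host):
    """Convenience: the PasswordAuthentication value the client would use for host."""
    return effective_options(text, host).get("passwordauthentication")


if __name__ == "__main__":
    for cfg_name, cfg in (("ordered", SAMPLE_CONFIG), ("swapped", SWAPPED_CONFIG)):
        for host in ("192.168.1.20", "example.org"):
            print(cfg_name, host, effective_options(cfg, host))
```

Running it shows the additive behaviour (the LAN host still picks up PubkeyAuthentication from Host *) and the ordering trap: with the blocks swapped, Host * is matched first and the LAN host ends up with PasswordAuthentication no, which is exactly the kind of surprise that locks people out.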
