仅对远程用户禁用密码验证

仅对远程用户禁用密码验证

我读过如何禁用密码验证在 Ubuntu 服务器上。但是,是否可以仅为远程用户禁用此功能?

我担心,如果我在本地和远程都启用此功能(按照设计),我最终会丢失密钥并将自己锁定(随着时间的推移)。如果我能够仅对远程用户禁用密码验证,那么丢失密钥就不会那么悲惨了;我只需进入 LAN 并使用密码登录并创建新密钥即可。

答案1

来自sshd_config(5)手册页:

 Match   Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another
         Match line or the end of the file.

         The arguments to Match are one or more criteria-pattern pairs.  The available criteria are User, Group, Host, LocalAddress, LocalPort, and Address.  The match patterns may consist of single entries or comma-
         separated lists and may use the wildcard and negation operators described in the PATTERNS section of ssh_config(5).

         The patterns in an Address criteria may additionally contain addresses to match in CIDR address/masklen format, e.g. “192.0.2.0/24” or “3ffe:ffff::/32”.  Note that the mask length provided must be consistent
         with the address - it is an error to specify a mask length that is too long for the address or one with bits set in this host portion of the address.  For example, “192.0.2.0/33” and “192.0.2.0/8” respectively.

这意味着,假设 10.0.0.0/24 是您的 LAN,您可以PasswordAuthentication在主配置中禁用它并Match进行如下阻止:

    ....
    PasswordAuthentication No
    ....
Match Address 10.0.0.0/24
    PasswordAuthentication Yes

答案2

您可以将所有远程用户放入本地(附加)组(例如“remoteusr”),并在“sshd_config”中禁止使用密码登录

Match Group remoteusr
      PasswordAuthentication no

答案3

我以前见过的一个选项是运行两个 sshd 实例,从不同的配置文件读取数据。您的默认实例会监听正常的 SSH 流量,并按您的需要进行安全配置。

第二个实例是您的“后门”,它只监听单独的端口或单独的 IP,可能使用适当的防火墙规则来阻止来自网络外部的访问。它的配置不同;可能允许密码验证,可能允许访问主服务器中不允许的帐户,等等。

相关内容