Different authentication for different locations
From: Vincent Starre (thebitman_at_comcast.net)
Date: Sat, 18 Jun 2005 23:02:55 -0400
To: email@example.com
I've recently wanted to have more-secure authentication requirements for
external connections than those originating from the local network. (i.e.:
from 192.168.1.102, you can log in using just a password, but from
126.96.36.199 (that's random numbers, don't bother), you can only get in
using keys-based authentication.) Didn't see anything similar when I was
searching online for a way to do this, so I figured I'd share in case anyone
else wanted to do the same thing. (or wants to say "Don't do that! It
will cause horrors from beyond time!" or wants to say "wtf? Just add
this to your sshd_config, dimwit!")
In order to achieve this, I created an extra user account
"someuser-remote" with the same UID as "someuser", the same home
directory and shell, and no password (i.e.: account disabled).
# useradd -o -u 1000 -g 1000 -d /home/someuser/ -s /bin/bash someuser-remote
(a more general but still imperfect command:)
# useradd -o -u $(grep ^someuser: /etc/passwd | cut -d: -f3) -g $(grep ^someuser: /etc/passwd | cut -d: -f4) -d /home/someuser/ -s /bin/bash someuser-remote
then added to my sshd_config:
AllowUsers *@192.168.1.* someuser-remote@*
(and of course various options to allow keys-based authentication, but
those are enabled by default on Debian)
For multiple users, you'd probably want "... *-remote@*"
The really surprising thing for me: it actually seems to be working.
Without error. Even my prompt is saying "[someuser@servo someuser]$ "
instead of "[someuser-remote@servo someuser]$ ". That much was very
unexpected... and a cause of minor concern, but I was planning on forcing
my PS1 for someuser-remote anyway, so it's really doing what I wanted it to.
Other than that, I've had to symlink /var/mail/someuser-remote to point
to /var/mail/someuser. There are probably other minor things like this,
but this is all I've noticed so far.
I really expect that different security for different origins is
something which I am not alone in wanting, but I also expect somebody
here thinks this is a bad idea.
I would call it "quantum entanglement of user accounts to allow spooky
action over a distance", but that's just me.