Re: key based authentication except from certain hosts



On 15 May 2006 04:38:58 -0700, wilma2002@xxxxxxxx wrote:
> Hello,
>
> I have tried to find information on this but no luck yet. I hope
> someone in this group can give me some pointers or advice.
>
> We use public/private key authentication on all our Linux and Unix
> hosts. We don't allow password authentication, only key authentication.
> Now, we have a monitoring software that uses SSH to collect metrics from
> Linux and Unix hosts, but I'm unable to use it since it lacks support
> for SSH key authentication. It can at the moment only work with a
> username and a password.
>
> The question - Is there some way in OpenSSH to allow logins from
> certain hosts/IP addresses to authenticate with username and password
> rather than by a key?
> At the same time, key authentication should be enforced for all other
> logins.
>
> Thank you
> Wilma

Whenever you need two (or more) distinct setups in sshd, the simplest
way is to run a second ssh daemon listening on its own port. I did
this on a RH9 system.

Without going into too much detail, here's how:

1. Copy the normal ssh config files to a new "privatessh" config:
       cd /etc/ssh
       cp -p ssh_config privatessh_config
       cp -p sshd_config privatesshd_config
   Then modify the new config files as necessary, make sure it
   uses a different port (sshd_config).
2. Copy the ssh init script:
       cd /etc/rc.d/init.d
       cp -p sshd privatesshd
   and modify as required. Anything which points to ssh* must
   point to privatessh*
3. Copy the ssh daemon and the pam module:
       cd /usr/sbin
       cp -p sshd privatesshd
       cd /etc/pam.d
       cp -p sshd privatesshd
   Do not modify.

At this point you have a new, private ssh daemon available. You can
start it (again, remember this is RH9):
    chkconfig --add privatesshd
    chkconfig --level 2345 privatesshd on
    service privatesshd start
This should create the necessary keys if the files created in steps
1 and 2 were modified correctly.

The most important item is correctly modifying the files created in
steps 1 and 2 above.

--
Dale Dellutri <ddelQQQlutr@xxxxxxxxxxxx> (lose the Q's)
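
Added example, not part of the post above: one way to carry out the "modify the new config files as necessary" part of step 1 so that the second daemon accepts passwords only for the monitoring login while the main sshd stays key-only. The port 2222, the account name "monitor", the address 192.0.2.10 and the pid file path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: derive privatesshd_config from the main sshd_config.
# Assumed values (not from the post): port 2222, account "monitor",
# monitoring host 192.0.2.10 (documentation address).
PRIV_PORT=2222
PRIV_USER=monitor
PRIV_HOST=192.0.2.10

# Reads a base sshd_config on stdin, writes the private config on stdout.
make_private_config() {
    # Drop every existing setting (active or commented out) that is
    # overridden below, so each directive ends up with exactly one value.
    sed -E '/^[[:space:]]*#?[[:space:]]*(Port|PasswordAuthentication|PidFile|AllowUsers)[[:space:]]/d'
    cat <<EOF

# --- overrides for the second daemon ---
Port $PRIV_PORT
# Separate pid file so stopping privatesshd never signals the main sshd.
PidFile /var/run/privatesshd.pid
PasswordAuthentication yes
# Only this account, and only from the monitoring host, may log in here.
AllowUsers $PRIV_USER@$PRIV_HOST
EOF
}

# Constructed sample of a key-only main config (not a real host's file).
sample_base_config() {
    cat <<'EOF'
#Port 22
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

# Show the derived config for the constructed sample.
demo() { sample_base_config | make_private_config; }
demo
```

On a real host the function would be fed /etc/ssh/sshd_config and its output written to /etc/ssh/privatesshd_config; a packet filter rule limiting the extra port to the monitoring host adds a second layer beside AllowUsers.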