Using different sshd options for different origin hosts

January 9, 2014

Suppose, hypothetically, that you have a need to both expose some hosts to incoming SSH traffic from the Internet and to allow root access (either direct or through automated means like authorized key permissions) to them over SSH. However, you certainly don't need both at once; you'll never be doing root access from the Internet. Wouldn't it be nice if you could have some sshd settings that varied based on where the connection was coming from?

Well, you can. Modern versions of OpenSSH support a Match directive in /etc/ssh/sshd_config and this can be used to allow or disallow a whole set of things based on the connection origin. In the case I gave above you could do this with:

# Global default: no root logins at all, from anywhere.
PermitRootLogin no
# Override for connections whose source address is in the listed networks.
Match Address 127.0.0.0/8,10.0.0.0/16
    PermitRootLogin without-password

(The IP address ranges here are an example.)

Match allows you to match connections based on various characteristics of both the connection (e.g. origin IP address or hostname) and the local target (e.g. the target local user and group). It can be used for a lot more than denying root access, of course; you can turn off password authentication, disallow access to specific local users, only allow access to specific local users, and so on. There are a lot of tricks that you can do here, so many that I'm going to leave them to your imagination (and a reading of all of the sshd_config manpage).
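As an added illustration (not from the post and not OpenSSH's own code), here is a small Python model of how sshd decides which Match blocks apply to a connection, run against a constructed config that extends the post's snippet with a keys-only rule for everything outside the internal networks. The config, user names and addresses are all made up; the evaluation rules follow what sshd_config(5) documents, modelled for the User and Address criteria only.

```python
"""Model of sshd Match evaluation (added example, not OpenSSH code).

Rules modelled from sshd_config(5):
  * global section: the first value seen for a keyword wins;
  * a Match block applies only if all of its criteria are satisfied;
  * satisfied blocks override global values, and if several satisfied
    blocks set the same keyword, only the first instance is applied;
  * pattern lists: '*' and '?' wildcards, '!' negates an entry, a matching
    negated entry vetoes the whole list; Address entries may be CIDR.
Only 'User' and 'Address' (and 'Match all') are modelled.
"""
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample sshd_config, modelled on the post's snippet.
SAMPLE_CONFIG = """\
# Global section: applies unless a Match block overrides it.
PasswordAuthentication yes
PermitRootLogin no

# Internal networks: root allowed, but with a key only.
Match Address 127.0.0.0/8,10.0.0.0/16
    PermitRootLogin without-password

# Anything that is not an internal network: no password guessing at all.
Match Address *,!127.0.0.0/8,!10.0.0.0/16
    PasswordAuthentication no

# Also satisfied for root from 10.0.0.0/16, but the keyword was already
# set by the first satisfied block, so this value is ignored.
Match User root Address 10.0.0.0/16
    PermitRootLogin yes
"""


def pattern_list_matches(value, pattern_list):
    """Evaluate an sshd-style comma-separated pattern list against a value.

    CIDR entries are compared as networks when the value is an IP address;
    any other entry is a shell-style wildcard match on the text.
    """
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    matched = False
    for entry in pattern_list.split(","):
        negated = entry.startswith("!")
        pattern = entry[1:] if negated else entry
        if not pattern:
            continue
        hit = False
        if addr is not None:
            try:
                hit = addr in ipaddress.ip_network(pattern, strict=False)
            except ValueError:  # not CIDR (e.g. '*' or '10.0.*'): wildcard
                hit = fnmatchcase(value, pattern)
        else:
            hit = fnmatchcase(value, pattern)
        if hit:
            if negated:
                return False  # a matching negated entry vetoes the list
            matched = True
    return matched


def match_criteria_satisfied(criteria, user, address):
    """All criterion/pattern pairs on a Match line must hold (logical AND)."""
    tokens = criteria.split()
    if [t.lower() for t in tokens] == ["all"]:
        return True
    if len(tokens) % 2 != 0:
        raise ValueError("malformed Match line: %r" % criteria)
    supported = {"user": user, "address": address}
    for name, pattern_list in zip(tokens[::2], tokens[1::2]):
        if name.lower() not in supported:
            raise ValueError("criterion not modelled here: %s" % name)
        if not pattern_list_matches(supported[name.lower()], pattern_list):
            return False
    return True


def effective_options(config_text, user, address):
    """Return the keyword->value mapping sshd would apply to this connection."""
    global_opts, overrides = {}, {}
    in_match = block_applies = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, args = line.partition(" ")
        keyword, args = keyword.lower(), args.strip()
        if keyword == "match":
            in_match = True
            block_applies = match_criteria_satisfied(args, user, address)
            continue
        if not in_match:
            global_opts.setdefault(keyword, args)   # first global value wins
        elif block_applies:
            overrides.setdefault(keyword, args)     # first satisfied block wins
    return {**global_opts, **overrides}


if __name__ == "__main__":
    for user, addr in [("root", "10.0.0.5"), ("root", "203.0.113.9"),
                       ("alice", "127.0.0.1")]:
        print(user, addr, effective_options(SAMPLE_CONFIG, user, addr))
```

The model is for understanding the rules; on a real host the authoritative check is sshd itself. Running `sshd -T -C user=root,host=client.example,addr=203.0.113.9` prints the effective configuration sshd would use for that hypothetical connection, which lets you confirm a Match rule does what you meant before anyone connects from that address.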

Of course there are limits on how much additional security this will get you against a determined attacker who is specifically targeting your users. At least around here, if we made it very hard to get in by SSH from the outside Internet a targeted attacker would just switch to compromising the user's VPN access and going from there with 'inside' access. But at least we can configure sshd to absolutely rule out certain sorts of brute force attacks against selected accounts.

Last modified: Thu Jan 9 01:28:01 2014