2014-01-09
Using different sshd options for different origin hosts
Suppose, hypothetically, that you have a need to both expose some hosts to incoming SSH traffic from the Internet and to allow root access (either direct or through automated means like authorized key permissions) to them over SSH. However, you certainly don't need both at once; you'll never be doing root access from the Internet. Wouldn't it be nice if you could have some sshd settings that varied based on where the connection was coming from?
Well, you can. Modern versions of OpenSSH support a Match directive in /etc/ssh/sshd_config, which can be used to allow or disallow a whole set of things based on the connection origin. In the case I gave above you could do this with:
    # global default: no root logins at all
    PermitRootLogin no

    # internal networks only: root allowed, but only with keys
    Match Address 127.0.0.0/8,10.0.0.0/16
        PermitRootLogin without-password
(The IP address ranges here are an example.)
Match allows you to match connections based on various characteristics of both the connection (e.g. origin IP address or hostname) and the local target (e.g. the target local user and group). It can be used for a lot more than denying root access, of course; you can turn off password authentication, disallow access to specific local users, only allow access to specific local users, and so on. There are a lot of tricks that you can do here, so many that I'm going to leave them to your imagination (and to a reading of the full sshd_config manpage).
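As an added illustration (not code from the original post or from OpenSSH), here is a small Python model of how sshd picks the effective value of a keyword for one connection: the first satisfied Match block that sets the keyword wins, otherwise the global value applies. The sshd_config text is a constructed sample, and only the Address and User criteria are modelled.

```python
import ipaddress
import shlex
# Constructed sshd_config sample (not from any real host); it extends the page's example
SAMPLE_CONFIG = """
PermitRootLogin no
PasswordAuthentication yes
# root only from internal networks, and only with keys
Match Address 127.0.0.0/8,10.0.0.0/16
    PermitRootLogin without-password
# the backup account must use keys even from inside
Match User backup Address 10.0.0.0/16
    PasswordAuthentication no
"""

def parse_sshd_config(text):
    # returns the global options plus a list of (criteria, options) per Match line
    global_opts, blocks, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, *args = shlex.split(line)
        if key.lower() == "match":  # criteria follow as "Name value" pairs
            criteria = {args[i].lower(): args[i + 1].split(",")  # comma-separated lists
                        for i in range(0, len(args), 2)}
            current = {}
            blocks.append((criteria, current))
        else:
            section = global_opts if current is None else current
            section.setdefault(key.lower(), " ".join(args))  # first value in a section wins
    return global_opts, blocks

def address_matches(addr, patterns):
    ip = ipaddress.ip_address(addr)
    return any(pat in ("*", addr) or
               ("/" in pat and ip in ipaddress.ip_network(pat, strict=False))
               for pat in patterns)

def block_matches(criteria, addr, user):
    # every criterion on the Match line must hold; only Address and User are modelled
    checks = {"address": lambda pats: address_matches(addr, pats),
              "user": lambda pats: user in pats or "*" in pats}
    return all(checks[name](pats) for name, pats in criteria.items())

def effective_option(text, keyword, addr, user):
    global_opts, blocks = parse_sshd_config(text)
    key = keyword.lower()
    for criteria, options in blocks:  # first satisfied block that sets the keyword wins
        if key in options and block_matches(criteria, addr, user):
            return options[key]
    return global_opts.get(key)
```

On a real host the authoritative check is sshd itself: `sshd -T -C user=backup,host=HOSTNAME,addr=10.0.3.4` (HOSTNAME is a placeholder; older releases require all three keys) prints the options it would apply to that connection.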
Of course there are limits on how much additional security this will get you against a determined attacker who is specifically targeting your users. At least around here, if we made it very hard to get in by SSH from the outside Internet a targeted attacker would just switch to compromising the user's VPN access and going from there with 'inside' access. But at least we can configure sshd to absolutely rule out certain sorts of brute force attacks against selected accounts.