Disable SSH password authentication on specific interface


This answer applies to OpenSSH. OpenWRT includes Dropbear by default, so you would need to replace it, as per this link (basically, install openssh-server and disable dropbear).

With OpenSSH, what you'd like is possible using two possible mechanisms:

  1. Separate sshd configurations for your LAN and WAN interfaces. This will only work well if you have a static WAN IP (it's not possible to tell sshd to listen to a specific interface, only a specific IP).
  2. Only allow password authentication for clients in your LAN.

Option 1:

In the LAN configuration file (eg, /etc/ssh/sshd_config, the default file) you'd have something like:

PasswordAuthentication yes
ListenAddress 192.168.1.1:22

In the WAN configuration file (eg, /etc/ssh/sshd_config_wan):

PasswordAuthentication no
ListenAddress 10.1.1.1:22

In the above, 192.168.1.1 is your LAN interface IP, 10.1.1.1 your WAN IP address and in both cases, 22 the port to listen to. You can specify the configuration file to load by using the -f option to sshd. You'll need to copy the default init script to a new one and amend it to call sshd with -f /etc/ssh/sshd_config_wan.

Option 2:

In /etc/ssh/sshd_config, put this at the end of the file:

PasswordAuthentication no

Match address 192.168.1.0/24
    PasswordAuthentication yes

Here, you're disabling password authentication, except for addresses on your LAN (assumed here to be 192.168.1.0/24).
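To see what "Option 2" actually does for a given client, the following added example (not code from the answer above or from OpenSSH) models how sshd resolves a keyword against a global section plus ordered Match blocks: the first applicable Match block that sets the keyword wins, the global value is the fallback, and a `!`-negated Address entry that matches makes the whole list fail. The sample config string, the client addresses (192.168.1.50 for the LAN, the documentation address 203.0.113.7 standing in for a WAN client) and all function names are constructed for this example; only the `Address` criterion is modelled.

```python
import ipaddress

# Constructed sample config mirroring the answer's "Option 2"
# (assumption: illustrative text, not a file from the page or any real host).
SAMPLE_CONFIG = """
# global section: keys only
PasswordAuthentication no
PubkeyAuthentication yes

# LAN clients may still use passwords
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Split sshd_config text into global options and an ordered list of Match blocks.

    Keywords are case-insensitive in sshd_config, so they are lower-cased here.
    Within each section the *first* value given for a keyword wins, as in sshd.
    """
    global_opts = {}
    match_blocks = []          # [(criteria, options), ...] in file order
    current = None             # options dict of the Match block being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            tokens = value.split()
            # Match takes criterion/pattern pairs, e.g. "Address 10.0.0.0/8 User alice"
            criteria = {tokens[i].lower(): tokens[i + 1].split(",")
                        for i in range(0, len(tokens) - 1, 2)}
            current = {}
            match_blocks.append((criteria, current))
        elif current is None:
            global_opts.setdefault(key, value)
        else:
            current.setdefault(key, value)
    return global_opts, match_blocks


def address_matches(client_addr, patterns):
    """Apply a comma-separated Address list to one client IP.

    Entries may be single IPs or CIDR ranges; a leading '!' negates an entry.
    A negated entry that matches fails the whole list, even after a positive hit.
    """
    ip = ipaddress.ip_address(client_addr)
    positive_hit = False
    for pattern in patterns:
        negated = pattern.startswith("!")
        network = ipaddress.ip_network(pattern.lstrip("!"), strict=False)
        if ip.version == network.version and ip in network:
            if negated:
                return False
            positive_hit = True
    return positive_hit


def match_block_applies(criteria, client_addr):
    """True when every criterion on a Match line holds for this client.

    Only Address is modelled here (assumption: other criteria are out of scope).
    """
    for name, patterns in criteria.items():
        if name != "address":
            raise ValueError(f"Match criterion not modelled in this example: {name}")
        if not address_matches(client_addr, patterns):
            return False
    return True


def effective_option(config_text, client_addr, keyword):
    """Return the value sshd would use for `keyword` for a client at `client_addr`.

    Match blocks are consulted in file order; the first applicable block that sets
    the keyword wins, and the global section is the fallback.
    """
    global_opts, match_blocks = parse_sshd_config(config_text)
    kw = keyword.lower()
    for criteria, options in match_blocks:
        if kw in options and match_block_applies(criteria, client_addr):
            return options[kw]
    return global_opts.get(kw)


def password_auth_allowed(config_text, client_addr):
    """Convenience check: does this client get password authentication at all?"""
    return effective_option(config_text, client_addr, "PasswordAuthentication") == "yes"


if __name__ == "__main__":
    # 203.0.113.7 is a documentation (TEST-NET-3) address standing in for a WAN client.
    for addr in ("192.168.1.50", "203.0.113.7"):
        value = effective_option(SAMPLE_CONFIG, addr, "PasswordAuthentication")
        print(f"{addr}: PasswordAuthentication {value}")
```

On a real host the same question is answered by sshd itself: `sshd -T -C addr=192.168.1.50,laddr=192.168.1.1 | grep -i passwordauthentication` prints the effective value for a simulated connection, and `sshd -t -f /etc/ssh/sshd_config_wan` syntax-checks the second file from "Option 1" before the extra instance is started. Run either check before restarting sshd, since a typo in a Match block can lock you out of the WAN side entirely.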



Author: Hegla79

Updated on September 18, 2022

Comments

  • Hegla79 over 1 year

    I have an OpenWrt router, I want to disable password authentication on SSH, so that one can only authenticate with keys. This is easily achieved by following the guide in the documentation, however, I want to only disable password authentication on the WAN interface, is this possible?

  • kamae about 10 years
    'PasswordAuthentication' in 'Match' was supported from around 4.6. Older openssh does not support it.
  • mjturner about 10 years
    @kamae Thanks. Indeed, it's only supported since 4.6 - openssh.com/txt/release-4.6
  • Admin almost 2 years
    I think "Option 1" should be considered a historical or compatibility solution. "Option 2" is the clear winner today.