Disable SSH password authentication on specific interface
This answer applies to OpenSSH. OpenWRT includes Dropbear by default, so you would need to replace it, as per this link (basically, install openssh-server and disable dropbear).
With OpenSSH, what you'd like is possible using two mechanisms:
- Separate sshd configurations for your LAN and WAN interfaces. This will only work well if you have a static WAN IP (it's not possible to tell sshd to listen on a specific interface, only on a specific IP).
- Only allow password authentication for clients in your LAN.
Option 1:
In the LAN configuration file (eg, /etc/ssh/sshd_config, the default file) you'd have something like:
    PasswordAuthentication yes
    ListenAddress 192.168.1.1:22
In the WAN configuration file (eg, /etc/ssh/sshd_config_wan):
    PasswordAuthentication no
    ListenAddress 10.1.1.1:22
In the above, 192.168.1.1 is your LAN interface IP, 10.1.1.1 your WAN IP address and in both cases, 22 the port to listen on. You can specify the configuration file to load by using the -f option to sshd. You'll need to copy the default init script to a new one and amend it to call sshd with -f /etc/ssh/sshd_config_wan.
Option 2:
In /etc/ssh/sshd_config, put this at the end of the file:
    PasswordAuthentication no
    Match Address 192.168.1.0/24
        PasswordAuthentication yes
Here, you're disabling password authentication, except for addresses on your LAN (assumed here to be 192.168.1.0/24).
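As an added example (not part of this answer and not OpenSSH's own code), the following Python script models how sshd resolves PasswordAuthentication for a given client address under the Option 2 layout: Match blocks are evaluated in file order, the first block that sets a keyword wins, and everything after a Match line belongs to that block until the next Match line. The second sample config shows the common mistake of appending the global "no" after the Match block, which leaves password authentication enabled for everyone outside the LAN. The parser is deliberately simplified: it understands only the Address, LocalAddress, User and All criteria with CIDR or plain-IP entries and "!" negation. The sample configs, the IP addresses and the user name alice are constructed placeholders.

```python
import ipaddress

# Constructed sample sshd_config, laid out like "Option 2" in the answer:
# password authentication off globally, re-enabled only for the LAN subnet.
LAN_ONLY_PASSWORDS = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

# Constructed misordered variant: the global "no" was appended *after* the
# Match block, so it belongs to that block and never applies globally.
MISORDERED = """\
Port 22
Match Address 192.168.1.0/24
    PasswordAuthentication yes
PasswordAuthentication no
"""


def parse_match_criteria(spec):
    """'Address 192.168.1.0/24,!192.168.1.7 User bob' ->
    [('address', ['192.168.1.0/24', '!192.168.1.7']), ('user', ['bob'])]."""
    tokens = spec.split()
    if len(tokens) == 1 and tokens[0].lower() == "all":
        return [("all", [])]
    if len(tokens) % 2:
        raise ValueError("Match line needs criterion/value pairs: %r" % spec)
    return [(key.lower(), val.split(",")) for key, val in zip(tokens[0::2], tokens[1::2])]


def parse_sshd_config(text):
    """Return (global_settings, match_blocks); each match block is
    (criteria, settings). Keywords are lower-cased and comments dropped.
    Within a section the first occurrence of a keyword wins, as in sshd."""
    global_settings = {}
    match_blocks = []
    section = global_settings          # lines before any Match are global
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            section = {}               # every following line belongs to this block
            match_blocks.append((parse_match_criteria(value), section))
        else:
            section.setdefault(keyword, value)
    return global_settings, match_blocks


def address_in_list(ip_text, entries):
    """OpenSSH-style address list: a matching negated entry rejects,
    a matching positive entry accepts, otherwise there is no match."""
    ip = ipaddress.ip_address(ip_text)
    for entry in entries:
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if ip in net:
            return not negated
    return False


def criterion_matches(key, values, conn):
    # conn: {'addr': client IP, 'laddr': local IP, 'user': login name}
    if key == "all":
        return True
    if key == "address":
        return address_in_list(conn["addr"], values)
    if key == "localaddress":
        return address_in_list(conn["laddr"], values)
    if key == "user":
        return conn["user"] in values
    raise ValueError("unsupported Match criterion in this model: %s" % key)


def effective_setting(config_text, conn, keyword, default):
    """Resolve a keyword the way sshd does for one connection: the first
    matching Match block that sets it wins, otherwise the global value."""
    global_settings, match_blocks = parse_sshd_config(config_text)
    keyword = keyword.lower()
    for criteria, settings in match_blocks:
        if keyword in settings and all(criterion_matches(k, v, conn) for k, v in criteria):
            return settings[keyword]
    return global_settings.get(keyword, default)


def password_auth_allowed(config_text, client_ip):
    """True if a client connecting from client_ip may use a password.
    laddr and user are placeholder values; only Address is consulted here."""
    conn = {"addr": client_ip, "laddr": "0.0.0.0", "user": "alice"}
    return effective_setting(config_text, conn, "PasswordAuthentication", "yes").lower() == "yes"


if __name__ == "__main__":
    for name, cfg in (("LAN_ONLY_PASSWORDS", LAN_ONLY_PASSWORDS), ("MISORDERED", MISORDERED)):
        for ip in ("192.168.1.50", "203.0.113.9"):
            print(name, ip, "password auth:", password_auth_allowed(cfg, ip))
```

On the real host, the authoritative check is sshd's own extended test mode rather than this model: sshd -T -C user=alice,host=placeholder.example,addr=203.0.113.9 | grep -i passwordauthentication prints the value sshd would apply to a connection from that address (the user and host values are placeholders; only addr matters for an Address-only Match).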
Hegla79, updated on September 18, 2022
Comments
- Hegla79, over 1 year ago: I have an OpenWrt router, I want to disable password authentication on SSH, so that one can only authenticate with keys. This is easily achieved by following the guide in the documentation, however, I want to only disable password authentication on the WAN interface, is this possible?
- kamae, about 10 years ago: 'PasswordAuthentication' in 'Match' was supported from around 4.6. Older openssh does not support it.
- mjturner, about 10 years ago: @kamae Thanks. Indeed, it's only supported since 4.6 - openssh.com/txt/release-4.6
- Admin, almost 2 years ago: I think "Option 1" should be considered a historical or compatibility solution. "Option 2" is the clear winner today.