Creating port-specific SSH authentication for the same user

Information Security Asked by Brill on January 14, 2021

I have a Linux server running SSHD and would like to know if it's possible to configure it such that from within the LAN you only need an RSA key to authenticate (on port X), but from outside the LAN the user would need to authenticate with both an RSA key and an OTP password generated by a PAM module (via port Y).

I tried configuring /etc/ssh/sshd_config with the match condition:

match user XX
   LocalPort 22
   PasswordAuthentication no
   RSAAuthentication yes

match user XX
   LocalPort 12345
   PasswordAuthentication yes
   RSAAuthentication no

It gives me the error "bad parameter", implying that this command isn't supported, although the sshd_config manual says that it is.

In summary, my question is: Is it possible to have different authentication methods for the same user depending on which port they SSH into?

3 Answers

You could run two ssh daemons listening on separate ports by using two sshd_config files and the -f option of sshd. One configuration file would include the OTP/PAM module whilst the other would only allow key-based authentication.

Both would then authenticate the user against their own private key regardless.

One word of caution: you'll have to manually track updates of the SSH daemon, as it's likely that your system would only update one configuration file and not the other.

Correct answer by lorenzog on January 14, 2021

In fact, the Match expression must be on the same first line. So this should work as expected in /etc/ssh/sshd_config:

Match User XX LocalPort 22
   PasswordAuthentication no
   RSAAuthentication yes

Match User XX LocalPort 12345
   PasswordAuthentication yes
   RSAAuthentication no

Beware that a Match block ends at the end of the configuration file or at the next Match directive. Indentation is only there for prettiness. As a result, DO NOT add Match lines in the middle of an existing configuration file. Simply put your Match blocks at the end of the file.

Warning: OpenSSH is compiled with a hard-coded limit on listen ports, by default 8 (Debian, Ubuntu...), and the startup logic appears to open ports in reverse order compared to the configuration directives, with the consequence that it refuses to open the default SSH port 22 when you declare more ports than allowed... and you have already guessed it: you just lose your SSH access to your system! If you need more than 8 SSH ports, I recommend keeping only 22 handled by the regular service/daemon, and setting up your additional SSH ports with xinetd.

Answered by Yves Martin on January 14, 2021
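To make the rules in this answer concrete (criteria belong on the Match line, a block runs until the next Match or the end of the file, and the question's form is rejected), here is a small Python model of how sshd resolves a per-connection configuration. It is an added example, not code from the answerer or from OpenSSH, and it is a deliberate simplification: it evaluates only the User and LocalPort criteria, treats patterns as literal names, and the constructed sample uses PubkeyAuthentication, the keyword for protocol-2 key-based login (RSAAuthentication applied only to the removed protocol 1).

```python
# Match criteria: valid only on the Match line, never as a keyword inside a block.
CRITERIA = {"user", "group", "host", "localaddress", "localport", "address"}

def parse_sshd_config(text):
    """Return (global_opts, blocks), each block being (criteria, opts). A block
    runs to the next Match line or end of file (indentation is ignored, as sshd
    ignores it). Raises ValueError for the question's mistake: a criterion inside a block."""
    global_opts, blocks, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            tokens = value.split()  # alternating criterion / pattern
            crit = {tokens[i].lower(): tokens[i + 1] for i in range(0, len(tokens), 2)}
            current = (crit, {})
            blocks.append(current)
        elif key in CRITERIA:
            raise ValueError(f"line {lineno}: {key} is a Match criterion, not a keyword")
        else:
            target = global_opts if current is None else current[1]
            target.setdefault(key, value)  # sshd keeps the first value it sees
    return global_opts, blocks

def effective_config(global_opts, blocks, user, lport):
    """Settings a session for `user` on local port `lport` gets: global values,
    overridden by matching blocks; the first matching block to set a keyword wins."""
    eff, decided = dict(global_opts), set()
    for crit, opts in blocks:
        wanted = {"user": user, "localport": str(lport)}
        if any(wanted.get(k) != v for k, v in crit.items()):  # unmodelled criteria never match
            continue
        for key, value in opts.items():
            if key not in decided:
                eff[key] = value
                decided.add(key)
    return eff

# Constructed sample: the fix above in one-line Match form, with
# PubkeyAuthentication (the protocol-2 keyword) for key-based login.
SAMPLE = """\
PasswordAuthentication no
Match User XX LocalPort 22
   PubkeyAuthentication yes
Match User XX LocalPort 12345
   PasswordAuthentication yes
   PubkeyAuthentication no
"""
```

Against a real daemon the equivalent check is `sshd -T -C user=XX,lport=22`, which prints the configuration sshd would actually apply to a connection matching that spec.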

Here's a link to a post for a similar situation: https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-wikid-with-putty-and-ssh-for-vnc. Two sshd setups, one forwarding to the other, one using keys, the other an OTP. Not quite what you want, but might help.

Answered by nowen on January 14, 2021
