我读过了如何在Ubuntu服务器上禁用密码validation 。 但是,是否可以仅为远程用户禁用?
我担心,如果我在本地和远程(按照devise)启用这个function,我最终将失去密钥并locking自己(随着时间的推移)。 如果我只能禁用远程用户的密码authentication,丢失密钥不会那么悲惨; 我可以简单地去局域网并用密码login并创build一个新的密钥。
从sshd_config(5)页:
Match Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. The arguments to Match are one or more criteria-pattern pairs. The available criteria are User, Group, Host, LocalAddress, LocalPort, and Address. The match patterns may consist of single entries or comma- separated lists and may use the wildcard and negation operators described in the PATTERNS section of ssh_config(5). The patterns in an Address criteria may additionally contain addresses to match in CIDR address/masklen format, eg “192.0.2.0/24” or “3ffe:ffff::/32”. Note that the mask length provided must be consistent with the address - it is an error to specify a mask length that is too long for the address or one with bits set in this host portion of the address. For example, “192.0.2.0/33” and “192.0.2.0/8” respectively.
这意味着,假定10.0.0.0/24是你的局域网,你可以在主configuration中禁用PasswordAuthentication ,并且可以这样做一个Match块:
.... PasswordAuthentication No .... Match Address 10.0.0.0/24 PasswordAuthentication Yes
你可以把所有的远程用户放到一个本地(附加)组中。 'remoteusr',并禁止在'sshd_config'中使用密码login
Match Group remoteusr PasswordAuthentication no
我之前见过的一个选项是从单独的configuration文件中运行两个sshd读取实例。 默认的监听正常的SSHstream量,按照您的需要进行安全configuration。
第二个例子是你的“后门”,它只监听一个单独的端口或单独的IP,可能有适当的防火墙规则,以防止从外部networking访问。 它的configuration不同; 也许允许使用密码authentication,也许允许访问主服务器中不允许使用的账户等。