Linux

Disable password authentication only for remote users

  • September 28, 2013

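I have read how to disable password authentication on an Ubuntu server. However, is it possible to disable it only for remote users?

I am afraid that if I enable this feature both locally and remotely (as designed), I will eventually lose my key and lock myself out (over time). If I could disable password authentication only for remote users, losing my key would be less dramatic; I could simply go onto the LAN, log in with a password and create a new key.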

From the sshd_config(5) man page:

Match   Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another
        Match line or the end of the file.

        The arguments to Match are one or more criteria-pattern pairs.  The available criteria are User, Group, Host, LocalAddress, LocalPort, and Address.  The match patterns may consist of single entries or comma-
        separated lists and may use the wildcard and negation operators described in the PATTERNS section of ssh_config(5).

        The patterns in an Address criteria may additionally contain addresses to match in CIDR address/masklen format, e.g. “192.0.2.0/24” or “3ffe:ffff::/32”.  Note that the mask length provided must be consistent
        with the address - it is an error to specify a mask length that is too long for the address or one with bits set in this host portion of the address.  For example, “192.0.2.0/33” and “192.0.2.0/8” respectively.

This means that, assuming 10.0.0.0/24 is your LAN, you could disable PasswordAuthentication in the main configuration and then have a Match block like this:

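   # Global section: applies to every connection unless a Match block overrides it
   ....
   PasswordAuthentication no
   ....
# Match blocks come after the global settings; this one applies to clients on the LAN
Match Address 10.0.0.0/24
   PasswordAuthentication yes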

Quoted from: https://serverfault.com/questions/542327
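Added example, not part of the original answer: a small Python check that models how a global `PasswordAuthentication` value and `Match Address` overrides resolve for a given client IP, and rejects the inconsistent CIDR masks the man page excerpt warns about. It is a simplified model (only `Match` lines with a single `Address` criterion in CIDR or single-address form, no wildcards), and the sample config and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample mirroring the answer's layout (10.0.0.0/24 assumed to be the LAN).
SAMPLE_CONFIG = """\
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 10.0.0.0/24
    PasswordAuthentication yes
"""

def parse(config_text):
    """Return (global_value, blocks); each block is [networks, negated_networks, value]."""
    global_value, blocks, block = None, [], None
    for line in config_text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()  # keywords are case-insensitive
        if key == "match":
            if len(words) != 3 or words[1].lower() != "address":
                raise ValueError(f"unsupported Match line: {line.strip()!r}")
            pos, neg = [], []
            for pat in words[2].split(","):
                # strict=True raises ValueError for a mask that is too long
                # or for host bits set, e.g. 192.0.2.0/33 or 192.0.2.0/8
                net = ipaddress.ip_network(pat.lstrip("!"), strict=True)
                (neg if pat.startswith("!") else pos).append(net)
            block = [pos, neg, None]
            blocks.append(block)
        elif key == "passwordauthentication" and len(words) > 1:
            value = words[1].lower()
            if block is None:
                global_value = global_value or value  # first value wins
            elif block[2] is None:
                block[2] = value
    return global_value, blocks

def password_auth_allowed(config_text, client_ip):
    """True if a client connecting from client_ip would be offered password auth."""
    global_value, blocks = parse(config_text)
    ip = ipaddress.ip_address(client_ip)
    for pos, neg, value in blocks:
        # A pattern list matches on a positive hit with no negated hit.
        if value and any(ip in n for n in pos) and not any(ip in n for n in neg):
            return value == "yes"
    return (global_value or "yes") == "yes"  # OpenSSH default is yes

if __name__ == "__main__":
    for addr in ("10.0.0.5", "203.0.113.7"):
        print(addr, password_auth_allowed(SAMPLE_CONFIG, addr))
```

On a real host, `sshd -T -C user=alice,host=client.example,addr=10.0.0.5` prints the effective settings sshd would apply to that connection; the user and host values here are placeholders.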