Separate Level Security

While I’m quite a fan of having the server set up so that it uses the authorized keys rather than passwords for logging in via SSH, I still want to have a method to get in if those keys ever fail. I could probably set something up to do it via the console, but I was searching for some way to tell the server to treat logins differently depending on where they originated from: anything coming from the local network can be treated as slightly more trusted than anything arriving from the wider internet.

I’m sure that there are still possible exploits with this setup, but at least I’m trying to minimize them and make it as hard as possible for anyone to break in to the system while still not putting up too many barriers to being able to use it and administer it myself.

You would think that this would be something others would also want, so I did a little searching, and of course there are settings to be able to do exactly this. I just wanted to get a copy of the settings written down here so it would be easy for me to copy them and get a new server set up in just this way anytime I have a need to.

Here are the lines that I had to change in /etc/ssh/sshd_config :

# Not strictly required, but just one more added security setting
PermitRootLogin no
PasswordAuthentication no
UsePAM no
# Allow passwords and root login only from local network
Match Address 192.168.1.*
        PermitRootLogin yes
        PasswordAuthentication yes

Admittedly, I’m not entirely clear on what PAM is, but I don’t have it set up to use, so I disabled it to reduce the attack surface. The Match Address line changes which settings apply: in the global section I have password login disabled, but any connection whose source address matches the pattern gets the settings that follow it, and those override the same keywords from the global section. According to this site, every line from the Match Address line until either the end of the file or the next Match line, if there is one, applies to any client that matches the address pattern.
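To see exactly which settings a client at a given address would get, the real check on the server is `sshd -T -C addr=<client-ip>,user=<user>,host=<hostname>,laddr=<server-ip>,lport=22`, which prints the effective configuration after Match blocks have been applied. The script below is an added example (not from the original post, and not part of OpenSSH) that models the same semantics offline for the config above: the global section sets defaults, a Match Address block overrides them for matching source addresses, and where several Match blocks apply, the first block that sets a keyword wins. It assumes only Match Address criteria and supports wildcard patterns like the post’s 192.168.1.* as well as CIDR notation such as 192.168.1.0/24; the sample config string and client addresses are constructed for the demonstration.

```python
import fnmatch
import ipaddress

# Constructed sample: the sshd_config fragment from the post, with the
# remark beside PermitRootLogin written as a real '#' comment.
SAMPLE_CONFIG = """\
# Not strictly required, but just one more added security setting
PermitRootLogin no
PasswordAuthentication no
UsePAM no
# Allow passwords and root login only from local network
Match Address 192.168.1.*
        PermitRootLogin yes
        PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Split config text into the global options and an ordered list of
    (address_patterns, options) Match blocks.

    Keywords are case-insensitive in sshd_config, so they are lowercased.
    Only 'Match Address' is modelled here (an assumption for this example);
    sshd itself also supports User, Group, Host and other criteria.
    """
    global_opts = {}
    blocks = []
    current = global_opts  # options go here until the first Match line
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            criterion = value.split(None, 1)
            if len(criterion) != 2 or criterion[0].lower() != "address":
                raise ValueError(f"unsupported Match criterion: {value}")
            current = {}
            blocks.append((criterion[1].split(","), current))
        else:
            current[keyword] = value
    return global_opts, blocks


def address_matches(client_ip, patterns):
    """True if client_ip satisfies any comma-separated Address pattern:
    CIDR (192.168.1.0/24), wildcard (192.168.1.*) or an exact address.
    Negated '!' patterns are not modelled in this example."""
    ip = ipaddress.ip_address(client_ip)
    for pattern in patterns:
        if "/" in pattern:
            if ip in ipaddress.ip_network(pattern, strict=False):
                return True
        elif fnmatch.fnmatchcase(client_ip, pattern):
            return True
    return False


def effective_settings(text, client_ip):
    """Compute the settings a client connecting from client_ip would get.

    Match blocks override the global section; if several Match blocks
    apply, the first block that sets a keyword is the one used.
    """
    global_opts, blocks = parse_sshd_config(text)
    effective = dict(global_opts)
    already_set = set()
    for patterns, opts in blocks:
        if not address_matches(client_ip, patterns):
            continue
        for key, value in opts.items():
            if key not in already_set:
                effective[key] = value
                already_set.add(key)
    return effective


def main():
    # Constructed client addresses: one on the LAN, one from the internet.
    for client in ("192.168.1.50", "203.0.113.7"):
        settings = effective_settings(SAMPLE_CONFIG, client)
        print(f"client {client}:")
        for key in ("permitrootlogin", "passwordauthentication", "usepam"):
            print(f"  {key} = {settings[key]}")


if __name__ == "__main__":
    main()
```

Running it shows password authentication and root login enabled only for the 192.168.1.x client, while the internet client keeps the global "no" for both; UsePAM stays "no" in both cases because nothing in the Match block overrides it. Note that the pattern 192.168.1.* is a string match, not a network match, so 192.168.1.0/24 is the stricter way to express the same intent.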

With this setup, I now have both the increased security facing the internet and the increased ease of use when I’m using the local network. It seems to me that the only increased risk is of some other machine on the local network being compromised. At that point I believe I would have larger problems to deal with, so at least for now I’ll keep it this way.
