Celeb Glow
news | March 17, 2026

How can I allow SSH password authentication from only certain IP addresses?

I'd like to allow SSH password authentication from only a certain subnet. I see the option to disallow it globally in /etc/ssh/sshd_config:

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

Is there a way to apply this configuration to a select range of IP addresses?

2 Answers

Use a Match block at the end of /etc/ssh/sshd_config:

# Global settings
…
PasswordAuthentication no
…
# Settings that override the global settings for matching IP addresses only
Match address 192.0.2.0/24
    PasswordAuthentication yes

Then tell the sshd service to reload its configuration:

service ssh reload
9
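
As an added example (not part of the original answer), the Python sketch below computes which PasswordAuthentication value a given client address ends up with under a configuration like the one above. The function names and the sample configuration are constructed for illustration, and it assumes only "Match all" and "Match Address" with a comma-separated CIDR list, rejecting any other Match line instead of guessing.

```python
import ipaddress
# Constructed sample: global "no", re-enabled for one subnet via a Match block.
SAMPLE_CONFIG = """\
PasswordAuthentication no
Match Address 192.0.2.0/24,!192.0.2.99
    PasswordAuthentication yes
"""

def address_list_matches(patterns, client_addr):
    """Comma-separated CIDR list; a matching '!' entry vetoes the whole list."""
    ip, hit = ipaddress.ip_address(client_addr), False
    for pat in patterns.split(","):
        net = ipaddress.ip_network(pat.lstrip("!"), strict=False)
        if ip in net:
            if pat.startswith("!"):
                return False
            hit = True
    return hit

def match_applies(criteria, client_addr):
    """Assumption: only 'Match all' and 'Match Address <list>' are modelled."""
    lowered = [c.lower() for c in criteria]
    if lowered == ["all"]:
        return True
    if len(criteria) != 2 or lowered[0] != "address":
        raise ValueError("unsupported Match line: " + " ".join(criteria))
    return address_list_matches(criteria[1], client_addr)

def effective_password_auth(config_text, client_addr):
    """First value in a matching Match block, else first global value, else default."""
    global_value = match_value = None
    in_match = block_applies = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.replace("=", " ", 1).split()
        if key.lower() == "match":
            in_match, block_applies = True, match_applies(args, client_addr)
        elif key.lower() == "passwordauthentication" and args:
            if not in_match:
                global_value = global_value or args[0].lower()
            elif block_applies:
                match_value = match_value or args[0].lower()
    return match_value or global_value or "yes"  # "yes" is the OpenSSH default

if __name__ == "__main__":
    for addr in ("192.0.2.17", "192.0.2.99", "198.51.100.5"):
        print(addr, effective_password_auth(SAMPLE_CONFIG, addr))
```

On a real host, sshd -t checks the file for syntax errors before the reload, and sshd -T -C addr=192.0.2.17,user=alice,host=client.example (constructed values) prints the settings sshd itself would apply to that connection.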

You can add:

AllowUsers user1@192.168.*.* user2@192.168.*.*

This changes the default behaviour: it really denies all other users from all hosts. The Match block is available in OpenSSH version 5.1 and above.

2
