
Secure Shell (SSH) is a cryptographic network protocol that allows secure remote login from one computer to another. By default, SSH allows password authentication from any IP address. However, in certain scenarios, you may want to restrict this to only certain IP addresses. This article will guide you on how to allow SSH password authentication from specific IP addresses.
To allow SSH password authentication from certain IP addresses, you can modify the SSH configuration file /etc/ssh/sshd_config by disabling global password authentication and using the Match directive to specify the IP address range. Additionally, you can allow password authentication for specific users from certain IP addresses using the AllowUsers directive. Remember to back up your original configuration file before making any changes.
Understanding SSH Password Authentication
SSH password authentication is a method that allows users to establish an SSH connection using their username and password. While this method is straightforward, it also poses a potential security risk if the password is weak or compromised. Hence, it’s recommended to restrict SSH password authentication to specific IP addresses to enhance security.
Configuring SSH for Password Authentication
To allow SSH password authentication from certain IP addresses, we need to modify the SSH configuration file, /etc/ssh/sshd_config.
Before making any changes, it’s recommended to back up the original configuration file. You can do this by running the following command:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
This command creates a backup of the sshd_config file named sshd_config.bak.
Disabling Global Password Authentication
To disable the global password authentication, open the sshd_config file with a text editor of your choice. Look for the line that contains PasswordAuthentication and set its value to no. If the line is commented out (starts with a #), remove the #.
PasswordAuthentication no
This configuration disables password authentication for all users and IP addresses.
Allowing Password Authentication for Certain IP Addresses
To allow password authentication for certain IP addresses, add a Match block at the end of the sshd_config file. The Match directive allows more specific configurations for users or addresses.
Here’s an example of how to use it:
Match address 192.0.2.0/24
PasswordAuthentication yes
In this example, 192.0.2.0/24 is the IP address range for which password authentication is allowed. You can replace this with your desired subnet.
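The sketch below is an added example, not part of the original article or of OpenSSH: a simplified Python model of how sshd settles PasswordAuthentication for a given client address, including what happens when a setting lands after the Match line. It assumes only Match Address criteria with CIDR ranges or single IPs (no wildcards or negation); the sample configuration and the address 198.51.100.7 are constructed.

```python
import ipaddress

# Constructed sample mirroring the article's layout; not taken from a real server.
SAMPLE_CONFIG = """\
PasswordAuthentication no

Match Address 192.0.2.0/24,198.51.100.7
    PasswordAuthentication yes
"""

def address_matches(pattern_list, addr):
    """True if addr is inside any CIDR range or equals any single IP in the list."""
    ip = ipaddress.ip_address(addr)
    for pattern in pattern_list.split(","):
        net = ipaddress.ip_network(pattern.strip(), strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False

def password_auth_allowed(config_text, addr):
    """Effective PasswordAuthentication for a client address (simplified model)."""
    global_value = None    # first value set before any Match line
    match_value = None     # first value set inside a Match block that applies
    in_match = applies = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, arg = (line.split(None, 1) + [""])[:2]
        keyword, arg = keyword.lower(), arg.strip()
        if keyword == "match":
            # A Match block runs until the next Match line or the end of the file.
            in_match = True
            criteria = arg.split()
            applies = (len(criteria) == 2 and criteria[0].lower() == "address"
                       and address_matches(criteria[1], addr))
        elif keyword == "passwordauthentication":
            if not in_match:
                global_value = global_value or arg.lower()
            elif applies:
                match_value = match_value or arg.lower()
    # A matching block overrides the global value; OpenSSH's built-in default is yes.
    return (match_value or global_value or "yes") == "yes"

if __name__ == "__main__":
    for client in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(client, password_auth_allowed(SAMPLE_CONFIG, client))
```

On a real server, sshd -T -C user=user1,host=client,addr=192.0.2.10 prints the settings sshd itself would apply to that connection, and sshd -t checks the file for syntax errors before you reload.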
Applying the Changes
After making the changes, save and close the file. To apply the changes, reload the SSH configuration by running the following command:
service ssh reload
This command reloads the SSH service, applying the new configuration without disrupting active connections.
Allowing Password Authentication for Specific Users from Certain IP Addresses
In some cases, you may want to allow password authentication for specific users from certain IP addresses. You can do this using the AllowUsers directive. Here’s an example:
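AllowUsers user1@192.168.*.* user2@192.168.*.*
This configuration allows password authentication for user1 and user2 from any IP address in the 192.168 subnet. The patterns in the list are separated by spaces, not commas. Keep in mind that AllowUsers restricts who may log in at all, by any authentication method: once it is set, only users matching one of its patterns can log in, and whether a password is accepted for them is still decided by the PasswordAuthentication setting that applies to the connection.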
Conclusion
Restricting SSH password authentication to specific IP addresses is a good practice to enhance the security of your SSH server. Remember to always back up your original configuration file before making any changes. Also, keep a shell running until you’ve validated the new configuration to avoid locking yourself out of the server.
For more information about SSH, you can visit the OpenSSH website.
The SSH configuration file is located at /etc/ssh/sshd_config. You can access it using a text editor of your choice.
Yes, you can allow SSH password authentication from multiple IP addresses by adding multiple Match blocks in the sshd_config file. Each Match block can specify a different IP address or IP range.
Yes, you can configure SSH to allow password authentication for specific users and key-based authentication for others. You can use the Match User directive in the sshd_config file to specify different authentication methods for different users.
After making changes to the SSH configuration file, you can test if the changes are working by opening a new terminal window and attempting to establish an SSH connection to the server from the allowed IP address. If the connection is successful using password authentication, then the changes have been applied correctly.
If you get locked out of the server after making SSH configuration changes, you can access the server through an alternative method, such as a console or physical access. Once you have access, revert the changes made to the SSH configuration file and restart the SSH service to regain remote access.