# Way to set sshd_config to selectively set auth policy based on source address



## ctengel (Aug 11, 2013)

Hi,

I have a FreeBSD box that sits on a trusted network behind a router/NAT to the Internet. The router/NAT device has port forwarding set up to allow SSH access from outside. If I understand correctly, use of keys is preferable to passwords from a security standpoint. I do understand that passwordless login can be enforced by setting sshd_config(5). What I would like to do though is permit password login from within the trusted subnet, but require a key when coming in from the outside. I tried this a while ago and ran into some issues; I think I am getting confused with all the SSHv1 vs SSHv2 options, PAM, challenge/resp vs password, etc, etc. I guess I am thinking something like this:

```
Protocol 2
UsePAM yes
ChallengeResponseAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes

Match Address 192.168.2.0/24
    ChallengeResponseAuthentication yes
```
Would this work? Is it secure? Does it make sense?

Thanks!
Chris
PS: I am on 9.1-RELEASE-p5, OpenSSH_5.8p2_hpn13v11


----------



## wblock@ (Aug 11, 2013)

This works:


```
ChallengeResponseAuthentication no

Match Address 192.168.2.0/24
  PasswordAuthentication yes
```


----------



## ctengel (Aug 11, 2013)

OK...it is coming back to me now that I tried this before and found that ChallengeResponseAuthentication cannot be set within a Match... for some reason hidden deep within the semantics of the OpenSSH code which I dare not touch   Are there any issues security-wise with enabling PasswordAuthentication in FreeBSD? (It seems to be disabled by default, correct?)


----------

