9

I have an OpenWrt router, I want to disable password authentication on SSH, so that one can only authenticate with keys. This is easily achieved by following the guide in the documentation, however, I want to only disable password authentication on the WAN interface, is this possible?

Gilles 'SO- stop being evil'
Hegla79

2 Answers

13

This answer applies to OpenSSH. OpenWrt includes Dropbear by default, so you would need to replace it, as per this link (basically, install openssh-server and disable dropbear).

With OpenSSH, what you'd like is possible using two possible mechanisms:

  1. Separate sshd configurations for your LAN and WAN interfaces. This will only work well if you have a static WAN IP (it's not possible to tell sshd to listen to a specific interface, only a specific IP).
  2. Only allow password authentication for clients in your LAN.

Option 1:

In the LAN configuration file (eg, /etc/ssh/sshd_config, the default file) you'd have something like:

PasswordAuthentication yes
ListenAddress 192.168.1.1:22

In the WAN configuration file (eg, /etc/ssh/sshd_config_wan):

PasswordAuthentication no
ListenAddress 10.1.1.1:22

In the above, 192.168.1.1 is your LAN interface IP, 10.1.1.1 your WAN IP address and in both cases, 22 the port to listen to. You can specify the configuration file to load by using the -f option to sshd. You'll need to copy the default init script to a new one and amend it to call sshd with -f /etc/ssh/sshd_config_wan.

Option 2:

In /etc/ssh/sshd_config, put this at the end of the file:

PasswordAuthentication no

Match address 192.168.1.0/24
    PasswordAuthentication yes

Here, you're disabling password authentication, except for addresses on your LAN (assumed here to be 192.168.1.0/24).

mjturner
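A simplified model of how sshd resolves the Option 2 configuration for a given client address, added here as an illustration and not part of the answer above. It handles only `Match Address` with CIDR lists; the function names, the `MISORDERED` variant and the sample client addresses are assumptions made for the example.

```python
import ipaddress

# Constructed sample: the Option 2 snippet from the answer.
OPTION_2 = """\
PasswordAuthentication no

Match address 192.168.1.0/24
    PasswordAuthentication yes
"""

# Constructed sample: same lines, but the global setting placed after the
# Match block, so it becomes part of that block instead of a global default.
MISORDERED = """\
Match address 192.168.1.0/24
    PasswordAuthentication yes
PasswordAuthentication no
"""

def parse(config_text):
    """Return (global_opts, [(networks, opts), ...]) for Match Address blocks."""
    global_opts, blocks, current = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            crit = value.split()
            if len(crit) != 2 or crit[0].lower() != "address":
                raise ValueError(f"only 'Match Address <cidr,...>' is modelled: {raw!r}")
            current = {}
            blocks.append(([ipaddress.ip_network(p, strict=False)
                            for p in crit[1].split(",")], current))
        else:
            # Within a section, the first value seen for a keyword is kept.
            (global_opts if current is None else current).setdefault(key, value)
    return global_opts, blocks

def effective(config_text, client_ip, keyword="PasswordAuthentication", default="yes"):
    """Value applied to client_ip; default="yes" is OpenSSH's built-in default."""
    global_opts, blocks = parse(config_text)
    addr, key = ipaddress.ip_address(client_ip), keyword.lower()
    for nets, opts in blocks:
        if key in opts and any(n.version == addr.version and addr in n for n in nets):
            return opts[key]  # a matching Match block overrides the global value
    return global_opts.get(key, default)
```

With `MISORDERED`, a WAN client falls back to the built-in default of `yes`, which is why the global `PasswordAuthentication no` has to come before the `Match` block. On the router itself, `sshd -T -C user=root,addr=<client-ip>,host=<client-ip>` prints the settings sshd actually resolves for that connection.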
0

You can run two instances of the SSH server, with different configurations, each listening on a different interface.

200_success