Re : Re: Sshd skey authentication forced if outside lan



Hi, thanks for answering!

Actually I use the "UseLogin=yes" feature as this was the only way I was able to force skey authentication for one user and not the other (with a login class). Well, the sshd privilege separation is then disabled, I guess this is more or less a security problem (I'm not an expert)?!

Running a second sshd instance with a second sshd_config file is a good idea but... the problem is:
"ListenAddress"
The second NIC connects with PPPoE via DSL to the provider and never has the same IP address.

Perhaps the creators of sshd could add a "ListenInterface" feature, so it might be possible to have:
"ListenInterface=tun0" for example

Perhaps you have an idea how I can handle this problem?

Many thanks
Didier

----- Original Message -----
From: Stefan Kell <skba.opbsd@gmx.de>
Date: Tuesday, February 1, 2005 8:20 pm
Subject: Re: Sshd skey authentication forced if outside lan

> Hi,
> 
> as far as I know this is practically not possible: there is simply no
> option for sshd to accomplish this (see man sshd_config). It might be
> possible if you are using sshd-option "UseLogin" but this disables
> X-Forwarding and has other implications and should not be used.
> 
> It might be better to force public-key authentication on the outside
> interface of the firewall. This can easily be done with two
> sshd-processes with different configurations.
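
Added example (not part of either message and not code from the OpenSSH project): one way to run the second, public-key-only sshd suggested above on an interface whose address changes is to regenerate that instance's config from the interface's current address each time the link comes up. The `ifconfig` sample, the addresses, the PidFile name and the config path in the comments are constructed assumptions.

```shell
#!/bin/sh
# Added example: render the config for a second, external-only sshd whose
# ListenAddress follows the current address of a dynamic interface (tun0).

# Constructed sample of `ifconfig tun0` output (documentation address ranges).
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
	inet 203.0.113.45 --> 198.51.100.1 netmask 0xffffffff'

# Read ifconfig output on stdin and print the first IPv4 address.
# Exits non-zero when the interface has no address (link down).
iface_ipv4() {
    awk '$1 == "inet" { print $2; found = 1; exit } END { exit !found }'
}

# Accept only a dotted-quad string so nothing else reaches the config file.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the external instance's sshd_config for the given address.
# Fails closed: without a ListenAddress line sshd would bind every address,
# so no config is produced when the address is missing or malformed.
render_config() {
    addr=$1
    if ! is_ipv4 "$addr"; then
        echo "refusing to render config: bad address '$addr'" >&2
        return 1
    fi
    cat <<EOF
# External sshd instance: public-key authentication only
ListenAddress $addr
PidFile /var/run/sshd_ext.pid
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

# Demo on the constructed sample. On a live system (hypothetical path):
#   addr=$(ifconfig tun0 | iface_ipv4) &&
#     render_config "$addr" > /etc/ssh/sshd_config_ext &&
#     sshd -f /etc/ssh/sshd_config_ext
addr=$(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_ipv4) && render_config "$addr"
```

The internal instance keeps its own config with a fixed LAN `ListenAddress`; the external one has to be regenerated and restarted whenever the PPPoE session hands out a new address.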