Disabling SSH password authentication for tunneled (intranet-penetration) connections
Background
A device on the internal network is logged into over SSH using password authentication.
When port 22 is forwarded through an intranet-penetration tunnel and exposed to the public Internet, password authentication should be turned off for that path.
External connections are allowed key authentication only, which improves security.
The requirement therefore becomes: force sshd to require key authentication for connections coming from a particular IP.
Solution
Consulting man sshd_config shows that the Match keyword satisfies this requirement:
Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following
lines override those set in the global section of the config file, until either another Match line or the end of the
file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.
The arguments to Match are one or more criteria-pattern pairs or the single token All which matches all criteria.
The available criteria are User, Group, Host, LocalAddress, LocalPort, RDomain, and Address (with RDomain
representing the rdomain(4) on which the connection was received).
The available criteria are User, Group, Host, LocalAddress, LocalPort, RDomain and Address.
So the configuration can be written as follows:
# Global settings
…
PasswordAuthentication yes
…
# Settings that override the global settings for matching IP addresses only
Match address 127.0.0.1
PasswordAuthentication no
Reload the service for the change to take effect: sudo service ssh reload
An extra safeguard
To limit its privileges, we want this key to be usable only for logging in through the tunnel, not for local authentication.
Going further, the from option in authorized_keys should also be used to restrict where the key may be used from:
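As an added example (not the post's own code), a small Python model of how sshd resolves a keyword under Match Address blocks, run over a constructed config like the one above; it supports only the Address criterion (exact IPs, CIDRs and "!" negation), so on a real host the authoritative check remains sshd -T -C addr=<client-ip>.

```python
"""Model of sshd_config 'Match Address' resolution: global defaults apply
unless a satisfied Match block sets the keyword; the first satisfied block
wins. Added example, not OpenSSH code; only the Address criterion is handled."""
import ipaddress

# Constructed sshd_config fragment: the post's loopback block, extended with
# negation and a second block to show first-match-wins behaviour.
SSHD_CONFIG = """\
# Global settings
PasswordAuthentication yes
PubkeyAuthentication yes
# Tunnel traffic arrives on loopback: keys only
Match address 127.0.0.1,!10.0.0.5,10.0.0.0/8
    PasswordAuthentication no
Match address 10.0.0.0/8
    PasswordAuthentication yes
"""


def addr_matches(pattern_list, client_ip):
    """True if client_ip matches the comma-separated address list.
    A '!' entry that matches vetoes the whole list (sshd semantics)."""
    ip = ipaddress.ip_address(client_ip)
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        net = ipaddress.ip_network(pat.lstrip("!"), strict=False)
        if ip in net:
            return not negated
    return False


def effective_value(config, keyword, client_ip):
    """Effective value of `keyword` for a connection from client_ip."""
    global_value, block_value = None, None
    in_global, block_active = True, False
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key.lower() == "match":
            in_global = False
            crit, _, patterns = rest.strip().partition(" ")
            if crit.lower() != "address":
                raise ValueError(f"unsupported Match criterion: {crit}")
            block_active = addr_matches(patterns.strip(), client_ip)
        elif key.lower() != keyword.lower():
            continue
        elif in_global:
            global_value = rest.strip()
        elif block_active and block_value is None:
            block_value = rest.strip()   # first satisfied block wins
    return block_value if block_value is not None else global_value
```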
The purpose of this option is to optionally increase security: public key authentication by itself does not
trust the network or name servers or anything (but the key); however, if somebody somehow steals the key, the
key permits an intruder to log in from anywhere in the world. This additional option makes using a stolen
key more difficult (name servers and/or routers would have to be compromised in addition to just the key).
Modify the key entry as follows:
from="127.0.0.1" ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT comment
References
configuration - How can I allow SSH password authentication from only certain IP addresses? - Ask Ubuntu
How to restrict an SSH key to certain IP addresses? - Unix & Linux Stack Exchange