Our Lady of Sleeping Through It
When switching my server to public-key-only SSH login, I realized this would break one use case: using my firewall as a jump box while at work. The previous way to log in to my server from work was to:
· SSH into my firewall (TCP 22 is only exposed externally to 2 static work IPs).
· SSH into the server from the firewall.
I didn't want to install WireGuard on the laptop, nor do I have GlobalProtect set up yet on my PA-220 at home, so I appeared to be SCREWED. [1]
Or was I?
OpenSSH's sshd lets you put a Match block in sshd_config that applies settings only to connections meeting certain criteria, such as a particular user or source IP address. So I ended up enabling PAM and disabling password login except from my firewall's management IP.
# /etc/ssh/sshd_config: global default first, Match blocks after every global setting
PasswordAuthentication no
Match Address 10.0.99.94/32
    PasswordAuthentication yes
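The easy way to get this wrong is to misjudge which block sshd actually applies: a Match block swallows every line after it until the next Match, and when several blocks match the same client, the first one that sets a keyword wins. The script below is an added example, not anything from the original post: it replays those sshd_config(5) rules over a constructed sample config (global key-only policy, a Match exception for the firewall's management IP, and a second, broader block that must lose) and reports the PasswordAuthentication value a given client would get. Only Address and User criteria are modelled, and address patterns are plain IP/CIDR lists; sshd's negated entries and hostname wildcards are left out.

```python
"""Replay sshd_config Match semantics to see which PasswordAuthentication
value a client would get.

Rules mirrored from sshd_config(5): for every keyword the first obtained
value wins; a Match block extends from its Match line to the next Match
line or end of file; a matching block overrides the global section; and
when several blocks match, the first block that sets a keyword wins.
"""
import ipaddress
import shlex

# Constructed sample config for this example (not the author's file).
SAMPLE_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM yes

Match Address 10.0.99.94/32
    PasswordAuthentication yes

# This broader block also matches the firewall but comes later, so it loses.
Match Address 10.0.99.0/24
    PasswordAuthentication no
"""


def parse_config(text):
    """Split a config into global options and an ordered list of Match blocks."""
    global_opts = {}
    blocks = []        # list of (criteria dict, options dict), in file order
    current = None     # None while still inside the global section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = shlex.split(line)
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            if args and args[0].lower() == "all":
                criteria = {}                       # "Match all" has no criteria
            elif len(args) % 2:
                raise ValueError(f"malformed Match line: {line}")
            else:
                # Criteria come in pairs: "Address 10.0.0.0/8 User thom"
                criteria = {args[i].lower(): args[i + 1] for i in range(0, len(args), 2)}
            current = (criteria, {})
            blocks.append(current)
            continue
        target = global_opts if current is None else current[1]
        target.setdefault(keyword, " ".join(args))  # first obtained value wins
    return global_opts, blocks


def address_matches(pattern, addr):
    """True if the client IP falls in any entry of a comma-separated IP/CIDR list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(entry, strict=False)
               for entry in pattern.split(","))


def block_matches(criteria, conn):
    """Every criterion on the Match line must hold for the block to apply."""
    for key, pattern in criteria.items():
        if key == "address":
            if not address_matches(pattern, conn["addr"]):
                return False
        elif key == "user":
            if conn.get("user") not in pattern.split(","):
                return False
        else:
            raise ValueError(f"criterion not modelled in this example: {key}")
    return True


def effective_value(config_text, keyword, conn):
    """Return the value sshd would use for `keyword` on connection `conn`."""
    global_opts, blocks = parse_config(config_text)
    keyword = keyword.lower()
    for criteria, opts in blocks:
        if block_matches(criteria, conn) and keyword in opts:
            return opts[keyword]            # first matching block that sets it
    return global_opts.get(keyword)         # otherwise the global setting


if __name__ == "__main__":
    for client in ("10.0.99.94", "10.0.99.77", "203.0.113.10"):
        val = effective_value(SAMPLE_CONFIG, "PasswordAuthentication",
                              {"addr": client, "user": "thom"})
        print(f"{client:>14}: PasswordAuthentication {val}")
```

On the real box the same check is one command away: `sshd -T -C user=thom,host=fw,addr=10.0.99.94 | grep -i passwordauthentication` dumps the effective setting for that connection, and running it again with an outside address confirms the global `no` still holds there.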
Run sshd -t first to catch typos, then one sudo systemctl restart sshd (the unit is called ssh on Debian and Ubuntu) later, et voilà, we have access again. Two caveats worth knowing: everything after a Match line belongs to that block, so the Match block has to sit below every global setting; and with UsePAM yes, keep KbdInteractiveAuthentication no (ChallengeResponseAuthentication in older releases) in the global section, otherwise PAM can still accept a password over keyboard-interactive from any address.
Fin
[1] Hey Thom, why the fuck are you even SSH'ing into your server from your work computer? Isn't that a certified Reddit moment? Yeah, it is.