Restricting SSH Authentication to the Local Network Using Match in OpenSSH (Ubuntu)
Starting with OpenSSH 6.5, the Match keyword in sshd_config allows more flexible and simpler SSH configuration. For example, you can disable all authentication methods by default and selectively enable them for specific IP ranges (e.g., a local network like 192.168.1.*). You can also restrict access to certain users. It’s best practice to place these custom rules in separate files under /etc/ssh/sshd_config.d/ to avoid conflicts during package updates.

✅ 1. Disable All SSH Authentication Globally
Edit your SSH daemon config file:
sudo nano /etc/ssh/sshd_config
Add the following lines to disable all authentication by default:
PasswordAuthentication no
PubkeyAuthentication no
✅ 2. Allow Authentication for the Local Network
At the end of the same file, or in a separate config file (recommended), add:
Match Address 192.168.1.*
    PubkeyAuthentication yes
    AllowUsers yourusername
Replace 192.168.1.* with your local subnet and yourusername with your actual username.
✅ 3. (Recommended) Use a Separate Config File
Create a separate file to keep your config safe during upgrades:
sudo nano /etc/ssh/sshd_config.d/local_network_only.conf
Add the same block:
Match Address 192.168.1.*
    PubkeyAuthentication yes
    AllowUsers yourusername
Then restart SSH:
sudo systemctl restart ssh
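A wrong Match block can lock you out, so it is worth checking the configuration on disk before running the restart above. The script below is an added example, not part of the original article: it uses sshd -t to validate the syntax and sshd -T -C to print the effective settings for a simulated client address; the SSHD_BIN path, the function names and the sample addresses are assumptions.

```shell
#!/usr/bin/env bash
# Added example: check the Match Address policy on disk before restarting sshd.
# Run as root (sshd -T reads the host keys). SSHD_BIN is an assumed path.

run_sshd() { "${SSHD_BIN:-/usr/sbin/sshd}" "$@"; }

# Print the effective value of <keyword> for a simulated connection.
# -T dumps the effective configuration; -C supplies the Match criteria.
effective() {  # usage: effective <keyword> <client-addr> <user>
    run_sshd -T -C "addr=$2,user=$3,host=$2" 2>/dev/null |
        awk -v k="$1" 'tolower($1) == k && !seen++ { print $2 }'
}

# Return 0 only if the syntax is valid and the policy from the article holds:
# key-only logins for <user> from the LAN, and neither password nor key
# logins from any other address.
check_policy() {  # usage: check_policy <lan-addr> <outside-addr> <user>
    cp_rc=0
    run_sshd -t || { echo "FAIL: sshd -t rejected the configuration"; return 1; }
    while read -r cp_kw cp_addr cp_want; do
        cp_got=$(effective "$cp_kw" "$cp_addr" "$3")
        if [ "$cp_got" = "$cp_want" ]; then
            echo "ok:   $cp_kw=$cp_got for $cp_addr"
        else
            echo "FAIL: $cp_kw=${cp_got:-unset} for $cp_addr, expected $cp_want"
            cp_rc=1
        fi
    done <<EOF
pubkeyauthentication $1 yes
passwordauthentication $1 no
allowusers $1 $3
pubkeyauthentication $2 no
passwordauthentication $2 no
EOF
    return "$cp_rc"
}

# Example with constructed addresses:
#   sudo ./check_match.sh 192.168.1.10 203.0.113.7 yourusername
if [ "$#" -eq 3 ]; then check_policy "$@"; fi
```

Keep an existing SSH session open while you restart, so a failed check or an unexpected result can still be corrected.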
🔍 Notes
- You can also match on user, group, or host using Match User, Match Group, etc.
- Use man sshd_config to explore more options and syntax.
- This method enhances security by only allowing SSH from trusted IP ranges.