仅对远程用户禁用密码验证

从sshd_config(5)手册页：

 Match   Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another
         Match line or the end of the file.

         The arguments to Match are one or more criteria-pattern pairs.  The available criteria are User, Group, Host, LocalAddress, LocalPort, and Address.  The match patterns may consist of single entries or comma-
         separated lists and may use the wildcard and negation operators described in the PATTERNS section of ssh_config(5).

         The patterns in an Address criteria may additionally contain addresses to match in CIDR address/masklen format, e.g. “192.0.2.0/24” or “3ffe:ffff::/32”.  Note that the mask length provided must be consistent
         with the address - it is an error to specify a mask length that is too long for the address or one with bits set in this host portion of the address.  For example, “192.0.2.0/33” and “192.0.2.0/8” respectively.

这意味着，假设 10.0.0.0/24 是您的 LAN，您可以PasswordAuthentication在主配置中禁用，Match如下所示：

    ....
    PasswordAuthentication No
    ....
Match Address 10.0.0.0/24
    PasswordAuthentication Yes

您可以将所有远程用户放入本地（附加）组 ex。'remoteusr' 并禁止在 'sshd_config' 中使用密码登录

Match Group remoteusr
      PasswordAuthentication no

我以前见过的一个选项是运行两个从单独的配置文件读取的 sshd 实例。您的默认设置会侦听正常的 SSH 流量，并根据需要进行安全配置。

第二个实例是您的“后门”，它只侦听单独的端口或单独的 IP，可能使用适当的防火墙规则来防止来自网络外部的访问。它的配置不同；也许允许密码验证，也许允许访问主帐户中不允许的帐户，等等。