Is it possible to have 2 ports open on SSH with 2 different authentication schemes?
So, it turns out the answer was actually way, way simpler than I thought it would be.
I do, however, have to thank '@jeff schaller' for his comments; if it hadn't been for him I wouldn't have started looking into how the SSH 'Match' configuration works.
Anyway
The trick is to set your /etc/ssh/sshd_config file up as default to be the configuration you would like to have for the access coming in from the external internet connection.
In my case, this meant setting the following:
PermitRootLogin no
PasswordAuthentication no
UsePAM no
By doing this, I'm forcing ALL logins no matter where they come from to need to be key based logins using an SSH key.
I then on the Windows machines used 'PuTTYgen' to generate a public/private key pair which I saved to disk, and an appropriate ssh entry for my "authorized_hosts" file in the external user's home directory.
I pasted this ssh key into the correct place in my user's home folder, then set PuTTY up to use the private (ppk) file generated by PuTTYgen for login and saved the profile.
I then saved the profile, and sent that and the ppk key file to the external user using a secure method (encrypted email with a password-protected zip file attached).
Once the user had the ppk and profile in their copy of PuTTY and could log in, I then added the following as the last 2 lines of my sshd_config file:
Match Host server1,server1.internalnet.local,1.2.3.4
PasswordAuthentication yes
In the "Match" line I've changed the server names to protect the names of my own servers.
Note each server domain is separated by a comma and NO SPACES; this is important. If you put any spaces in, it causes SSHD to not load the config and report an error. The 3 matches I have in there do the following:
server1 - matches on anyone using just 'server1' with no domain to connect, e.g. 'fred@server1'
server1.internalnet.local - matches on anyone using the fully qualified internal domain name, e.g. '[email protected]' (NOTE: you will need an internal DNS to make this work correctly)
1.2.3.4 - matches on the specific IP address assigned to the SSH server, e.g. '[email protected]'. This can use wild cards, or even better net/mask CIDR format, e.g. 1.2.* or 192.168.1.0/8. If you do use wild cards, however, please read fchurca's answer below for some important notes.
If any of the patterns provided match the host being accessed, then the one and only single change to be made to the running config is to turn back on the ability to have an interactive password login.
You can also put other config directives in here too, and those directives will also be turned back on for internal hosts listed in the match list.
Do, however, read this:
https://man.openbsd.org/OpenBSD-current/man5/ssh_config.5
carefully, as not every configuration option is allowed to be used inside a Match block. I found this out when I tried "UsePAM yes" to turn PAM authentication back on, only to be told squarely that wasn't allowed.
Once you've made your changes, type
sshd -T
followed by return to test them before attempting to restart the server; it'll report any errors you have.
In addition to everything above, I got a lot of help from the following two links too:
https://raymii.org/s/tutorials/Limit_access_to_openssh_features_with_the_Match_keyword.html
https://www.cyberciti.biz/faq/match-address-sshd_config-allow-root-loginfrom-one_ip_address-on-linux-unix/
1.2.* - matches on anyone in the local net using any address assigned to the SSH server that's in the 16-bit net mask for the server, e.g. '[email protected]'
Careful! Pattern matching in .ssh/config is based on string globbing, not necessarily IP addresses. According to the same manpage you are reading:
PATTERNS
A pattern consists of zero or more non-whitespace characters, ‘*’ (a wildcard that matches zero or more characters), or ‘?’ (a wildcard that matches exactly one character). For example, to specify a set of declarations for any host in the “.co.uk” set of domains, the following pattern could be used:
Host *.co.uk
The following pattern would match any host in the 192.168.0.[0-9] network range:
Host 192.168.0.?
If somebody tries to login from an IP that publicly reverse-resolves to 1.2.badguy.com, it will match your 1.2.* rule.
https://man.openbsd.org/OpenBSD-current/man5/ssh_config.5#PATTERNS
[Updated for completeness]
As noted elsewhere, you can use Match Address 1.2.0.0/16 instead of Match Host 1.2.*
[/Update]
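To make the difference between the two answers concrete, here is an added example (my own code, not from either answer or from OpenSSH) that reimplements sshd's pattern-list matching for Match Host (string globbing with '*', '?' and '!' negation) beside Match Address (CIDR entries compared numerically), and a check for the "no spaces in the list" rule from the first answer. The hostnames and addresses fed in (1.2.badguy.com, 1.2.3.4, server1.internalnet.local) are constructed test values taken from the discussion above.

```python
"""Model of sshd_config 'Match Host' vs 'Match Address' evaluation (added example)."""
import ipaddress
import re


def _glob_match(pattern: str, value: str) -> bool:
    # OpenSSH pattern syntax: '*' matches any run of characters, '?' exactly one;
    # everything else is literal (no [] character classes).
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _pattern_list_match(pattern_list: str, value: str) -> bool:
    """Comma-separated list; a matching '!'-prefixed entry rejects immediately."""
    matched = False
    for entry in pattern_list.split(","):
        negate = entry.startswith("!")
        if _glob_match(entry.lstrip("!"), value):
            if negate:
                return False
            matched = True
    return matched


def match_host(pattern_list: str, hostname: str) -> bool:
    """Match Host: globs tested against the reverse-resolved name of the connecting client."""
    return _pattern_list_match(pattern_list, hostname)


def match_address(pattern_list: str, addr: str) -> bool:
    """Match Address: CIDR entries are compared numerically, other entries as globs."""
    ip = ipaddress.ip_address(addr)
    for entry in pattern_list.split(","):
        if "/" in entry:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        elif _glob_match(entry, addr):
            return True
    return False


def check_pattern_list(pattern_list: str) -> list:
    """Return entries sshd would reject: empty entries or ones containing whitespace."""
    return [e for e in pattern_list.split(",") if not e or e != e.strip()]
```

Running match_host("1.2.*", "1.2.badguy.com") returns True, which is the surprise fchurca describes, while match_address("1.2.0.0/16", ...) only accepts addresses that are numerically inside the block.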