Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

ssh key from field

Posted on 2011-02-17
5
Medium Priority
?
375 Views
Last Modified: 2012-05-11
In authorized key, if we put from option, only the listed host can come to this host. Even if we put the private key in different location, only
host1, host2 and host3 can come from my example? Is this host based access control?

from="list"
    The sshd server can globally limit which hosts can connect to this machine by using TCP Wrappers, but cannot act on a host-user level. Using the from option, you can allow a given identity to be used only from specific hosts. Hosts are separated by commas, may contain wildcards "*" and "?", or may disallow hosts that are prefixed with "!". As an example, you may have

      from="host1.my_isp.net,host2,host3example.com"
0
Comment
Question by:mokkan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 

Author Comment

by:mokkan
ID: 34916476
Also, do we need to do anything with tcp_wrapper?
0
 
LVL 80

Accepted Solution

by:
arnold earned 2000 total points
ID: 34916724
tcp_wrapper will reject the connection.
The from="" entry deals with whether the keys can be used depending on the from="" rule.
http://www.manpagez.com/man/5/ssh_config/
It might rely on the setting within sshd_config for VerifyHostKeyDNS
If the key can not be applied/provided the interactive login will be the fallthrough position.
0
 

Author Comment

by:mokkan
ID: 34916823
Does this from field  option work with tcp_wrapper functionality ?
0
 
LVL 80

Assisted Solution

by:arnold
arnold earned 2000 total points
ID: 34917112
The two are two separate things.
tcp_wrappers are used by sshd based on the /etc/hosts.deny /etc/hosts.allow list for the various application on whether the connection should be accepted or rejected.
i.e. you have hosts.deny SSHD: 192.168.12.5
if a user on system 192.168.12.5 tries to ssh to the system, the connection will be refused by sshd.

the from= line within the authorized_keys* seems to deal with whether publickey authentication is permitted from this location.
i.e. lets say all your users have a company laptop and their ssh identity keys are stored on servers for quick logins. The users do not have/know their passwords. You add this entry to prevent the users from accessing the systems when they are outside the LAN.
from="!on_LAN"
0
 

Author Closing Comment

by:mokkan
ID: 35062907
thank you
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SSH (Secure Shell) - Tips and Tricks As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sen…
Linux users are sometimes dumbfounded by the severe lack of documentation on a topic. Sometimes, the documentation is copious, but other times, you end up with some obscure "it varies depending on your distribution" over and over when searching for …
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question