限制 ssh 从某些 IP 登录( authorized_keys )

发布时间:2020-08-10 23:09:12 作者:perfychi
来源:ITPUB博客 阅读:225

Restricting SSH logins to particular IP addresses

Posted by Steve on Mon 28 Jan 2013 at 23:37

Tags: openssh, ssh

Many people use SSH keys for password-less logins, and the increase in security that keys provide over (traditionally weaker) passwords. But few people seem to realize that you can also restrict logins to known-good IP addresses, via that same mechanism.

It has to be said that if you've got root access upon a server one way to restrict people connecting to your machine is to use a firewall. The venerable iptables firewall primitive makes this easy.

However you can usefully use IP address restrictions even in combination with a firewall, for example you might wish to allow your users to login from within your network, but only allow an auto-build user to login from a remote jenkins server - to clone some source code, for example.

The basic mechanism is straight-forward enough, rather than just storing the public-part of a key to your users ~/.ssh/authorized_keys file you also store some configuration entries.

To restrict the user bob to remote logins from the single IP address 1.2.3.4 you would use this in the ~bob/.ssh/authorized_keys file:

from="1.2.3.4" ssh-rsa  ....

Here we've added the "from="1.2.3.4"" section, prior to the key for the user. This is just one of the options you can add, and the quoted value is a list of comma-separated hosts from which the login will be allowed.

If you wished to allow logins from several sources you could use something like this:

from="1.2.3.0/24,44.55.66.77" ssh-rsa ...

In addition to the IP-address restrictions you can configure several other things, such as denying the use of agent-forwarding, denying the use of port-forwards, & etc.

The other options are comma-separated too, and are documented in the manpage for sshd, under the section "AUTHORIZED_KEYS FILE FORMAT". As a good example of a secure login this is a good start:

from="1.2.3.4",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa ...

This disables the use of agent-forwarding, port-forwarding, etc. whilst still allowing interactive logins. If you were using SSH for special-purpose logins you could restrict things further, by denying interactive login-shells and forcing the execution of a particular command:

command="/usr/local/bin/my-prog" ssh-rsa ..

This is useful for remote backups carried out via rsync + ssh, as it can ensure that your remote user can only execute the expected command - and not anything else.

Add Comment 限制 ssh 从某些 IP 登录( authorized_keys )
推荐阅读:
  1. C#获取本机信息(本机名称,系统版本号,联网状态,IP地址)
  2. localhost:8080 自动变成了 IP 地址

免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。

ip authorized keys

上一篇:AI助力环保遥感监测,强大算力很关键

下一篇:邮件服务系列之三实现postfix+dovecot+sasl

相关阅读

您好,登录后才能下订单哦!

密码登录
登录注册
其他方式登录
点击 登录注册 即表示同意《亿速云用户服务条款》