from= option of authorized keys - SSH



  1. from= option of authorized keys

    What is the syntax, can I use hostnames or more than one IP?
    --
    Due to extreme spam originating from Google Groups, and their inattention
    to spammers, I and many others block all articles originating
    from Google Groups. If you want your postings to be seen by
    more readers you will need to find a different means of
    posting on Usenet.
    http://improve-usenet.org/

  2. Re: from= option of authorized keys

    On 2008-05-19, Ignoramus31588 wrote:
    > What is the syntax, can I use hostnames or more than one IP?


    Yes, you can use multiple ip-addresses, I use this in my authorized_keys file
    to limit logins from these two hosts:

    from="172.20.4.3,172.20.4.2" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAs98tZJEXd1Njhp4xhcw+IV Q4kLUlYmnRb5Nvms590GZiEwnC6NOdQ6ib7ukfgujNP4uSZo8L GeYmmMkwhocYABCsRufRlHirdTJfs+7997yF85yRJ2c9pRQwq5 OnxEqDneKk64bv2xt8w8C8ENAylpjln9HO8TFE1I1dkR1aROM= janfrode@tanso.net



    -jf

  3. Re: from= option of authorized keys

    On May 20, 5:22 pm, Jan-Frode Myklebust wrote:
    > On 2008-05-19, Ignoramus31588 wrote:
    >
    > > What is the syntax, can I use hostnames or more than one IP?

    >
    > Yes, you can use multiple ip-addresses, I use this in my authorized_keys file
    > to limit logins from these two hosts:
    >
    > from="172.20.4.3,172.20.4.2" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAs98tZJEXd1Njhp4xhcw+IV Q4kLUlYmnRb5Nvms590GZiEwnC6NOdQ6ib7ukfgujNP4uSZo8L GeYmmMkwhocYABCsRufRlHirdTJfs+7997yF85yRJ2c9pRQwq5 OnxEqDneKk64bv2xt8w8C8ENAylpjln9HO8TFE1I1dkR1aROM= janfr...@tanso.net
    >
    > -jf


    For further information, you can read through 'man sshd'. If the host
    is not in the from= field, then the server will fall back to password
    authentication.

  4. Re: from= option of authorized keys

    On 2008-05-20, Jan-Frode Myklebust wrote:
    > On 2008-05-19, Ignoramus31588 wrote:
    >> What is the syntax, can I use hostnames or more than one IP?

    >
    > Yes, you can use multiple ip-addresses, I use this in my authorized_keys file
    > to limit logins from these two hosts:
    >
    > from="172.20.4.3,172.20.4.2" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAs98tZJEXd1Njhp4xhcw+IV Q4kLUlYmnRb5Nvms590GZiEwnC6NOdQ6ib7ukfgujNP4uSZo8L GeYmmMkwhocYABCsRufRlHirdTJfs+7997yF85yRJ2c9pRQwq5 OnxEqDneKk64bv2xt8w8C8ENAylpjln9HO8TFE1I1dkR1aROM= janfrode@tanso.net
    >
    >



    Great!

    Can you use subnets and hostnames?

    i.e. "10.*,192.168.*,mydesktop.example.com"


  5. Re: from= option of authorized keys

    On Tue, 20 May 2008 05:26:20 -0700 (PDT) rahul wrote:
    | On May 20, 5:22 pm, Jan-Frode Myklebust wrote:
    |> On 2008-05-19, Ignoramus31588 wrote:
    |>
    |> > What is the syntax, can I use hostnames or more than one IP?
    |>
    |> Yes, you can use multiple ip-addresses, I use this in my authorized_keys file
    |> to limit logins from these two hosts:
    |>
    |> from="172.20.4.3,172.20.4.2" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAs98tZJEXd1Njhp4xhcw+IV Q4kLUlYmnRb5Nvms590GZiEwnC6NOdQ6ib7ukfgujNP4uSZo8L GeYmmMkwhocYABCsRufRlHirdTJfs+7997yF85yRJ2c9pRQwq5 OnxEqDneKk64bv2xt8w8C8ENAylpjln9HO8TFE1I1dkR1aROM= janfr...@tanso.net
    |>
    |> -jf
    |
    | For further information, you can read through 'man sshd'. If the host
    | is not in the from= field, then the server will fall back to password
    | authentication.

    What if there are 2 entries, and the client first tries a key that has a from=
    entry that does not match, and later tries a different key that does match?

    Or, what about 2 identical key entries (same key) that have different from=
    entries? Would that work?

    --
    |WARNING: Due to extreme spam, googlegroups.com is blocked. Due to ignorance |
    | by the abuse department, bellsouth.net is blocked. If you post to |
    | Usenet from these places, find another Usenet provider ASAP. |
    | Phil Howard KA9WGN (email for humans: first name in lower case at ipal.net) |

  6. Re: from= option of authorized keys

    On May 22, 2:23 am, phil-news-nos...@ipal.net wrote:
    > On Tue, 20 May 2008 05:26:20 -0700 (PDT) rahul wrote:
    > | On May 20, 5:22 pm, Jan-Frode Myklebust wrote:
    > |> On 2008-05-19, Ignoramus31588 wrote:
    > |>
    > |> > What is the syntax, can I use hostnames or more than one IP?
    > |>
    > |> Yes, you can use multiple ip-addresses, I use this in my authorized_keys file
    > |> to limit logins from these two hosts:
    > |>
    > |> from="172.20.4.3,172.20.4.2" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAs98tZJEXd1Njhp4xhcw+IV Q4kLUlYmnRb5Nvms590GZiEwnC6NOdQ6ib7ukfgujNP4uSZo8L GeYmmMkwhocYABCsRufRlHirdTJfs+7997yF85yRJ2c9pRQwq5 OnxEqDneKk64bv2xt8w8C8ENAylpjln9HO8TFE1I1dkR1aROM= janfr...@tanso.net
    > |>
    > |> -jf
    > |
    > | For further information, you can read through 'man sshd'. If the host
    > | is not in the from= field, then the server will fall back to password
    > | authentication.
    >
    > What if there are 2 entries, and the client first tries a key that has a from=
    > entry that does not match, and later tries a different key that does match?
    >
    > Or, what about 2 identical key entries (same key) that have different from=
    > entries? Would that work?
    >
    > --
    > |WARNING: Due to extreme spam, googlegroups.com is blocked. Due to ignorance |
    > | by the abuse department, bellsouth.net is blocked. If you post to |
    > | Usenet from these places, find another Usenet provider ASAP. |
    > | Phil Howard KA9WGN (email for humans: first name in lower case at ipal.net) |


    * and ? work as wildcards in the pattern list in the 'from' field.
    They have their usual meanings. Consider:

    from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula

    The negation in !pc.niksula.hut.fi means that if the key comes from
    this host, it should be denied access. Your key begins with 1024
    onwards. The last part is just a comment (ylo@niksula). It does not
    have any functional significance.

    Regarding 2 identical keys having two different from fields, isn't it
    the same thing as the same key having multiple hosts in the from
    field? That means the hosts in the 'from' field can log in with the
    matching keys.

    For authentication to happen, both the from field and the key have to
    match. Otherwise, it will fall back to password authentication. You
    may see it at work if you switch on the verbose option.
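
An added example, not part of any post in this thread and not OpenSSH's own code: a small Python model of the pattern-list rules documented in sshd(8) and ssh_config(5) PATTERNS, run over the patterns quoted above. It goes beyond the thread by also handling the CIDR address/masklen form that sshd(8) documents for from=; the name `from_allows`, the sample client addresses, and the assumption that both the address and the resolved hostname are tried against each pattern are constructed for illustration.

```python
import ipaddress
import re


def _glob(pattern, text):
    """sshd-style glob: only '*' and '?' are special (no [] classes)."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, text) is not None


def from_allows(pattern_list, ip, hostname=None):
    """Return True if a from="pattern_list" option admits this client.

    ip is the client's address; hostname is its resolved name, if the
    server resolves one (assumption: both are tried against each pattern).
    """
    candidates = [ip] + ([hostname.lower()] if hostname else [])
    allowed = False
    for raw in pattern_list.split(","):
        raw = raw.strip()
        negated = raw.startswith("!")
        pat = raw[1:] if negated else raw
        if not pat:
            continue
        if "/" in pat:  # CIDR address/masklen, matched against the IP only
            try:
                hit = ipaddress.ip_address(ip) in ipaddress.ip_network(pat)
            except ValueError:
                return False  # malformed CIDR: fail closed
        else:
            hit = any(_glob(pat.lower(), c) for c in candidates)
        if hit and negated:
            return False  # a negated match always overrides
        allowed = allowed or hit
    return allowed  # negations alone never produce a positive result


if __name__ == "__main__":
    checks = [  # constructed sample clients against the thread's patterns
        ("172.20.4.3,172.20.4.2", "172.20.4.2", None),
        ("10.*,192.168.*,mydesktop.example.com", "203.0.113.5", "mydesktop.example.com"),
        ("*.niksula.hut.fi,!pc.niksula.hut.fi", "192.0.2.10", "pc.niksula.hut.fi"),
        ("192.168.1*", "192.168.10.5", None),      # glob is a string match
        ("192.168.1.0/24", "192.168.10.5", None),  # CIDR is an address match
    ]
    for patterns, ip, host in checks:
        print(f"{patterns!r:45} {ip:15} {host or '-':25} {from_allows(patterns, ip, host)}")
```

The last two rows show why CIDR is the tighter way to express a subnet: the glob `192.168.1*` is a string match and also admits 192.168.10.5, while `192.168.1.0/24` does not.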

