Archive for January 2014

Another way to limit SSH key access to a specific IP

There are a couple ways to limit where users can and cannot use SSH keys for quick access to systems. The most common I have found is to put access requirements in the sshd_config file. While this is a great method, and has quite a few ways to customize it. What if you only want to limit access for one user? Or maybe you don’t have root/sudo access on the machine and you want to limit your own account. Well, these might be the best examples, but here is another nifty way to limit access with SSH keys. Please note that this will only block access with the key, but will still allow you to provide a password!

Lets get started. I’m going to assume you already have generated your key and used ssh-copy-id to get it to your remote host. SSH into your remote host and open your user’s authorized_keys file. This is usually in ~/.ssh/. You are going to see something like this.

ssh-rsa AAAAB3Nza...LiPk== user@host

Simply add from=”host” in front of it and you are set! Seriously, it is that easy.

from="" ssh-rsa AAAAB3Nza...LiPk== user@host

The best part here is you don’t need to do anything for the changes to take effect. No restarting sshd or even logging out of the machine! It just works right away.

You can add other options in authorized_keys and not just limit by IP. What if your IP changes? Maybe you are always in a particular domain range somewhere, perhaps you want to force a VPN connection before allowing SSH (I’m just throwing out ideas here). I use it for my backup system. I allow root access only from that one machine and otherwise you can’t login via root at all. I only allow the one key and no password. So right there is a good use.

To see more options and additional syntax, open a terminal and type “man authorized_keys” and scroll down to the section titled Authorized_keys File Format. There is a lot of good information there.