Restricting SSH logins to particular IP addresses
Posted by Steve on Mon 28 Jan 2013 at 23:37
Many people use SSH keys for password-less logins, and the increase in security that keys provide over (traditionally weaker) passwords. But few people seem to realize that you can also restrict logins to known-good IP addresses, via that same mechanism.
It has to be said that if you've got root access upon a server one way to restrict people connecting to your machine is to use a firewall. The venerable iptables firewall primitive makes this easy.
However you can usefully use IP address restrictions even in combination with a firewall, for example you might wish to allow your users to login from within your network, but only allow an auto-build user to login from a remote jenkins server - to clone some source code, for example.
The basic mechanism is straight-forward enough, rather than just storing the public-part of a key to your users ~/.ssh/authorized_keys file you also store some configuration entries.
To restrict the user bob to remote logins from the single IP address 1.2.3.4 you would use this in the ~bob/.ssh/authorized_keys file:
from="1.2.3.4" ssh-rsa ....
Here we've added the "from="1.2.3.4"" section, prior to the key for the user. This is just one of the options you can add, and the quoted value is a list of comma-separated hosts from which the login will be allowed.
If you wished to allow logins from several sources you could use something like this:
from="1.2.3.0/24,44.55.66.77" ssh-rsa ...
In addition to the IP-address restrictions you can configure several other things, such as denying the use of agent-forwarding, denying the use of port-forwards, & etc.
The other options are comma-separated too, and are documented in the manpage for sshd, under the section "AUTHORIZED_KEYS FILE FORMAT". As a good example of a secure login this is a good start:
from="1.2.3.4",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa ...
This disables the use of agent-forwarding, port-forwarding, etc. whilst still allowing interactive logins. If you were using SSH for special-purpose logins you could restrict things further, by denying interactive login-shells and forcing the execution of a particular command:
command="/usr/local/bin/my-prog" ssh-rsa ..
This is useful for remote backups carried out via rsync + ssh, as it can ensure that your remote user can only execute the expected command - and not anything else.
To restrict the user bob to remote logins from the single IP address 1.2.3.4 you would use this in the ~bob/.ssh/authorized_keys file:
Please note that the user will be able to remove this restriction (since he is able to edit his authorized_keys file).
So this doesn't really restrict a user to logins from a single IP address.
Instead, it allows a user to restrict remote logins to his account to a single IP address.
That may be an important difference.
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
i guess i will have to try it!
I like the idea of restricting the SSH account, you could do this for a transactionsal account that runs a batch job like rsync or backup....
[ Parent | Reply to this comment ]
www.markus-gattol.name/ws/ssh.html#allow_users_groups
www.markus-gattol.name/ws/ssh.html#~/.ssh/authorized_keys
[ Parent | Reply to this comment ]