Restricting SSH logins to particular IP addresses

Posted by Steve on Mon 28 Jan 2013 at 23:37


Many people use SSH keys for password-less logins, and for the increase in security that keys provide over (traditionally weaker) passwords. But few people seem to realize that you can also restrict logins to known-good IP addresses via that same mechanism.

It has to be said that if you've got root access on a server, one way to restrict who can connect to your machine is to use a firewall. The venerable iptables firewall makes this easy.

However, IP address restrictions on keys are useful even in combination with a firewall. For example, you might wish to allow your users to log in from anywhere within your network, but only allow an auto-build user to log in from a remote Jenkins server, to clone some source code.

The basic mechanism is straightforward enough: rather than just storing the public part of a key in your user's ~/.ssh/authorized_keys file, you also store some configuration options in front of it.

To restrict the user bob to remote logins from the single IP address 1.2.3.4 you would use this in the ~bob/.ssh/authorized_keys file:

from="1.2.3.4" ssh-rsa  ....

Here we've added the from="1.2.3.4" option before the user's key. This is just one of the options you can add, and the quoted value is a comma-separated list of hosts from which the login will be allowed.

If you wished to allow logins from several sources you could use something like this:

from="1.2.3.0/24,44.55.66.77" ssh-rsa ...

In addition to the IP address restrictions you can configure several other things, such as denying the use of agent-forwarding, denying the use of port-forwards, and so on.

The other options are comma-separated too, and are documented in the manpage for sshd(8), under the section "AUTHORIZED_KEYS FILE FORMAT". As an example of a more locked-down login, this is a good start:

from="1.2.3.4",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa ...

This disables the use of agent-forwarding, port-forwarding, etc. whilst still allowing interactive logins. If you were using SSH for special-purpose logins you could restrict things further, by denying interactive login-shells and forcing the execution of a particular command:

command="/usr/local/bin/my-prog" ssh-rsa ..

This is useful for remote backups carried out via rsync + ssh, as it can ensure that your remote user can only execute the expected command - and not anything else.
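The options above are easy to get subtly wrong (a from= value containing commas must stay inside its quotes, and a negated pattern in the list never grants access on its own). The following Python script is an added example and not part of the article: it parses authorized_keys entries with the from=, no-*-forwarding and command= options, evaluates a from= list against a connecting address using the same pattern-list rules sshd applies to IP addresses (CIDR blocks, exact addresses, * and ? wildcards, "!" negation), and reports which keys carry no source restriction or still permit forwarding. The sample file, key data and comments are constructed; OpenSSH's "restrict" option (which disables all forwarding at once) is accepted as equivalent to the three no-*-forwarding options. Hostname patterns are matched against the address string only; sshd additionally tries the reverse-resolved hostname, which this example does not do.

```python
"""Parse and audit authorized_keys entries that use from=, no-*-forwarding
and command=.  Added example, not the article's code; sample data below is
constructed and the key blobs are not real keys."""
import ipaddress
import re

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
# The three forwarding restrictions the article recommends; OpenSSH's later
# "restrict" option switches all of them off at once.
FORWARDING_OPTS = {"no-agent-forwarding", "no-port-forwarding", "no-X11-forwarding"}


def parse_entry(line):
    """Split one authorized_keys line into (options, keytype, keydata, comment).

    Returns None for blank and '#' lines.  Options are comma-separated, and a
    double-quoted value may itself contain commas (from="a,b"), so the split
    tracks quoting.  Valueless options such as no-pty map to True.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = {}, line
    if not line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        tokens, buf, in_quote, i = [], [], False, 0
        while i < len(line):
            c = line[i]
            if c == "\\" and in_quote and i + 1 < len(line):
                buf.append(line[i + 1])       # backslash-escaped character inside quotes
                i += 2
                continue
            if c == '"':
                in_quote = not in_quote       # quotes delimit; they are not part of the value
            elif c == "," and not in_quote:
                tokens.append("".join(buf))
                buf = []
            elif c.isspace() and not in_quote:
                break                         # first unquoted whitespace ends the options field
            else:
                buf.append(c)
            i += 1
        tokens.append("".join(buf))
        rest = line[i:].strip()
        for tok in tokens:
            if tok:
                name, sep, value = tok.partition("=")
                options[name] = value if sep else True
    parts = rest.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError(f"malformed authorized_keys entry: {line!r}")
    return options, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")


def _pattern_matches(pattern, addr):
    """One from= pattern: CIDR block, exact address, or a '*'/'?' wildcard."""
    if "/" in pattern:
        try:
            return addr in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, str(addr)) is not None


def source_allowed(options, client_ip):
    """Decide whether a client at client_ip passes the entry's from= list.

    Follows sshd's pattern-list rules: a matching negated pattern ("!x")
    denies immediately, and a negated pattern never grants on its own, so at
    least one positive pattern must match.  No from= means any source.
    """
    if "from" not in options:
        return True
    addr = ipaddress.ip_address(client_ip)
    got_positive = False
    for pat in filter(None, (p.strip() for p in options["from"].split(","))):
        negate = pat.startswith("!")
        if _pattern_matches(pat[1:] if negate else pat, addr):
            if negate:
                return False
            got_positive = True
    return got_positive


def audit(lines):
    """Return [(line_no, comment, findings)] for every key; findings is empty
    when the entry has a from= list and all forwarding is disabled."""
    report = []
    for n, line in enumerate(lines, 1):
        parsed = parse_entry(line)
        if parsed is None:
            continue
        options, _, _, comment = parsed
        findings = []
        if "from" not in options:
            findings.append("no from= source restriction")
        if "restrict" not in options:
            findings.extend(f"{opt} not set" for opt in sorted(FORWARDING_OPTS - set(options)))
        report.append((n, comment, findings))
    return report


# Constructed sample file (not real keys) showing the forms used in the article.
SAMPLE = """\
# authorized_keys for a shared host
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0 alice@laptop
from="1.2.3.4",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA bob@desk
from="1.2.3.0/24,44.55.66.77,!1.2.3.99" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1 carol@lan
command="/usr/local/bin/my-prog",from="10.0.0.*",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB autobuild@jenkins
"""

if __name__ == "__main__":
    for line_no, comment, findings in audit(SAMPLE.splitlines()):
        print(f"line {line_no} ({comment}): {'OK' if not findings else '; '.join(findings)}")
```

Run it against a real file with `audit(open(path).read().splitlines())`; the entries for alice and carol are the ones a reviewer would flag, since alice's key accepts any source and carol's still allows forwarding, while bob's and the build user's entries pass.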

Posted by Anonymous (172.22.xx.xx) on Tue 29 Jan 2013 at 08:21
In this regard I think those two links might be of interest to people as they show you how to even specify a username along an IP address, or how to specify/deny a certain domain:

www.markus-gattol.name/ws/ssh.html#allow_users_groups
www.markus-gattol.name/ws/ssh.html#~/.ssh/authorized_keys


Posted by Anonymous (87.165.xx.xx) on Wed 20 Feb 2013 at 14:31

To restrict the user bob to remote logins from the single IP address 1.2.3.4 you would use this in the ~bob/.ssh/authorized_keys file:

Please note that the user will be able to remove this restriction (since he is able to edit his authorized_keys file).

So this doesn't really restrict a user to logins from a single IP address.

Instead, it allows a user to restrict remote logins to his account to a single IP address.

That may be an important difference.


Posted by Anonymous (92.118.xx.xx) on Sat 2 Mar 2013 at 06:39
That's not true. You can chmod the file and just let the user have read permissions. If he doesn't have root access there's nothing he can do about it. If he does, there's no point in wanting to restrict him.


Posted by Anonymous (10.142.xx.xx) on Mon 8 Apr 2013 at 18:34
Would this work for a DNS name that it could resolve? e.g. could you put myserver.dyndns.org?
I guess I will have to try it!
I like the idea of restricting the SSH account, you could do this for a transactional account that runs a batch job like rsync or backup....


Posted by Anonymous (190.128.xx.xx) on Mon 25 Aug 2014 at 21:02
The user can delete the file and create another file without restrictions.
