Restricting SSH logins to particular IP addresses (authorized_keys)
Restricting SSH logins to particular IP addresses
Posted by on Mon 28 Jan 2013 at 23:37
Many people use SSH keys for password-less logins, and for the increase in security that keys provide over (traditionally weaker) passwords. But few people seem to realize that you can also restrict logins to known-good IP addresses via that same mechanism.
It has to be said that if you've got root access on a server, one way to restrict who can connect to your machine is to use a firewall. The venerable iptables firewall makes this easy.
However, you can usefully apply IP address restrictions even in combination with a firewall. For example, you might wish to allow your users to log in from anywhere within your network, but only allow an auto-build user to log in from a remote Jenkins server (to clone some source code, say).
The basic mechanism is straightforward enough: rather than just storing the public part of a key in your user's ~/.ssh/authorized_keys file, you also store some configuration entries in front of it.
To restrict the user bob to remote logins from the single IP address 1.2.3.4 you would use this in the ~bob/.ssh/authorized_keys file:
from="1.2.3.4" ssh-rsa ....
Here we've added the from="1.2.3.4" option in front of the user's key. This is just one of the options you can add, and the quoted value is a comma-separated list of hosts from which the login will be allowed.
If you wished to allow logins from several sources you could use something like this:
from="1.2.3.0/24,44.55.66.77" ssh-rsa ...
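As an added check (example code written for this page, not part of the original article), the following bash script parses an authorized_keys file and reports every key that carries no from= restriction. The option parser tracks quoted values, so an option whose quoted value contains commas or spaces is not mistaken for several options. The sample file is constructed for the example and its key material is placeholder text, not real keys.

```bash
#!/usr/bin/env bash
# Audit an authorized_keys file for keys that lack a from= restriction.
# Example code added for this page; not part of the original article.

# Split the options prefix of one authorized_keys line, printing one option
# per line. Values may be quoted and may contain commas or spaces; a
# backslash-escaped quote inside a quoted value does not end it. Parsing
# stops at the first unquoted whitespace, which separates the options from
# the key type.
split_options() {
  local s=$1 c cur="" inq=0 i=0
  while (( i < ${#s} )); do
    c=${s:i:1}
    if (( inq )); then
      if [[ $c == '\' ]]; then          # keep the escaped character verbatim
        cur+=$c${s:i+1:1}
        i=$((i + 2))
        continue
      fi
      [[ $c == '"' ]] && inq=0
      cur+=$c
    else
      case $c in
        '"') inq=1; cur+=$c ;;
        ',') printf '%s\n' "$cur"; cur="" ;;
        ' '|$'\t') printf '%s\n' "$cur"; return 0 ;;
        *) cur+=$c ;;
      esac
    fi
    i=$((i + 1))
  done
  printf '%s\n' "$cur"
}

# Print one report line per key (numbered as in the file) and return 1 if
# any key has no from= option. Blank lines and comments are skipped.
audit_authorized_keys() {
  local file=$1 line opt n=0 unrestricted=0 from
  while IFS= read -r line || [[ -n $line ]]; do
    n=$((n + 1))
    [[ -z $line || $line == \#* ]] && continue
    from=""
    # A line that starts directly with a key type carries no options at all.
    if [[ ! $line =~ ^(ssh-|ecdsa-|sk-) ]]; then
      while IFS= read -r opt; do
        if [[ $opt == from=* ]]; then
          from=${opt#from=}; from=${from#\"}; from=${from%\"}
        fi
      done < <(split_options "$line")
    fi
    if [[ -n $from ]]; then
      printf 'line %d: restricted to %s\n' "$n" "$from"
    else
      printf 'line %d: UNRESTRICTED (no from= option)\n' "$n"
      unrestricted=$((unrestricted + 1))
    fi
  done < "$file"
  (( unrestricted == 0 ))
}

# Constructed sample file: placeholder key data, not real keys.
SAMPLE_KEYS='# bob may log in from one address only
from="1.2.3.4",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3PLACEHOLDER bob@laptop
command="/usr/local/bin/my-prog --mode=rsync,quiet",no-pty ssh-ed25519 AAAAC3PLACEHOLDER build@jenkins
ssh-ed25519 AAAAC3PLACEHOLDER2 carol@desk
from="1.2.3.0/24,44.55.66.77" ssh-rsa AAAAB3PLACEHOLDER3 dave@office'

# Demo run: write the sample to a temporary file and audit it.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_KEYS" > "$demo_file"
audit_authorized_keys "$demo_file" || echo "some keys are not restricted by source address"
rm -f "$demo_file"
```

Run it against a real file with `audit_authorized_keys ~bob/.ssh/authorized_keys`; a non-zero exit status means at least one key can be used from any address. In the sample, lines 3 and 4 are reported as unrestricted: the build key has options but none of them is from=, and carol's key has no options at all.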
In addition to the IP address restrictions you can configure several other things, such as denying the use of agent forwarding, denying the use of port forwarding, and so on.
The other options are comma-separated too, and are documented in the sshd manpage under the section "AUTHORIZED_KEYS FILE FORMAT". As an example of a more locked-down login, this is a good start:
from="1.2.3.4",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa ...
This disables agent forwarding, port forwarding and X11 forwarding whilst still allowing interactive logins. If you were using SSH for special-purpose logins you could restrict things further, by denying interactive login shells and forcing the execution of a particular command:
command="/usr/local/bin/my-prog" ssh-rsa ..
This is useful for remote backups carried out via rsync over ssh, as it can ensure that your remote user can only execute the expected command, and nothing else.
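A minimal forced-command wrapper for the rsync-over-ssh backup case just described, added here as an example (it is not from the original article). sshd runs the command= program instead of whatever the client asked for, and exposes the client's request in the SSH_ORIGINAL_COMMAND environment variable; the wrapper allows only an rsync server invocation that writes beneath one directory and refuses everything else, including a pull (the --sender form). The path /usr/local/bin/rsync-only, the directory /srv/backups/jenkins and the rsync location /usr/bin/rsync are assumptions for the example. rsync itself ships a fuller wrapper of this kind, rrsync, which is the better choice for production use; this block shows the pattern.

```bash
#!/usr/bin/env bash
# Forced-command wrapper for rsync-only logins (example added for this page,
# not from the original article). Install as /usr/local/bin/rsync-only (an
# assumed path) and reference it from authorized_keys like this:
#   command="/usr/local/bin/rsync-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 ...
# sshd ignores the client's requested command, runs this script instead and
# places the original request in $SSH_ORIGINAL_COMMAND.

BACKUP_ROOT="/srv/backups/jenkins"   # assumed destination directory
RSYNC="/usr/bin/rsync"               # assumed location of the rsync binary

# Return 0 if the request is an rsync server invocation writing under
# BACKUP_ROOT; otherwise print the reason to stderr and return 1.
check_rsync_command() {
  local cmd=$1 arg dest
  # A genuine rsync server request never contains shell metacharacters.
  case $cmd in
    *[';|&$`<>()']*|*$'\n'*) echo "refused: shell metacharacters in request" >&2; return 1 ;;
  esac
  set -f            # word-split the request without pathname expansion
  set -- $cmd
  set +f
  if [[ $# -lt 4 || $1 != rsync || $2 != --server ]]; then
    echo "refused: not an rsync server invocation" >&2; return 1
  fi
  for arg in "$@"; do
    case $arg in
      --sender) echo "refused: pulling files from this host is not allowed" >&2; return 1 ;;
      --rsync-path=*|--daemon|--config=*|--log-file=*|--files-from=*|--remove-source-files)
        echo "refused: option $arg is not allowed" >&2; return 1 ;;
    esac
  done
  dest=${!#}        # the last word is the destination path on this host
  case $dest in
    "$BACKUP_ROOT"|"$BACKUP_ROOT"/*) ;;
    *) echo "refused: destination $dest is outside $BACKUP_ROOT" >&2; return 1 ;;
  esac
  case $dest in
    *../*|*/..) echo "refused: path traversal in destination" >&2; return 1 ;;
  esac
  return 0
}

if [[ -n ${SSH_ORIGINAL_COMMAND:-} ]]; then
  # Real invocation by sshd: run rsync with the vetted arguments, or refuse.
  if check_rsync_command "$SSH_ORIGINAL_COMMAND"; then
    set -f; set -- $SSH_ORIGINAL_COMMAND; set +f
    shift                        # drop the leading "rsync" word
    exec "$RSYNC" "$@"
  fi
  exit 1
else
  # Not running under sshd: show the decision for a few constructed requests.
  for req in \
    "rsync --server -vlogDtpre.iLsfxC . /srv/backups/jenkins/daily" \
    "rsync --server --sender -vlogDtpre.iLsfxC . /srv/backups/jenkins/daily" \
    "rsync --server -logDtpre.iLsfxC . /srv/backups/jenkins/../../etc" \
    "bash -i"; do
    if check_rsync_command "$req" 2>/dev/null; then echo "ALLOW  $req"; else echo "REFUSE $req"; fi
  done
fi
```

Only the first of the four demo requests is allowed. Because the wrapper executes rsync directly with the split arguments rather than through a shell, the metacharacter check is a belt-and-braces measure; the checks that matter are the fixed `rsync --server` prefix, the rejection of `--sender`, and the destination staying under BACKUP_ROOT.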
From the "ITPUB blog", link: http://blog.itpub.net/27042095/viewspace-2135229/. If you reproduce this, please cite the source; otherwise legal action may be taken.