stribika.github.io
hint to restrict authorized_keys to known DNS names and IPv4/IPv6 addresses
While hardening my authorized_keys to known DNS names and IPv4/IPv6 addresses, I found a howto on University of Cambridge - Computer Laboratory: Using SSH to connect to the Lab. It is also possible to disable ssh functions per public key, like "no-X11-forwarding". Example:
from="localhost.localnet,localhost.localdomain,*.dialup.example.com,203.0.113.0/24,2001:DB8::/32",no-X11-forwarding ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA== [email protected]
(example uses IPv4 TESTNET-3 from RFC5737 and IPv6 from RFC3849 with a comment)
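As an added example (not code from this issue or from OpenSSH), here is a small Python checker that applies the `from=` matching rules I read in sshd's match.c (match_host_and_ip: CIDR or bare-address entries preferred on the IP side, `*`/`?` wildcards otherwise, a `!` entry denying on match) to a line like the one above, so you can audit which peers a restricted key would actually admit. The function names, the dummy key body and the hosts/addresses tested are my own constructions.

```python
import ipaddress
import re

def _wild(pattern):
    """sshd match_pattern(): only '*' and '?' are special; compared case-insensitively."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{rx}$", re.IGNORECASE)

def _match_list(value, patterns, as_addr):
    """Walk one comma-separated pattern list the way sshd does.
    Returns 1 = matched, 0 = no match, -1 = negated entry matched, -2 = malformed."""
    result = 0
    for pat in patterns.split(","):
        neg = pat.startswith("!")
        pat = pat[1:] if neg else pat
        hit = None
        if as_addr:                 # IP side: CIDR or bare address is preferred
            try:
                hit = ipaddress.ip_address(value) in ipaddress.ip_network(pat, strict=True)
            except ValueError:      # not an address; "/" means a bad mask, else a wildcard
                if "/" in pat or not pat:
                    return -2
        if hit is None:
            hit = _wild(pat).match(value) is not None
        if hit and neg:
            return -1
        result = max(result, int(hit))
    return result

def from_allows(from_value, remote_host, remote_ip):
    """Mirror sshd's match_host_and_ip(): a negated address match or a malformed
    entry denies, then a negated hostname match denies, then a positive match on
    either side allows. With UseDNS no, remote_host is just the IP string again."""
    mip = _match_list(remote_ip, from_value, as_addr=True)
    if mip < 0:
        return False
    mhost = _match_list(remote_host, from_value, as_addr=False)
    return mhost >= 0 and (mip == 1 or mhost == 1)

def from_of(line):
    """Pull the from="..." list out of an authorized_keys line (the quoted form
    used above; a backslash-escaped quote inside the value is not handled here)."""
    m = re.search(r'(?:^|,)from="([^"]*)"', line)
    return m.group(1) if m else None

# Constructed sample: the issue's example line with a dummy key body and comment.
SAMPLE = ('from="localhost.localnet,localhost.localdomain,*.dialup.example.com,'
          '203.0.113.0/24,2001:DB8::/32",no-X11-forwarding ssh-rsa AAAAB3Nza== user@example')
```

Note that a hostname entry only helps when sshd can reverse-resolve the peer (UseDNS yes); with UseDNS no, only the address entries can match.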
If you have an SSH hidden service then you will see everyone connecting from localhost. Restricting features for keys is still useful, thanks.