Re: A question about ssh RSA key connection



How is your DNS setup? How does this work when you connect with hostnames instead of IP Addresses? Do other two aliases (uplink0:1 and 0:2) have same name as primary interface's?

Sharad

--- On Mon, 24/8/09, 徐广 <xuguang181@xxxxxxxxx> wrote:

From: 徐广 <xuguang181@xxxxxxxxx>
Subject: Re: A question about ssh RSA key connection
To: "ming.zym@xxxxxxxxx" <ming.zym@xxxxxxxxx>
Cc: secureshell@xxxxxxxxxxxxxxxxx
Date: Monday, 24 August, 2009, 8:46 AM
Thanks ming for your reply

When I connect to  47.154.169.130 the from ip would
be
47.154.169.130, but when I try to connect to other servers,
the from
ip became 47.154.169.128, so this is really refusing me.



2009/8/24 ming.zym@xxxxxxxxx
<ming.zym@xxxxxxxxx>:
this is far from a ssh problem, as the connect src
address is selected
by system, mostly by the default routing set, in your
case, there are
many IP in the same vlan/ip space, that will be
choosed to be the first
ip in your ip list, .130 is the first then.

you may use the "-b" option if you really need to set
your src ip
address.


在 2009-08-22六的 12:10 +0800,徐广写道:
Hi
I recently met with a problem when trying to set
up ssh connection
through the ssh key

I first create a key through command ssh-keygen -t
rsa -f
/.ssh/pmcftp_id_rsa -P "" , two files would be
created under /.ssh
pmcftp_id_rsa and pmcftp_id_rsa.pub, then I insert
an entry into the
.pub file -
from="47.154.169.129,47.154.169.128"  this should
restrickt that the ssh key should only work for
sources of these two
ips.
Then I push the public key to another server under
~pmcftp/.ssh, after
that, I start the ssh connection through command
ssh -I pmcftp -i.
./ssh/pmcftp_id_rsa <server ip>, the ssh
connection would be set up
without asking for the passwd.
But, when I create the ssh key on a server that
has several ip
address, like following:
=====
ifconfig -a
lo0:
flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL>
mtu
8232 index 1
         inet
127.0.0.1 netmask ff000000
uplink0:
flags=1040863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,DEPRECATED,IPv4>
mtu 1500 index 2
         inet
47.154.169.130 netmask ffffff00 broadcast 47.154.169.255
         ether
0:0:bb:2e:74:e
uplink0:1:
flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4>
mtu 1500 index 2
         inet
47.154.169.128 netmask ffffff00 broadcast 47.154.169.255
uplink0:2:
flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4>
mtu 1500 index 2
         inet
47.154.169.129 netmask ffffff00 broadcast 47.154.169.255
uplink1:
flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu
1500 index 3
         inet
192.168.47.1 netmask ffffff00 broadcast 192.168.47.255
         ether
0:0:bb:2e:74:d
=====
And added ip 47.154.169.128  and
47.154.169.129  into the from ip list
entry in the key file, then I push the ssh key to
server
47.154.169.130 (which should be the same server as
the source)
Then when I try to start the ssh connection
through command ssh -I
pmcftp -i. ./ssh/pmcftp_id_rsa 47.154.169.130 ,
the key does not work
anymore, and the log give info like this
==
  Authentication tried for pmcftp with correct
key but not from a
permitted host (host=iems196-unit0,
ip=47.154.169.130)
==
Obviously, here the from ip list does not include
47..154.169.130, and
the ssh connection treate the from ip as
47.154.169.130 not other ips
of this server.
Then I tried another command
Ssh -b 47.154.169.128  -I pmcftp -i.
./ssh/pmcftp_id_rsa
47.154.169.130 the key works well again.
The -b option is binding the from ip to
57.154.169.128 and it's in the
from ip list in the key file.

how the ip of the from side of the ssh connection
is obtained? When
the from side of the ssh connection has several
ips how would the ip
address be determined by the to side?
Any info would be highly appreciated, thanks in
advance!

Best regards
Guang

--
徐广
13581797776





--
徐广
13581797776



Love Cricket? Check out live scores, photos, video highlights and more. Click here http://cricket.yahoo.com