Re: A question about ssh RSA key connection



How is your DNS set up? How does this work when you connect with hostnames instead of IP addresses? Do the other two aliases (uplink0:1 and 0:2) have the same name as the primary interface?

Sharad

--- On Mon, 24/8/09, 徐广 <xuguang181@xxxxxxxxx> wrote:

From: 徐广 <xuguang181@xxxxxxxxx>
Subject: Re: A question about ssh RSA key connection
To: "ming.zym@xxxxxxxxx" <ming.zym@xxxxxxxxx>
Cc: secureshell@xxxxxxxxxxxxxxxxx
Date: Monday, 24 August, 2009, 8:46 AM
Thanks ming for your reply.

When I connect to 47.154.169.130 the from IP would be 47.154.169.130, but when I try to connect to other servers, the from IP became 47.154.169.128, so this is really refusing me.



2009/8/24 ming.zym@xxxxxxxxx
<ming.zym@xxxxxxxxx>:
This is far from an ssh problem, as the connect source address is selected by the system, mostly by the default routing set. In your case there are many IPs in the same VLAN/IP space, so the first IP in your IP list will be chosen; .130 is the first then.

You may use the "-b" option if you really need to set your source IP address.


On Sat, 2009-08-22 at 12:10 +0800, 徐广 wrote:
Hi,
I recently ran into a problem when trying to set up an ssh connection through an ssh key.

I first create a key with the command ssh-keygen -t rsa -f /.ssh/pmcftp_id_rsa -P "" ; two files are created under /.ssh, pmcftp_id_rsa and pmcftp_id_rsa.pub. Then I insert an entry into the .pub file, from="47.154.169.129,47.154.169.128" ; this should restrict the ssh key so that it only works for sources with these two IPs.
Then I push the public key to another server under ~pmcftp/.ssh. After that, I start the ssh connection with the command ssh -l pmcftp -i ./.ssh/pmcftp_id_rsa <server ip>, and the ssh connection is set up without asking for the password.
But when I create the ssh key on a server that has several IP addresses, like the following:
=====
ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
uplink0: flags=1040863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,DEPRECATED,IPv4> mtu 1500 index 2
        inet 47.154.169.130 netmask ffffff00 broadcast 47.154.169.255
        ether 0:0:bb:2e:74:e
uplink0:1: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 47.154.169.128 netmask ffffff00 broadcast 47.154.169.255
uplink0:2: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 47.154.169.129 netmask ffffff00 broadcast 47.154.169.255
uplink1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.47.1 netmask ffffff00 broadcast 192.168.47.255
        ether 0:0:bb:2e:74:d
=====
and add IPs 47.154.169.128 and 47.154.169.129 to the from IP list entry in the key file, then push the ssh key to server 47.154.169.130 (which should be the same server as the source).
Then when I try to start the ssh connection with the command ssh -l pmcftp -i ./.ssh/pmcftp_id_rsa 47.154.169.130 , the key does not work anymore, and the log gives info like this:
==
  Authentication tried for pmcftp with correct key but not from a permitted host (host=iems196-unit0, ip=47.154.169.130)
==
Obviously, here the from IP list does not include 47.154.169.130, and the ssh connection treats the from IP as 47.154.169.130, not the other IPs of this server.
Then I tried another command, ssh -b 47.154.169.128 -l pmcftp -i ./.ssh/pmcftp_id_rsa 47.154.169.130 , and the key works well again.
The -b option binds the from IP to 47.154.169.128, and that is in the from IP list in the key file.

How is the IP of the from side of the ssh connection obtained? When the from side of the ssh connection has several IPs, how is the IP address determined by the to side?
Any info would be highly appreciated, thanks in advance!

Best regards
Guang

--
徐广
13581797776





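The from= check that this thread is debugging, as an added example that is not part of any message above: the functions below follow the documented OpenSSH pattern semantics for the authorized_keys from= option (comma-separated patterns, "!" negation, "*" and "?" wildcards, CIDR), and a connected UDP socket shows which source address the kernel would pick for a destination, which is the value ssh -b overrides. The option string, addresses and hostname used to exercise it are the ones quoted in the thread; the function names are my own.

```python
# Added example (not from the thread): predict whether a key carrying an
# authorized_keys from="..." option will be accepted. OpenSSH semantics: a
# negated match on the client IP or hostname rejects, otherwise any positive
# match accepts. sshd only has a hostname to test when UseDNS is enabled;
# otherwise only the IP is compared, which is what the quoted log line shows.
import fnmatch
import ipaddress
import re
import socket

def parse_from_option(options: str) -> list[str]:
    """Pattern list from the options field of an authorized_keys line."""
    m = re.search(r'from="([^"]*)"', options)
    return [p for p in m.group(1).split(",") if p] if m else []

def _matches(pattern: str, value: str) -> bool:
    if "/" in pattern:  # CIDR form only makes sense against an IP address
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def match_list(value: str, patterns: list[str]) -> int:
    """OpenSSH convention: 1 = match, -1 = negated match, 0 = no match."""
    for pat in patterns:
        if pat.startswith("!"):
            if _matches(pat[1:], value):
                return -1
        elif _matches(pat, value):
            return 1
    return 0

def host_permitted(options: str, client_ip: str, client_host: str = "") -> bool:
    """Would sshd accept this key from client_ip / client_host?"""
    patterns = parse_from_option(options)
    if not patterns:  # no from= option: any source is permitted
        return True
    mip = match_list(client_ip, patterns)
    mhost = match_list(client_host, patterns) if client_host else 0
    if mip == -1 or mhost == -1:
        return False
    return mip == 1 or mhost == 1

def chosen_source_ip(dest_ip: str, bind_ip: str = "") -> str:
    """Source address the kernel selects for dest_ip (what ssh -b overrides).
    A connected UDP socket sends nothing but still runs route selection."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if bind_ip:
            s.bind((bind_ip, 0))
        s.connect((dest_ip, 22))
        return s.getsockname()[0]
```

Feeding chosen_source_ip() into host_permitted() reproduces the thread's situation: the kernel picks .130 for a connection to .130, which is absent from the from= list, while binding to .128 makes the same key match.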





