Re: from= option of authorized keys



On May 22, 2:23 am, phil-news-nos...@xxxxxxxx wrote:
On Tue, 20 May 2008 05:26:20 -0700 (PDT) rahul <rahulsin...@xxxxxxxxx> wrote:
| On May 20, 5:22 pm, Jan-Frode Myklebust <janfr...@xxxxxxxxx> wrote:
|> On 2008-05-19, Ignoramus31588 <ignoramus31...@xxxxxxxxxxxxxxxxxxxx> wrote:
|>
|> > What is the syntax, can I use hostnames or more than one IP?
|>
|> Yes, you can use multiple ip-addresses, I use this in my authorized_keys file
|> to limit logins from these two hosts:
|>
|> from="172.20.4.3,172.20.4.2" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAs98tZJEXd1Njhp4xhcw+IVQ4kLUlYmnRb5Nvms590GZiEwnC6NOdQ6ib7ukfgujNP4uSZo8LGeYmmMkwhocYABCsRufRlHirdTJfs+7997yF85yRJ2c9pRQwq5OnxEqDneKk64bv2xt8w8C8ENAylpjln9HO8TFE1I1dkR1aROM= janfr...@xxxxxxxxx
|>
|> -jf
|
| For further information, you can read through 'man sshd'. If the host
| is not in the from= field, then the server will fall back to password
| authentication.

What if there are 2 entries, and the client first tries a key that has a from=
entry that does not match, and later tries a different key that does match?

Or, what about 2 identical key entries (same key) that have different from=
entries? Would that work?

--
|WARNING: Due to extreme spam, googlegroups.com is blocked. Due to ignorance |
| by the abuse department, bellsouth.net is blocked. If you post to |
| Usenet from these places, find another Usenet provider ASAP. |
| Phil Howard KA9WGN (email for humans: first name in lower case at ipal.net) |

* and ? work as wild-cards in the pattern list in the 'from' field.
They have their usual meanings. Consider:

from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula

The negation in !pc.niksula.hut.fi means that if the key comes from
this host, it should be denied access. Your key begins with 1024
onwards. The last part is just a comment (ylo@niksula). It does not
have any functional significance.

Regarding 2 identical keys having two different from fields, isn't it
the same thing as the same key having multiple hosts in the from
field? That means the hosts in the 'from' field can log in with the
matching keys.

For authentication to happen, both the from field and the key have to
match. Otherwise, it will fall back to password authentication. You
may see it at work if you switch on the verbose option.
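
As an added illustration (not code from any poster in this thread, and not OpenSSH's own implementation), the sketch below evaluates from= pattern lists with the rules discussed above: comma-separated patterns, * and ? wildcards, and ! negation, where a negated match always refuses and never admits on its own. The function names, the placeholder keys and the 10.0.0.? entry are constructed; comparing case-insensitively against a single client string is a simplifying assumption.

```python
import re

def glob_to_regex(pattern):
    # Only '*' and '?' are wildcards; every other character is literal.
    table = {"*": ".*", "?": "."}
    body = "".join(table.get(ch, re.escape(ch)) for ch in pattern)
    return re.compile(body, re.IGNORECASE)

def match_pattern_list(client, pattern_list):
    """True if a plain pattern matches and no negated pattern matches."""
    matched = False
    for pat in filter(None, (p.strip() for p in pattern_list.split(","))):
        negated = pat.startswith("!")
        if glob_to_regex(pat[1:] if negated else pat).fullmatch(client):
            if negated:
                return False  # a negated match always refuses
            matched = True
    return matched

# Leading options token of an authorized_keys line, honouring quoted values.
OPTIONS_RE = re.compile(r'\s*((?:[^\s"]|"[^"]*")+)')
FROM_RE = re.compile(r'(?:^|,)from="([^"]*)"')

def from_option(line):
    """Return the from= pattern list of an authorized_keys line, or None."""
    token = OPTIONS_RE.match(line)
    found = FROM_RE.search(token.group(1)) if token else None
    return found.group(1) if found else None

def admitting_lines(lines, client):
    """1-based numbers of the lines whose from= restriction admits client."""
    hits = []
    for number, line in enumerate(lines, 1):
        patterns = from_option(line)
        if patterns is None or match_pattern_list(client, patterns):
            hits.append(number)
    return hits

# Constructed sample: key material replaced by placeholders. Lines 1 and 3
# carry the same (placeholder) key with different from= restrictions.
SAMPLE = [
    'from="172.20.4.3,172.20.4.2" ssh-rsa AAAA_PLACEHOLDER_KEY_1 user1@example',
    'from="*.niksula.hut.fi,!pc.niksula.hut.fi" ssh-rsa AAAA_PLACEHOLDER_KEY_2 ylo@niksula',
    'from="10.0.0.?" ssh-rsa AAAA_PLACEHOLDER_KEY_1 user1@example',
]

if __name__ == "__main__":
    for client in ("172.20.4.2", "pc.niksula.hut.fi", "kiwi.niksula.hut.fi", "10.0.0.7"):
        print(client, admitting_lines(SAMPLE, client))
```

This only reports which entries' from= lists admit a given client; it makes no statement about the order in which sshd tries keys or entries.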
