Is there a way to set up passwordless / passphraseless ssh so can only come from one client?

Question

I know how to set up passwordless / passphraseless ssh. But my understanding is that setting it up that way means that if someone get ahold of the id_dsa file, they can then log in from any machine.

Is it possible to set up, on server X, that Y is an "authorized key" only when it's coming from client Z?

Artem Budaev · Answer 1 · 2018-01-26T16:48:18.033

3

You may restrict access by IP for every authorized_key. Just add the following line into authorized_keys on X something like:

from="Z_IP" Y_id_rsa.pub

In this case server X will be accessible via SSH using Y's key only when accessing from Z's IP-address.

Also, you may add additional parameters. Here is examples: https://debian-administration.org/article/685/Restricting_SSH_logins_to_particular_IP_addresses

edited Jan 26 '18 at 16:48

answered Jan 26 '18 at 16:46

Artem Budaev

41
3

Can I use a DNS entry "foo.com" as well, or does it have to be an ip address? – Greg Dougherty Jan 26 '18 at 16:47
2

Yes, you can. But you should have `UseDNS` enabled in `sshd_config`: `UseDNS yes` But it may take some seconds for DNS-query finish on connection. – Artem Budaev Jan 26 '18 at 16:51

Is there a way to set up passwordless / passphraseless ssh so can only come from one client?

1 Answers1