[clug] ~/.ssh/authorized_keys and dynDNS
Kim Holburn
kim.holburn at gmail.com
Tue Jul 24 15:15:22 GMT 2007
You might want to look at fail2ban. There are probably others. This
is a much better way of locking baddies out.
There are also sshd options like:
MaxStartups 10:30:60
There are a number of obscure ssh and sshd options and they seem to
change with different versions. Two I have used are:
#UseDNS no
#ReverseMappingCheck no
MaxStartups 10:30:60
and
in ssh_config:
CheckHostIP no
sshd will complain if you use an option it doesn't understand.
On 2007/Jul/24, at 2:20 PM, Andrew Janke wrote:
> Hi all,
>
> Just wondering if someone else has got around this problem once
> before..
>
> I use dynDNS at home and want to set up an rsync from work (static IP)
> to home (dynamic with port-forwarding from cheap router to Linux
> machine) without passwords. Ideally I will use dirvish once I have
> this all sorted out.
>
> So, I set up the key, set up a command filter and it all works nicely.
> The key looks as such in ~/.ssh/authorized_keys on the work (Static
> IP) machine:
>
> command="~/bin/vrsync.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EA.......
>
> where ~/bin/vrsync.sh looks like this:
>
> #!/bin/sh
> #
> # Forced command for the backup key: only the rsync server invocation
> # that the client sends is allowed through.
> # Yes the error message is misleading
>
> # no pathname expansion when $SSH_ORIGINAL_COMMAND is split into words below
> set -f
>
> case "$SSH_ORIGINAL_COMMAND" in
>     # refuse anything carrying shell metacharacters
>     *\&* | *\(* | *\{* | *\;* | *\<* | *\>* | *\|* | *\$* | *\`*)
>         echo "Destination Host Unreachable"
>         ;;
>     rsync\ --server\ --sender\ -vlogDtpr\ *)
>         exec $SSH_ORIGINAL_COMMAND
>         ;;
>     *)
>         echo "ssh: Destination Host Unreachable"
>         ;;
> esac
>
> So this all works nicely, but I am paranoid so want to add
> something like this:
>
> command="~/bin/vrsync.sh",from="xxxxx.selfip.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC....
>
> Note the added from="" thingo. Now this fails as the hostname does
> not resolve correctly.. I get errors in /var/log/auth.log as such:
>
> Jul 24 22:14:47 xxxxx sshd[6174]: Authentication tried for xxxx with
> correct key but not from a permitted host
> (host=WW-XX-YY-ZZ.dyn.iinet.net.au, ip=WW.XX.YY.ZZ).
>
> In this case the WW.XX.YY.ZZ does match in the log, so it is not that.
> I suspect it is the reverse lookup of xxxxx.selfip.com
>
> Is there some way to turn this off in authorized_keys or should I just
> write some other script that updates authorized_keys with the correct
> IP from time to time? (which incidentally is how I currently update
> /etc/hosts.allow on the static IP work machine so that I can log in
> from home, unless someone can suggest something better).
>
> ta
>
>
> --
> Andrew Janke (a.janke at gmail.com || http://a.janke.googlepages.com/)
> Canberra->Australia +61 (402) 700 883
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3494957443
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
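Added example, not part of Kim's or Andrew's mail: sshd compares the from="..." patterns of an authorized_keys entry against the client's IP address and against the name it gets by reverse-resolving that IP; it never forward-resolves the pattern itself, which is why a dynDNS name such as xxxxx.selfip.com can only ever match by accident. The workaround Andrew mentions (a cron job that rewrites the entry with the current address, the same trick he already uses for /etc/hosts.allow) looks like this. The script, its function names, the key comment "home-backup" used to find the entry, and the use of getent ahostsv4 (glibc) for the lookup are all assumptions made for the example; the entry must already carry a from="..." option (a placeholder such as from="0.0.0.0" will do) for it to be rewritten.

```sh
#!/bin/sh
# Added example (not from the thread): keep the from="..." restriction on one
# authorized_keys entry in sync with a dynDNS name by writing the literal IP.
# sshd matches from= patterns against the client IP and the reverse-looked-up
# hostname, never by forward-resolving the pattern, so the IP must be written.
# Assumptions: getent(1) with glibc's ahostsv4 database is available, and the
# entry to update is identified by its trailing key comment.
set -eu

# Syntactic IPv4 check, so a failed lookup never ends up inside from="".
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# First IPv4 address of NAME (assumes getent ahostsv4, i.e. glibc).
resolve_v4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# update_from FILE COMMENT IP
# Rewrite from="..." on the entry whose key comment is COMMENT. Writes via a
# temp file in the same directory and renames it, so sshd never reads a half
# written file; leaves the file untouched when the address has not changed.
update_from() {
    file=$1 comment=$2 ip=$3
    tmp="$file.tmp.$$"
    awk -v c="$comment" -v ip="$ip" '
        $NF == c && $0 ~ /from="[^"]*"/ { sub(/from="[^"]*"/, "from=\"" ip "\"") }
        { print }
    ' "$file" > "$tmp"
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    chmod 600 "$tmp"
    mv "$tmp" "$file"
}

# Cron driver: update_keys.sh ~/.ssh/authorized_keys home-backup xxxxx.selfip.com
main() {
    ip=$(resolve_v4 "$3")
    if ! is_ipv4 "$ip"; then
        echo "could not resolve $3 to an IPv4 address" >&2
        return 1
    fi
    update_from "$1" "$2" "$ip"
}

if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

Run it from cron every few minutes on the static-IP machine; the lookup failing leaves the old address in place rather than opening the entry up, and the rename keeps sshd from reading a partially written authorized_keys. Unlike sshd's own from= handling this only ever writes an address, so the reverse lookup of the iinet name in the log no longer matters.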