[clug] ~/.ssh/authorized_keys and dynDNS

Kim Holburn kim.holburn at gmail.com
Tue Jul 24 15:15:22 GMT 2007


You might want to look at fail2ban.  There are probably others.  This is a much better way of locking baddies out.

There are also sshd options like:
MaxStartups 10:30:60

There are a number of obscure ssh and sshd options and they seem to change with different versions.  Two I have used are:
#UseDNS no
#ReverseMappingCheck no

MaxStartups 10:30:60

and

in ssh_config:
CheckHostIP no

sshd will complain if you use an option it doesn't understand.

On 2007/Jul/24, at 2:20 PM, Andrew Janke wrote:

> Hi all,
>
> Just wondering if someone else has got around this problem once  
> before..
>
> I use dynDNS at home and want to set up an rsync from work (static IP)
> to home (dynamic with port-forwarding from cheap router to Linux
> machine) without passwords.  Ideally I will use dirvish once I have
> this all sorted out.
>
> So, I set up the key, set up a command filter and it all works nicely.
> The key looks as such in ~/.ssh/authorized_keys on the work (Static
> IP) machine:
>
> command="~/bin/vrsync.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding
> ssh-rsa AAAAB3NzaC1yc2EA.......
>
> where ~/bin/vrsync.sh looks like this:
>
> #! /bin/sh
> #
> # Yes the error message is misleading
>
> case "$SSH_ORIGINAL_COMMAND" in
>   *\&*)
>      echo "Destination Host Unreachable"
>      ;;
>   *\(*)
>      echo "Destination Host Unreachable"
>      ;;
>   *\{*)
>      echo "Destination Host Unreachable"
>      ;;
>   *\;*)
>      echo "Destination Host Unreachable"
>      ;;
>   *\<*)
>      echo "Destination Host Unreachable"
>      ;;
>   *\`*)
>      echo "Destination Host Unreachable"
>      ;;
>
>   rsync\ --server\ --sender\ -vlogDtpr\ *)
>      $SSH_ORIGINAL_COMMAND
>      ;;
>
>   *)
>      echo "ssh: Destination Host Unreachable"
>      ;;
> esac
>
> So this all works nicely, but I am paranoid so want to add  
> something like this:
>
> command="~/bin/vrsync.sh",from="xxxxx.selfip.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding
> ssh-rsa AAAAB3NzaC....
>
> Note the added from="" thingo.  Now this fails as the hostname does
> not resolve correctly.. I get errors in /var/log/auth.log as such:
>
> Jul 24 22:14:47 xxxxx sshd[6174]: Authentication tried for xxxx with
> correct key but not from a permitted host
> (host=WW-XX-YY-ZZ.dyn.iinet.net.au, ip=WW.XX.YY.ZZ).
>
> In this case the WW.XX.YY.ZZ does match in the log, so it is not that.
> I suspect it is the reverse lookup of xxxxx.selfip.com
>
> Is there some way to turn this off in authorized_keys or should I just
> write some other script that updates authorized_keys with the correct
> IP from time to time? (which incidentally is how I currently update
> /etc/hosts.allow on the static IP work machine so that I can log in
> from home, unless someone can suggest something better).
>
> ta
>
>
> -- 
> Andrew Janke   (a.janke at gmail.com || http://a.janke.googlepages.com/)
> Canberra->Australia    +61 (402) 700 883
> -- 
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux

--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request

Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961
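As an added illustration of the two approaches discussed in this thread (it is example code written for this page, not Andrew's vrsync.sh and not anything Kim posted): the first function is an allow-list version of the forced-command wrapper, which accepts only the one rsync server invocation the backup client is expected to send, confines the path to an export directory and refuses anything outside a small character set, instead of enumerating dangerous metacharacters one by one. The second function is the "update from= from time to time" alternative Andrew mentions: it rewrites the from="" clause on the vrsync.sh line of authorized_keys to a freshly resolved IP, and validates that IP first so nothing unexpected is spliced into the sed expression. The export root /home/backup/export, the exact rsync option string, and the use of logger are assumptions; the option string in particular varies with the rsync version on each end, so copy it from a rejected-command log entry before relying on it.

```shell
#!/bin/sh
# Added example for this thread; not Andrew's vrsync.sh.
# Assumed layout: the backup client may only pull from EXPORT_ROOT.
EXPORT_ROOT="/home/backup/export"

# vrsync_check CMD
# Prints CMD and returns 0 only if CMD is the expected rsync server
# invocation (option string assumed; adjust to your rsync versions) with a
# path under EXPORT_ROOT.  Anything else returns 1 and prints nothing.
vrsync_check() {
    vc_cmd=$1
    vc_prefix="rsync --server --sender -vlogDtpr . $EXPORT_ROOT/"
    case "$vc_cmd" in
        "$vc_prefix"*) vc_rest=${vc_cmd#"$vc_prefix"} ;;   # quoted: literal prefix
        *) return 1 ;;
    esac
    # Allow-list the remainder: only path characters, so no space, newline,
    # quote, backtick, $, ;, &, |, (, ) or redirection can reach the shell.
    case "$vc_rest" in
        *[!A-Za-z0-9_./-]*) return 1 ;;
    esac
    # No climbing back out of the export root.
    case "$vc_rest" in
        ..|../*|*/..|*/../*) return 1 ;;
    esac
    printf '%s\n' "$vc_cmd"
    return 0
}

# rewrite_from IP
# Filter for authorized_keys on stdin: on lines that carry the vrsync.sh
# forced command, replace the existing from="..." clause with from="IP".
# Other lines pass through untouched.  IP must be a dotted-quad, which also
# keeps the sed expression free of delimiter or command characters.
rewrite_from() {
    rf_ip=$1
    case "$rf_ip" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    sed -e "/vrsync\\.sh/s/from=\"[^\"]*\"/from=\"$rf_ip\"/"
}

# When sshd runs this file as the forced command, SSH_ORIGINAL_COMMAND is
# set; when the file is sourced for testing it is not, and nothing runs.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allowed=$(vrsync_check "$SSH_ORIGINAL_COMMAND"); then
        # Word splitting is intended here: the string is the argv list.
        exec $allowed
    else
        logger -p auth.warning -t vrsync \
            "rejected command from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
        echo "ssh: Destination Host Unreachable" >&2
        exit 1
    fi
fi
```

For the from= refresh, a cron job on the static-IP machine can resolve the dynDNS name (for example with `getent hosts home.selfip.example`, a placeholder name), pipe `~/.ssh/authorized_keys` through `rewrite_from` with the first field of the result, and move the output into place only when it differs from the current file. Because sshd compares the address in from="" against the client's IP directly, a dotted-quad there avoids the reverse-lookup mismatch shown in Andrew's auth.log line entirely.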