OpenSSH tips

This page provides some tips on OpenSSH, which is one of the most common SSH client and server implementations.

Restricting public key authentication by client IP address in authorized_keys

When we use public key authentication for SSH login, a leaked private key is a risk. Generally, to prevent a second incident when a machine that stores private keys is compromised, we set a passphrase on each private key. However, we sometimes want to use an empty passphrase, for example when logging in to servers from a batch script, so that no passphrase has to be entered. The main problem with an empty passphrase is that, once the private key leaks, anyone holding it can log in to every server that trusts the corresponding public key. One solution to this problem is to add an IP address-based restriction to the key.

In authorized_keys, an IP address-based restriction is written like the following:

from="192.0.2.11" [SSH-PUBLIC-KEY]

To permit all addresses in a subnet, use the slash (/) notation:

from="192.0.2.0/24" [SSH-PUBLIC-KEY]

To add two or more permitted IP addresses or ranges, separate them with commas (,) like this:

from="192.0.2.0/25,192.0.2.128/29" [SSH-PUBLIC-KEY]

Note that this restriction also works with IPv6 addresses.
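To see concretely which client addresses the from= entries above accept, and to audit an authorized_keys file for keys that carry no restriction at all, here is an added Python example; it is not code from this page or from OpenSSH. The sample file contents, the placeholder key blobs and the client addresses are constructed for the example. It reimplements the from= matching rules as sshd(8) documents them, and goes slightly beyond the page by also handling negated ("!") patterns and "*"/"?" wildcards: patterns are tried in order, a matching negated pattern rejects, address/prefix patterns are CIDR, and anything else is a wildcard over the textual address. sshd additionally matches the client's canonical hostname, which this script does not resolve.

```python
import fnmatch
import ipaddress

# A line whose first token starts with one of these is a bare key (no options).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample authorized_keys content (not from the original page);
# the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# unrestricted: any client address is accepted
ssh-ed25519 AAAAC3PLACEHOLDER1 deploy@example
from="192.0.2.11" ssh-ed25519 AAAAC3PLACEHOLDER2 batch@example
from="192.0.2.0/25,192.0.2.128/29",no-pty ssh-ed25519 AAAAC3PLACEHOLDER3 backup@example
from="2001:db8::/32" ssh-ed25519 AAAAC3PLACEHOLDER4 v6@example
from="!192.0.2.5,192.0.2.0/24" ssh-ed25519 AAAAC3PLACEHOLDER5 admin@example
"""

def _split_unquoted_commas(field):
    """Split the options field on commas outside double quotes, so that
    from="a,b" stays one option. Backslash escapes are not handled."""
    parts, buf, in_quote = [], [], False
    for ch in field:
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    if buf:
        parts.append("".join(buf))
    return parts

def parse_line(line):
    """Return (options, key_type, comment) for one line, or None for blank,
    comment and malformed lines. options maps name -> unquoted value, or
    True for flag options such as no-pty."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPE_PREFIXES):
        opts_field, rest = "", line
    else:
        # The options field ends at the first whitespace outside quotes.
        in_quote, end = False, None
        for i, ch in enumerate(line):
            if ch == '"':
                in_quote = not in_quote
            elif ch in " \t" and not in_quote:
                end = i
                break
        if end is None:
            return None
        opts_field, rest = line[:end], line[end:].strip()
    options = {}
    for opt in _split_unquoted_commas(opts_field):
        name, _, value = opt.partition("=")
        options[name.strip()] = value.strip().strip('"') if value else True
    fields = rest.split(None, 2)
    if len(fields) < 2:
        return None
    return options, fields[0], (fields[2] if len(fields) > 2 else "")

def _pattern_matches(addr, pattern):
    """CIDR patterns (containing '/') use ipaddress; anything else is a
    '*'/'?' wildcard compared against the textual address."""
    if "/" in pattern:
        try:
            return addr in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(str(addr), pattern)

def address_matches(client_ip, patterns):
    """from= semantics for one client address: a matching negated pattern
    rejects outright; otherwise at least one positive pattern must match."""
    addr = ipaddress.ip_address(client_ip)
    positive = False
    for pattern in patterns:
        negated = pattern.startswith("!")
        if _pattern_matches(addr, pattern[1:] if negated else pattern):
            if negated:
                return False
            positive = True
    return positive

def keys_accepting(authorized_keys_text, client_ip):
    """Comments of the keys that would accept a login from client_ip."""
    accepted = []
    for line in authorized_keys_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, _key_type, comment = parsed
        src = options.get("from")
        if not isinstance(src, str) or address_matches(client_ip, src.split(",")):
            accepted.append(comment)
    return accepted

def unrestricted_keys(authorized_keys_text):
    """Comments of the keys that carry no from= option (the audit view)."""
    return [p[2] for p in map(parse_line, authorized_keys_text.splitlines())
            if p is not None and not isinstance(p[0].get("from"), str)]

if __name__ == "__main__":
    print("unrestricted:", unrestricted_keys(SAMPLE_AUTHORIZED_KEYS))
    for ip in ("192.0.2.11", "192.0.2.5", "192.0.2.200", "2001:db8:1::5"):
        print(ip, "->", keys_accepting(SAMPLE_AUTHORIZED_KEYS, ip))
```

Run it against a real file with `keys_accepting(open(path).read(), ip)` to see which entries a given client address would be able to use. A from= restriction constrains only the key entry it is attached to; other entries in the file and other authentication methods are unaffected, so the list of unrestricted keys is the part worth checking regularly.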

Changing the passphrase of a private key

To change the passphrase of a private key, use ssh-keygen with the -p option:

$ ssh-keygen -p [-f /path/to/your/private/key]

The -f option specifies the path to the private key; without it, ssh-keygen prompts for the key file.

Checking the fingerprint of a public key

To check the fingerprint of a public key, use the ssh-keygen command with the -l option:

$ ssh-keygen -l -f /path/to/your/public/key