OpenSSH tips
Restricting public key authentication by client IP address in authorized_keys
When public key authentication is used for SSH login, a leaked private key is the main risk. Normally each private key is protected with a passphrase, so that a key copied from a compromised machine cannot be used until the passphrase is also recovered. Sometimes, however, an empty passphrase is wanted, for example so that a batch script can log in to servers unattended. The problem with such a key is that anyone who obtains the file can log in to every server that trusts the corresponding public key. One way to limit that exposure is to restrict, in authorized_keys, the client addresses from which the key is accepted.
In authorized_keys, the restriction is written as a from= option in front of the key entry (below, [SSH-PUBLIC-KEY] stands for the key type, base64 key and comment, e.g. ssh-ed25519 AAAA... user@host):
from="192.0.2.11" [SSH-PUBLIC-KEY]
To permit every address in a subnet, use CIDR (address/prefix-length) notation:
from="192.0.2.0/24" [SSH-PUBLIC-KEY]
To permit two or more addresses or ranges, separate them with commas (,):
from="192.0.2.0/25,192.0.2.128/29" [SSH-PUBLIC-KEY]
The same option works for IPv6 addresses. The from= value is a pattern list, so hostname-style wildcards (* and ?) and negation with a leading ! are accepted as well as CIDR ranges.
Note what this does and does not give you: sshd compares the source address of the TCP connection, so all clients behind the same NAT or jump host look alike, and a key stolen from a machine inside the permitted range still works. The restriction limits where a leaked key can be used; it does not prevent or detect the leak. For an unattended key it is worth adding command="..." and the restrict option next to from=, so that the key can only run the job it was created for.
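The following script is an added example, not part of OpenSSH, that audits an authorized_keys file: it parses the options field (which may itself contain commas inside quotes), pulls out the from= pattern list, and reports which keys a connection from a given client address could use. The matching rules (comma-separated list, CIDR ranges, * and ? wildcards, ! negation) follow the sshd(8) description of from=, but this is a model written for the example; sshd's own matching code is authoritative. The sample authorized_keys content and the key blobs in it are constructed placeholders, not real key material.

```python
"""Audit which authorized_keys entries are usable from a given client address.
Added example modelling the documented from= rules; not OpenSSH code."""
import fnmatch
import ipaddress

# Constructed sample file. The base64 parts are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, keys are placeholders
from="192.0.2.11" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 deploy@ci
from="192.0.2.0/25,192.0.2.128/29" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 backup
from="!192.0.2.13,192.0.2.*",command="/usr/local/bin/rsync-only" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER3 mirror
from="2001:db8::/32" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER4 v6-host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER5 unrestricted@laptop
"""

KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "ssh-dss", "sk-")


def split_options(options):
    """Split the options field on commas, but not on commas inside double
    quotes: a from= list is itself comma-separated."""
    items, cur, quoted = [], [], False
    for ch in options:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch == "," and not quoted:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        items.append("".join(cur))
    return items


def parse_line(line):
    """Return (options, keytype, blob, comment) for one authorized_keys line,
    or None for blank lines, comments and malformed entries."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # The first field ends at the first space outside double quotes
    # (options such as command="ls -l" may contain spaces).
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            break
    else:
        return None
    first, rest = line[:i], line[i + 1:]
    if first.startswith(KEY_TYPE_PREFIXES):
        options, rest = [], line        # no options field on this line
    else:
        options = split_options(first)
    fields = rest.split(None, 2)
    if len(fields) < 2:
        return None
    comment = fields[2] if len(fields) == 3 else ""
    return options, fields[0], fields[1], comment


def from_patterns(options):
    """The from= pattern list, or None when the key has no from= option."""
    for opt in options:
        if opt.startswith("from="):
            return opt[len("from="):].strip('"').split(",")
    return None


def address_matches(client_ip, patterns):
    """Apply a from= list to a client address. A matching negated pattern
    denies at once; otherwise at least one positive pattern must match.
    No from= option at all means the key is accepted from anywhere."""
    if patterns is None:
        return True
    addr = ipaddress.ip_address(client_ip)
    positive = False
    for pat in patterns:
        negate = pat.startswith("!")
        pat = pat[1:] if negate else pat
        if "/" in pat:
            try:
                # Assumption of this model: an entry with host bits set is
                # treated as malformed and never matches.
                hit = addr in ipaddress.ip_network(pat, strict=True)
            except ValueError:
                hit = False
        else:
            # Wildcard pattern applied to the textual address (e.g. 192.0.2.*).
            hit = fnmatch.fnmatchcase(str(addr), pat)
        if hit and negate:
            return False
        positive = positive or hit
    return positive


def permitted_keys(text, client_ip):
    """Comments of the keys that a connection from client_ip may use."""
    allowed = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        options, _keytype, _blob, comment = parsed
        if address_matches(client_ip, from_patterns(options)):
            allowed.append(comment)
    return allowed


if __name__ == "__main__":
    for ip in ("192.0.2.11", "192.0.2.13", "192.0.2.200", "2001:db8::1"):
        print(ip, "->", permitted_keys(SAMPLE_AUTHORIZED_KEYS, ip))
```

Running it against a real file (read it instead of SAMPLE_AUTHORIZED_KEYS) quickly shows the entries with no from= at all, which is where an unattended key hurts most.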
Changing the passphrase of a private key
To change the passphrase of a private key, use ssh-keygen with the -p option:
$ ssh-keygen -p [-f /path/to/your/private/key]
The -f option names the private key file; without it, ssh-keygen prompts for the path. The same command adds a passphrase to a key that has none, and entering an empty new passphrase removes the existing one.
Checking fingerprint of a public key
To check the fingerprint of a public key, use ssh-keygen with the -l option (it also accepts a private key file and prints the fingerprint of its public half; add -E md5 for the older MD5 format):
$ ssh-keygen -l -f /path/to/your/public/key
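For scripts that must verify a key without shelling out to ssh-keygen, the following added example (not OpenSSH code) computes the same SHA256 and MD5 fingerprints from a public key line: it base64-decodes the key blob, checks that the type string inside the blob agrees with the declared type, and hashes the whole blob. The sample keys are constructed in the code from fixed bytes and are not real key material; the key-size logic covers only ssh-ed25519 and ssh-rsa.

```python
"""Compute ssh-keygen -l style fingerprints for a public key line.
Added example, not part of OpenSSH."""
import base64
import hashlib
import struct


def ssh_string(b):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length)."""
    return struct.pack(">I", len(b)) + b


def mpint(n):
    """Encode a non-negative integer as an SSH mpint."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b          # keep the sign bit clear
    return ssh_string(b)


def read_ssh_strings(blob):
    """Yield the length-prefixed strings that make up a public key blob."""
    off = 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated string")
        yield blob[off:off + n]
        off += n


def key_bits(keytype, parts):
    """Key size as ssh-keygen -l reports it, for the two types handled here."""
    if keytype == "ssh-ed25519":
        return 256
    if keytype == "ssh-rsa":
        # parts: [type, e, n]; the size is the bit length of the modulus n.
        return int.from_bytes(parts[2], "big").bit_length()
    raise ValueError("unsupported key type: " + keytype)


def fingerprint(pubkey_line):
    """Return (bits, 'SHA256:...', 'MD5:...', comment) for a public key line."""
    fields = pubkey_line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("not a public key line")
    keytype, b64 = fields[0], fields[1]
    comment = fields[2].strip() if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    parts = list(read_ssh_strings(blob))
    # The blob carries its own type string; a mismatch means a tampered or
    # mislabelled line, so refuse rather than hash it anyway.
    if not parts or parts[0] != keytype.encode("ascii"):
        raise ValueError("declared type does not match blob")
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5hex = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5hex[i:i + 2] for i in range(0, 32, 2))
    return key_bits(keytype, parts), "SHA256:" + sha, "MD5:" + md5, comment


# Constructed sample keys (fixed bytes, not real key material).
SAMPLE_ED25519 = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
).decode() + " constructed@example"

SAMPLE_RSA = "ssh-rsa " + base64.b64encode(
    ssh_string(b"ssh-rsa") + mpint(65537) + mpint((1 << 2047) | 1)
).decode() + " constructed-rsa"


if __name__ == "__main__":
    for line in (SAMPLE_ED25519, SAMPLE_RSA):
        bits, sha, md5, comment = fingerprint(line)
        print(bits, sha, comment)
        print(bits, md5, comment)
```

The SHA256 form is what current ssh-keygen prints by default: the raw digest, base64-encoded with the trailing = padding removed, which is why it is always 43 characters long.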