We can already inject 'from=' restrictions in the output of ``AuthorizedKeyCommand`` but we cannot change the behavior of this command based on the source address. With the source address, it is possible for example to build a "Trust on first use" mechanism similar to the ``StrictHostKeyChecking=accept-new``. This is useful in scenarios where a cluster of computers is automatically provisioned in a trusted environment and then sent in the field. Signed-off-by: Jean-Tiare Le Bigot <jean-tiare.le-bigot@xxxxxxxxxxxx> --- auth2-pubkey.c | 1 + sshd_config.5 | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 2fb5950e..b61706e8 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -933,6 +933,7 @@ user_key_command_allowed2(struct ssh *ssh, struct passwd *user_pw, "t", sshkey_ssh_name(key), "f", key_fp, "k", keytext, + "a", ssh_remote_ipaddr(ssh), (char *)NULL); if (tmp == NULL) fatal("%s: percent_expand failed", __func__); diff --git a/sshd_config.5 b/sshd_config.5 index c6484370..61dd180c 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -1773,10 +1773,12 @@ The key or certificate type. The numeric user ID of the target user. .It %u The username. +.It %a +The connection source IP address. .El .Pp .Cm AuthorizedKeysCommand -accepts the tokens %%, %f, %h, %k, %t, %U, and %u. +accepts the tokens %%, %f, %h, %k, %t, %U, %u and %a. .Pp .Cm AuthorizedKeysFile accepts the tokens %%, %h, %U, and %u. -- 2.17.1 _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
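Review bot: in the auth2-pubkey.c hunk, the value substituted for the new `"a"` token is whatever `ssh_remote_ipaddr(ssh)` reports for the accepted connection, which is the address of the TCP peer sshd is talking to, not necessarily the machine holding the key: a host behind NAT, a jump host or a TCP proxy presents the gateway's address, and when sshd is not reading from a socket the function yields a placeholder rather than an address. For the "trust on first use" scheme the commit message describes, that makes %a a coarse hint for the command to combine with the key fingerprint (%f) and username (%u), not an identity on its own, and the command must tolerate a non-address value; it would help to state this either in the commit message or in the sshd_config.5 text for %a. The addition itself is consistent with how the other tokens are passed to `percent_expand` (string pairs terminated by `(char *)NULL`) and the existing `tmp == NULL` check still covers the expanded result.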
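Review bot: in the sshd_config.5 hunk, the new `.It %a` entry is appended after `.It %u`, which breaks the alphabetical order the token list follows (%%, %f, %h, %k, %t, %U, %u), and the rewritten summary line `accepts the tokens %%, %f, %h, %k, %t, %U, %u and %a.` both moves %a out of order and drops the serial comma that the original line and the neighbouring `AuthorizedKeysFile` line (`%%, %h, %U, and %u.`) use. Suggest placing the entry right after `.It %%` and writing `accepts the tokens %%, %a, %f, %h, %k, %t, %U, and %u.`; the description `The connection source IP address.` could also say that this is the address of the peer sshd accepted the connection from, so readers do not assume it identifies the key holder across NAT or proxies.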