On 10/23/20 4:32 AM, Jan Bergner wrote:
> Hello Damien, Brian and all,
>
> thanks for the suggestions. I actually had not considered host-based authentication and looked it up.
> As I understand from my first quick reading, I would need to specify the clients which are allowed to use host-based auth on the server with a DNS name or an IP, which would not work for a client behind a CG NAT or in a cellular network.
> Or did I get this wrong?

You can use dynamic DNS to obtain a static DNS name. As your IP address changes, the DNS record is updated accordingly. DNS spoofing is not a security risk (beyond DoS) because the host must prove possession of its secret key. This is the approach I recommend.

> So, this is also an answer to Brian. Right now, I cannot simply use IPs.
> (However, it would not be out of reach to simply put all clients on a private VPN. But I would consider that more of a work-around to the original problem.)

Using IP addresses is not a good idea, unless you are using a VPN that prevents spoofing.

> Thanks and best,
> Jan

Sincerely,

Demi
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev