Re: A question about ssh RSA key connection

This is far from an ssh problem, as the connecting source address is selected
by the system, mostly by the default routing set. In your case there are
many IPs in the same VLAN/IP space; the first IP in your IP list will be
chosen, and .130 is the first one.

You may use the "-b" option if you really need to set your source IP
address.


On Sat 2009-08-22 at 12:10 +0800, 徐广 wrote:
> Hi
> I recently met with a problem when trying to set up an ssh connection
> through an ssh key.
> 
> I first create a key through the command ssh-keygen -t rsa -f
> /.ssh/pmcftp_id_rsa -P "" ; two files would be created under /.ssh,
> pmcftp_id_rsa and pmcftp_id_rsa.pub. Then I insert an entry into the
> .pub file - from="47.154.169.129,47.154.169.128" - this should
> restrict the ssh key so that it only works for sources of these two
> IPs.
> Then I push the public key to another server under ~pmcftp/.ssh; after
> that, I start the ssh connection through the command ssh -I pmcftp -i.
> ./ssh/pmcftp_id_rsa <server ip>, and the ssh connection would be set up
> without asking for the passwd.
> But when I create the ssh key on a server that has several IP
> addresses, like the following:
> =====
> ifconfig -a
> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu
> 8232 index 1
>         inet 127.0.0.1 netmask ff000000
> uplink0: flags=1040863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,DEPRECATED,IPv4>
> mtu 1500 index 2
>         inet 47.154.169.130 netmask ffffff00 broadcast 47.154.169.255
>         ether 0:0:bb:2e:74:e
> uplink0:1: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4>
> mtu 1500 index 2
>         inet 47.154.169.128 netmask ffffff00 broadcast 47.154.169.255
> uplink0:2: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4>
> mtu 1500 index 2
>         inet 47.154.169.129 netmask ffffff00 broadcast 47.154.169.255
> uplink1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
>         inet 192.168.47.1 netmask ffffff00 broadcast 192.168.47.255
>         ether 0:0:bb:2e:74:d
> =====
> And added IP 47.154.169.128 and 47.154.169.129 into the from IP list
> entry in the key file, then I push the ssh key to server
> 47.154.169.130 (which should be the same server as the source).
> Then when I try to start the ssh connection through the command ssh -I
> pmcftp -i. ./ssh/pmcftp_id_rsa 47.154.169.130, the key does not work
> anymore, and the log gives info like this
> ==
>  Authentication tried for pmcftp with correct key but not from a
> permitted host (host=iems196-unit0, ip=47.154.169.130)
> ==
> Obviously, here the from IP list does not include 47.154.169.130, and
> the ssh connection treats the from IP as 47.154.169.130, not other IPs
> of this server.
> Then I tried another command:
> ssh -b 47.154.169.128 -I pmcftp -i. ./ssh/pmcftp_id_rsa
> 47.154.169.130, and the key works well again.
> The -b option is binding the from IP to 57.154.169.128 and it's in the
> from IP list in the key file.
> 
> How is the IP of the from side of the ssh connection obtained? When
> the from side of the ssh connection has several IPs, how would the IP
> address be determined by the to side?
> Any info would be highly appreciated, thanks in advance!
> 
> Best regards
> Guang
> 
> --
> 徐广
> 13581797776
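The two mechanisms discussed in this thread, the sshd `from=` restriction on an authorized key and the kernel's choice of source address for an outgoing connection, as an added example that is not part of either message. The Python below is a simplified model of the behaviour documented for OpenSSH's match_host_and_ip()/addr_match_list() (comma-separated patterns, `!` negation, CIDR or plain addresses compared numerically, `*`/`?` wildcards matched against the IP text and case-insensitively against the client hostname); it is not OpenSSH's code. `default_source_address` asks the local kernel which source address routing would pick for a destination, which is exactly the choice `ssh -b` overrides. The addresses and hostname reuse the thread's values; the function names are assumptions made for the example.

```python
"""Model of sshd's from= check and of the kernel's default source-address choice.

Added to illustrate the thread; a simplified reimplementation of the documented
OpenSSH semantics, not OpenSSH code.  Addresses/hostname come from the thread,
function names are constructed for this example.
"""
import ipaddress
import re
import socket


def _wildcard_match(text: str, pattern: str) -> bool:
    """OpenSSH-style glob: '*' matches any run, '?' one character, no [] classes."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, text) is not None


def _parse_cidr(pattern: str):
    """Return an ip_network for 'a.b.c.d' or 'a.b.c.d/len', or None if not an address."""
    try:
        return ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return None


def from_matches(patterns: str, client_host: str, client_ip: str) -> bool:
    """Would sshd accept a key carrying from="<patterns>" for this client?"""
    ip = ipaddress.ip_address(client_ip)
    positive = False
    # Pass 1: address patterns (CIDR, plain IP, or wildcard against the IP text).
    for entry in patterns.split(","):
        neg = entry.startswith("!")
        pat = entry[1:] if neg else entry
        net = _parse_cidr(pat)
        hit = (ip in net) if net is not None else _wildcard_match(client_ip, pat)
        if hit and neg:
            return False      # an explicit negative address match denies outright
        positive |= hit
    # Pass 2: hostname patterns (case-insensitive wildcard match).
    host = client_host.lower()
    for entry in patterns.split(","):
        neg = entry.startswith("!")
        pat = (entry[1:] if neg else entry).lower()
        if _wildcard_match(host, pat):
            if neg:
                return False  # negative hostname match denies
            positive = True
    return positive


def default_source_address(dest_ip: str, dest_port: int = 22):
    """Ask the kernel which local address routing would use for dest_ip.

    Connecting a UDP socket sends nothing but performs the route lookup, so
    getsockname() reveals the source a plain 'ssh <dest>' would get (the
    address 'ssh -b' overrides).  Returns None if there is no route.
    """
    family = socket.AF_INET6 if ":" in dest_ip else socket.AF_INET
    s = socket.socket(family, socket.SOCK_DGRAM)
    try:
        s.connect((dest_ip, dest_port))
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()


def explain_thread() -> dict:
    """The two scenarios from the thread, using its from= list, hostname and IPs."""
    from_list = "47.154.169.129,47.154.169.128"
    host = "iems196-unit0"
    return {
        # plain 'ssh 47.154.169.130' from the same box: the kernel sources from .130
        "primary_ip": from_matches(from_list, host, "47.154.169.130"),
        # 'ssh -b 47.154.169.128 ...': the bound source is in the list
        "bound_ip": from_matches(from_list, host, "47.154.169.128"),
    }


if __name__ == "__main__":
    print(explain_thread())
    print("source address toward 127.0.0.1:", default_source_address("127.0.0.1"))
```

`from_matches` returning False is the condition behind the log line quoted above ("correct key but not from a permitted host"). For a multi-homed client the robust fix on the server side is to list every address the host can legitimately source from, or a CIDR block covering them, rather than a subset of its aliases; on the client side a scripted job should pin the source with `-b` (or `BindAddress` in ssh_config) so that a routing change does not silently turn into an authentication failure.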
