This is far from an ssh problem: the connect source address is selected by the system, mostly by the default routing set. In your case there are many IPs in the same vlan/ip space, and the one chosen will be the first IP in your IP list, so .130 is the first. You may use the "-b" option if you really need to set your source IP address.

On Sat, 2009-08-22 at 12:10 +0800, 徐广 wrote:
> Hi
> I recently met with a problem when trying to set up an ssh connection
> through the ssh key.
>
> I first create a key through the command ssh-keygen -t rsa -f
> /.ssh/pmcftp_id_rsa -P "" ; two files would be created under /.ssh,
> pmcftp_id_rsa and pmcftp_id_rsa.pub. Then I insert an entry into the
> .pub file: from="47.154.169.129,47.154.169.128". This should
> restrict the ssh key so that it only works for sources from these two
> IPs.
> Then I push the public key to another server under ~pmcftp/.ssh. After
> that, I start the ssh connection through the command ssh -l pmcftp -i
> ./.ssh/pmcftp_id_rsa <server ip>, and the ssh connection is set up
> without asking for the password.
>
> But, when I create the ssh key on a server that has several IP
> addresses, like the following:
> =====
> ifconfig -a
> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>         inet 127.0.0.1 netmask ff000000
> uplink0: flags=1040863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,DEPRECATED,IPv4> mtu 1500 index 2
>         inet 47.154.169.130 netmask ffffff00 broadcast 47.154.169.255
>         ether 0:0:bb:2e:74:e
> uplink0:1: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
>         inet 47.154.169.128 netmask ffffff00 broadcast 47.154.169.255
> uplink0:2: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
>         inet 47.154.169.129 netmask ffffff00 broadcast 47.154.169.255
> uplink1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
>         inet 192.168.47.1 netmask ffffff00 broadcast 192.168.47.255
>         ether 0:0:bb:2e:74:d
> =====
> and add IPs 47.154.169.128 and 47.154.169.129 into the from IP list
> entry in the key file, then push the ssh key to server
> 47.154.169.130 (which should be the same server as the source),
> then when I try to start the ssh connection through the command ssh -l
> pmcftp -i ./.ssh/pmcftp_id_rsa 47.154.169.130, the key does not work
> anymore, and the log gives info like this:
> ==
> Authentication tried for pmcftp with correct key but not from a
> permitted host (host=iems196-unit0, ip=47.154.169.130)
> ==
> Obviously, here the from IP list does not include 47.154.169.130, and
> the ssh connection treats the from IP as 47.154.169.130, not the other IPs
> of this server.
> Then I tried another command:
> ssh -b 47.154.169.128 -l pmcftp -i ./.ssh/pmcftp_id_rsa 47.154.169.130
> and the key works well again.
> The -b option binds the from IP to 57.154.169.128, and it's in the
> from IP list in the key file.
>
> How is the IP of the from side of the ssh connection obtained? When
> the from side of the ssh connection has several IPs, how is the IP
> address determined by the to side?
> Any info would be highly appreciated, thanks in advance!
>
> Best regards
> Guang
>
> --
> 徐广
> 13581797776
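The two halves of the answer above, as an added illustration that is not part of this thread or of OpenSSH itself: the kernel, not ssh, picks the source address by a route lookup (the UDP-connect trick below asks it without sending a packet), and sshd's `from=` option is matched against the peer address the server actually sees, which is why .130 is rejected while binding with -b to .128 passes. The pattern matcher follows the documented `authorized_keys` rules (comma-separated list, `*` and `?` wildcards, `!` negation, IP tried first and then the resolved hostname); CIDR entries and the canonical-hostname check of newer OpenSSH are left out, and the host/IP values are the ones from the log line in the question.

```python
import socket


def match_pattern(pattern: str, s: str) -> bool:
    """Glob match using only '*' and '?', the wildcards from= accepts."""
    if not pattern:
        return not s
    if pattern[0] == "*":
        # '*' absorbs any run of characters, including an empty one
        return any(match_pattern(pattern[1:], s[i:]) for i in range(len(s) + 1))
    if not s:
        return False
    if pattern[0] == "?" or pattern[0] == s[0]:
        return match_pattern(pattern[1:], s[1:])
    return False


def match_pattern_list(pattern_list: str, s: str) -> int:
    """1 if a positive pattern matched, -1 if a '!'-negated one did, 0 if nothing matched.

    A negated match wins immediately, as in sshd: '!' entries are a deny list.
    """
    result = 0
    for raw in pattern_list.split(","):
        pat = raw.strip()
        if not pat:
            continue
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if match_pattern(pat, s):
            if negated:
                return -1
            result = 1
    return result


def from_allows(from_list: str, host: str, ip: str) -> bool:
    """Decide whether from="<from_list>" accepts a client sshd sees as (host, ip).

    Simplified from OpenSSH: the peer IP is tested first; a negated hit denies,
    a positive hit allows, otherwise the reverse-resolved hostname is tried.
    """
    verdict = match_pattern_list(from_list, ip)
    if verdict == -1:
        return False
    if verdict == 1:
        return True
    return match_pattern_list(from_list, host) == 1


def default_source_address(dest_ip: str, port: int = 22):
    """Ask the kernel which local address it would use towards dest_ip.

    A UDP connect() only performs the route lookup; no packet leaves the host.
    Returns None when there is no route (e.g. an offline sandbox).
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.connect((dest_ip, port))
            return s.getsockname()[0]
    except OSError:
        return None


if __name__ == "__main__":
    # Values from the question: key restricted to .129 and .128, server saw .130
    from_list = "47.154.169.129,47.154.169.128"
    for ip in ("47.154.169.130", "47.154.169.128"):
        print(ip, "permitted" if from_allows(from_list, "iems196-unit0", ip) else "denied")
    print("kernel would source traffic to 47.154.169.130 from:",
          default_source_address("47.154.169.130"))
```

Run it on the multi-homed box and the last line shows the address the route lookup picks for the destination; if that address is not in the `from=` list, only `ssh -b <listed address>` (or a `BindAddress` entry in `ssh_config`) makes the server see a permitted source.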