[j-nsp] limiting SSH public key authentication

Daniel Verlouw daniel at eu.tachyon.net
Wed Dec 15 06:49:22 EST 2004


Hi guys,

Does anyone know if it's possible to limit access for SSH public keys 
to certain source IP addresses?

For example, in the OpenSSH daemon it's possible to add options to the 
authorized_keys file. The sshd man page describes the following:

      from="pattern-list"
              Specifies that in addition to public key authentication, the
              canonical name of the remote host must be present in the
              comma-separated list of patterns ('*' and '?' serve as
              wildcards).  The list may also contain patterns negated by
              prefixing them with '!'; if the canonical host name matches a
              negated pattern, the key is not accepted.  The purpose of this
              option is to optionally increase security: public key
              authentication by itself does not trust the network or name
              servers or anything (but the key); however, if somebody somehow
              steals the key, the key permits an intruder to log in from
              anywhere in the world.  This additional option makes using a
              stolen key more difficult (name servers and/or routers would
              have to be compromised in addition to just the key).


However, when trying this option on Juniper M-series with 6.1-domestic, 
it gives me the following error message:

noc at nlambrt1# set ssh-dsa "from=\"192.168.0.1\" ssh-dss <public key in here> user at machine"
Key format must be 'ssh-dss <base64-encoded-DSA-key> <comment>'
error: statement creation failed: ssh-dsa


Is this simply a CLI parsing limitation or does the JUNOS sshd not 
support this option at all?

Thanks,

--
Daniel Verlouw
Network Engineer

TACHYON Europe BV
Orly Plaza Building, Orly Plein 149
1043 DV Amsterdam, The Netherlands
Direct Line: +31 (0)20 581 77 95
Fax Number : +31 (0)20 682 25 78
http://www.tachyon.net

Technical Support: +31 (0)20 581 77 91 / support at tachyon.net
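As an added illustration (not part of the original post, and not OpenSSH's or JUNOS's code): a small Python model of how the OpenSSH sshd evaluates the from= option quoted above, following the semantics of its match_pattern_list() (a negated pattern that matches always rejects, otherwise at least one positive pattern must match), applied to both the canonical host name and the client IP as current sshd does. The authorized_keys line, host names, addresses and the key blob are constructed placeholders; CIDR patterns and escaped quotes in options are deliberately left out.

```python
import re


def match_pattern(s: str, pat: str) -> bool:
    """OpenSSH-style glob used by from=: '*' matches any run of characters,
    '?' matches exactly one character; comparison is case-insensitive."""
    s, pat = s.lower(), pat.lower()
    if not pat:
        return s == ""
    if pat[0] == "*":
        return any(match_pattern(s[i:], pat[1:]) for i in range(len(s) + 1))
    return bool(s) and pat[0] in ("?", s[0]) and match_pattern(s[1:], pat[1:])


def match_pattern_list(s: str, pattern_list: str) -> int:
    """Mirror of sshd's match_pattern_list(): -1 as soon as a '!'-negated
    pattern matches (negation always wins), 1 if a positive pattern matched
    and no negation did, 0 if nothing matched."""
    got_positive = 0
    for pat in (p.strip() for p in pattern_list.split(",")):
        if pat.startswith("!"):
            if match_pattern(s, pat[1:]):
                return -1
        elif match_pattern(s, pat):
            got_positive = 1
    return got_positive


def from_option_allows(from_list: str, remote_host: str, remote_ip: str) -> bool:
    """Simplified model of sshd applying from=: both the canonical host name
    and the client IP are tested; any negated hit rejects the key, otherwise
    at least one positive hit is required (real sshd also accepts CIDR blocks
    for the IP test, which is not modelled here)."""
    results = (match_pattern_list(remote_host, from_list),
               match_pattern_list(remote_ip, from_list))
    return -1 not in results and 1 in results


def from_list_of(authorized_keys_line: str) -> str:
    """Extract the from="..." value from an authorized_keys line ('' if absent).
    Simplified parse: no escaped quotes inside option values."""
    m = re.search(r'(?:^|,)from="([^"]*)"', authorized_keys_line)
    return m.group(1) if m else ""


# Constructed example line; the key blob is a placeholder, not real key material.
LINE = ('from="192.168.0.1,*.noc.example.net,!bad.noc.example.net" '
        'ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER noc@nlambrt1')


def key_usable_from(remote_host: str, remote_ip: str, line: str = LINE) -> bool:
    """True if the key on `line` may authenticate a client at host/IP."""
    from_list = from_list_of(line)
    return True if not from_list else from_option_allows(from_list, remote_host, remote_ip)
```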