[j-nsp] limiting SSH public key authentication
Vladimir S. Blazhkun
xeroform at internet2.ru
Mon Dec 20 18:55:07 EST 2004
> Daniel Verlouw writes:
>> noc at nlambrt1# set ssh-dsa "from=\"192.168.0.1\" ssh-dss <public key in
>> here> user at machine"
>> Key format must be 'ssh-dss <base64-encoded-DSA-key> <comment>'
>> error: statement creation failed: ssh-dsa
>>
>> Is this simply a CLI parsing limitation or does the JUNOS sshd not
>> support this option at all?
>
> This error is reported when the ssh key fails our base64 encoding test.
>
> There's a "from" statement that can be configured under any ssh key
> to limit access. It was added 2002-08-28, so it should be in any
> sw image you are running.
>
> [edit system login user phil authentication]
> root at dent# show
> ssh-rsa "1024 35 secret phil at juniper.net" from 10.1.2.3; ## SECRET-DATA
>
> Thanks,
> Phil
Phil, just tested this feature, think that at least in JunOS 6.2R2.4 it doesn't work.
[edit system root-authentication]
# set ssh-dsa "ssh-dss AAAAB3NzaC1kc3MAAAEBANB[:skipped:]==" from x.x.x.84
# show
ssh-dsa "ssh-dss AAAAB3NzaC1kc3MAAAEBANB[:skipped:]== from="x.x.x.84""
# commit and-quit
commit complete
Exiting configuration mode
> show log messages | last
[:skipped:]
Dec 21 02:40:51 jm5 sshd[50600]: Accepted publickey for root from x.x.x.114 port 43873 ssh2
So I can log in from any host with that pubkey.
Edited ~/.ssh/authorized_keys2 by hand (moved 'from=\"x.x.x.48\"' from the end of the
pubkey string to the beginning of it) - all works fine.
If this is my mistake, please point it out. Thanks.
--
Vladimir S. Blazhkun,
Lead IP NCC Specialist, OOO "PCS-Moscow",
Work phone: +7 095 7847617.
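
The symptom reported above fits the OpenSSH authorized_keys layout (options, key type, base64 key, comment): a from= that lands after the key is read as comment text and restricts nothing. The following audit check is an added example, not code from the original post or from Juniper; the function name, the status labels and the sample lines (placeholder key data, documentation-range addresses) are constructed for illustration.

```python
import re

# Key types that mark the start of the key field in an authorized_keys line.
KEY_TYPES = {"ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# Whitespace-separated fields; double-quoted runs (with \" escapes) stay whole.
TOKEN_RE = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')
# Option names that only take effect when placed BEFORE the key type.
OPTION_RE = re.compile(r'\b(from|command|environment|permitopen)=', re.I)


def audit_line(line):
    """Classify one authorized_keys line (hypothetical helper).

    Returns (status, detail):
      restricted   - a from= option sits in the options field
      misplaced    - option-like text sits in the comment, where it is ignored
      unrestricted - valid key with no source restriction
      invalid      - no key type found, or layout not options/type/key/comment
    """
    tokens = TOKEN_RE.findall(line.strip())
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    # The options field is a single token, so the key type is field 0 or 1.
    if idx is None or idx > 1 or idx + 1 >= len(tokens):
        return "invalid", None
    options = tokens[0] if idx == 1 else ""
    comment = " ".join(tokens[idx + 2:])
    if OPTION_RE.search(comment):
        return "misplaced", comment
    if re.search(r'(^|,)from=', options):
        return "restricted", options
    return "unrestricted", None


# Constructed sample lines; the key blob is a placeholder, not a real key.
SAMPLE = [
    'ssh-dss AAAAPLACEHOLDER== from="192.0.2.84"',             # option after key
    'from="192.0.2.84" ssh-dss AAAAPLACEHOLDER== admin@example',  # option first
    'ssh-dss AAAAPLACEHOLDER== admin@example',                 # no restriction
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit_line(entry), "<-", entry)
```
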