[j-nsp] limiting SSH public key authentication

Vladimir S. Blazhkun xeroform at internet2.ru
Mon Dec 20 18:55:07 EST 2004


> Daniel Verlouw writes:
>> noc at nlambrt1# set ssh-dsa "from=\"192.168.0.1\" ssh-dss <public key in
>> here> user at machine"
>> Key format must be 'ssh-dss <base64-encoded-DSA-key> <comment>'
>> error: statement creation failed: ssh-dsa
>>
>> Is this simply a CLI parsing limitation or does the JUNOS sshd not
>> support this option at all?
>
> This error is reported when the ssh key fails our base64 encoding test.
>
> There's a "from" statement that can be configured under any ssh key
> to limit access.  It was added 2002-08-28, so it should be in any
> sw image you are running.
>
>    [edit system login user phil authentication]
>    root at dent# show
>    ssh-rsa "1024 35 secret phil at juniper.net" from 10.1.2.3; ## SECRET-DATA
>
> Thanks,
> Phil

Phil, I just tested this feature and think that, at least in JunOS 6.2R2.4, it doesn't work.

[edit system root-authentication]
# set ssh-dsa "ssh-dss AAAAB3NzaC1kc3MAAAEBANB[:skipped:]==" from x.x.x.84 
# show
ssh-dsa "ssh-dss AAAAB3NzaC1kc3MAAAEBANB[:skipped:]== from="x.x.x.84""
# commit and-quit
commit complete
Exiting configuration mode

> show log messages | last

[:skipped:]
Dec 21 02:40:51  jm5 sshd[50600]: Accepted publickey for root from x.x.x.114 port 43873 ssh2

So I can log in from any host with that pubkey.

Edited ~/.ssh/authorized_keys2 by hand (moved 'from=\"x.x.x.48\"' from the end of
the pubkey string to the beginning of it) - all works fine.

If this is my mistake, please point it out. Thanks.

-- 
Vladimir S. Blazhkun,
Lead IP NCC Specialist, OOO "PCS-Moscow",
Work phone: +7 095 7847617.
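
An added example, not part of the original post and not JUNOS or OpenSSH code: a small audit of authorized_keys lines that flags a `from=` restriction stored after the key blob, the placement the test above found did not limit logins, as opposed to before the key type. The key blobs and 192.0.2.x addresses are constructed sample data, and the key-type list is an assumed subset.

```python
import re

# Subset of key-type names that start the key field (assumption: extend as needed).
KEY_TYPES = {"ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def split_fields(line):
    """Split on whitespace but keep double-quoted runs whole."""
    return re.findall(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+', line)

def audit_line(line):
    """Classify one line: skip, invalid, restricted, misplaced or unrestricted."""
    line = line.strip()
    if not line or line.startswith("#"):
        return "skip"
    fields = split_fields(line)
    if fields and fields[0] in KEY_TYPES:
        options, rest = "", fields
    elif len(fields) > 1 and fields[1] in KEY_TYPES:
        options, rest = fields[0], fields[1:]
    else:
        return "invalid"
    if len(rest) < 2:
        return "invalid"          # key type without a key blob
    if re.search(r'(?:^|,)from="', options, re.I):
        return "restricted"       # option precedes the key type
    comment = " ".join(rest[2:])
    if re.search(r'\bfrom=', comment, re.I):
        return "misplaced"        # sits in the comment field after the key
    return "unrestricted"

def audit(text):
    """Return [(line_number, status)] for every key line in an authorized_keys text."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        status = audit_line(line)
        if status != "skip":
            results.append((number, status))
    return results

# Constructed sample: shortened, non-functional key blobs and documentation addresses.
SAMPLE = """\
# constructed authorized_keys sample
ssh-dss AAAAB3NzaC1kc3MAAACBAconstructed== from="192.0.2.84"
from="192.0.2.84" ssh-dss AAAAB3NzaC1kc3MAAACBAconstructed== root@noc
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed== ops@noc
"""

if __name__ == "__main__":
    for number, status in audit(SAMPLE):
        print(f"line {number}: {status}")
```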

