On Thu, Aug 10, 2000 at 12:15:09PM -0400, Noel L Yap wrote:
> [EMAIL PROTECTED] on 2000.08.10 08:43:36
> >I *highly* recommend not using world-accessible authorized_keys files;
> >restrict them by IP address.
> 
> I've been wondering, how does this restriction work?  Does the
> client send over its IP address to the server?  If so, can't someone
> patch the client to send over a different IP address?

It just makes the server check the source IP address of the socket the
authentication is coming in over (i.e., your ssh connection).  Similar
to a .rhosts file, sort of.

If I have a restriction in my authorized_keys file saying e.g.

from="222.111.0.99,192.168.1.1" 1024 33 <public key data>

then I will only be able to use ssh's RSA-based challenge
authentication (the one ssh-agent uses, usually based on
~/.ssh/identity) directly from the machines with the IP addresses
222.111.0.99 and 192.168.1.1 (both of which are made up).

Eivind.
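
The server-side check described in the message above, sketched as an added example (not part of the original thread and not OpenSSH's code): the address compared against from= is the peer address of the accepted socket, never a value the client supplies. The function names and sample entries are constructed for illustration. The sketch goes slightly beyond the message by also handling the wildcard, negation and CIDR forms that sshd(8) pattern lists allow, and it ignores hostname patterns.

```python
import fnmatch
import ipaddress
import re

# Constructed entries in the SSH1 "bits exponent modulus" layout used above;
# the moduli are placeholders, not real keys.
ENTRIES = [
    'from="222.111.0.99,192.168.1.1" 1024 33 12345 user@example',
    'no-pty,from="10.0.0.0/8,!10.0.0.66" 1024 33 67890 ops@example',
    '1024 33 24680 unrestricted@example',
]

# Leading option list, optionally with other options before from="...".
OPTION_PREFIX = re.compile(r'(?:[\w-]+(?:="[^"]*")?,)*from="([^"]*)"')


def from_patterns(entry):
    """Return the from= pattern list of an entry, or None if it has none."""
    m = OPTION_PREFIX.match(entry.strip())
    return m.group(1).split(",") if m else None


def pattern_matches(pattern, peer_ip):
    """Match one pattern: CIDR block, or address with * and ? wildcards."""
    if "/" in pattern:
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(peer_ip) in network
    return fnmatch.fnmatchcase(peer_ip, pattern)


def source_allowed(entry, peer_ip):
    """Decide whether a key entry may be used from peer_ip.

    peer_ip stands for the remote address of the accepted TCP socket
    (what getpeername() reports on the server); the client never sends it.
    """
    patterns = from_patterns(entry)
    if patterns is None:
        return True  # no from= option: the key is usable from any address
    allowed = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if pattern_matches(pattern[1:], peer_ip):
                return False  # a negated match rejects outright
        elif pattern_matches(pattern, peer_ip):
            allowed = True
    return allowed
```

An entry with no from= option, like the third sample, is accepted from every address, which is the situation the original recommendation warns against.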
