Block ssh logins for specific hostnames (CNAMES) all bound to same IP ???
Daniel Freedman
freedman at physics.cornell.edu
Mon Mar 18 15:46:21 EST 2002
Hi,
I'm interested in the ability to block ssh logins (or alternatively, not
have sshd answer client requests) for certain hostnames that are DNS CNAME
aliases to the canonical name for a given IP address.
To tell you the truth, I don't think this is currently possible through this
setup, and may look further to try to block it at the firewall, but that's a
different discussion... :)
Essentially, let's say I have:
public.domain.com IN CNAME myserver.domain.com
www.domain.com IN CNAME myserver.domain.com
myserver.domain.com IN A 1.2.3.4
I don't want (for abstraction purposes, and ability to later change internal
names) users to be able to 'ssh www.domain.com' or 'ssh
myserver.domain.com', but instead require that they 'ssh public.domain.com'.
I've searched the mail archives without much success, other than the
following slightly orthogonal message:
List: openssh-unix-dev
Subject: Re: OpenSSH Key Storage
From: Carson Gaspar <carson at taltos.org>
Date: 2002-02-01 18:18:08
[Download message RAW]
If you want to bind identity to a server, you have only 2 valid options:
- Pass the server's identity in-band, and have the client use that when
validating keys. This avoids a layering violation.
- Have the client validate the key against the layer 3/4 info - i.e. the
IP:PORT pair.
Nothing else is sane. Servers on different ports are different servers,
that may, or may not, have the same keys. Requiring config file gymnastics
is bogus.
Sadly, after reading the RFC, it looks like the server never sends its name
during the key exchange, making the first (and better) option impossible. I
hope I'm wrong and just mis-understood the documents.
--
Carson
I've also examined what I thought would do the trick:
ListenAddress:
Specifies the local addresses sshd should listen on. The following forms
may be used:
ListenAddress host|IPv4_addr|IPv6_addr
ListenAddress host|IPv4_addr:port
ListenAddress [host|IPv6_addr]:port
If port is not specified, sshd will listen on the address and all prior Port
options specified. The default is to listen on all local addresses.
Multiple ListenAddress options are permitted. Additionally, any Port options
must precede this option for non port qualified addresses.
But it seemed to still pick up all connections to any CNAME, and probably
for the following reason:
I'm pretty sure that the ssh client contacts the server based upon the DNS
resolution of the hostname to IP address, and the sshd server only sees an
incoming client request, so I imagine that the only possibility that sshd
would know what hostname the client requested were if the client passed this
argument to the server.
Finally, I'm obviously aware that I could simply register separate IP
addresses for these hostnames, and either include multiple NIC's in the
server or simply bind multiple distinct IP addresses to the same NIC, and
then have sshd easily achieve the distinction between hostnames on IP
addresses, but I'd still first prefer to see if I could achieve my goals as
above.
Anyway, thanks so much for producing such a fine tool, and thanks also for
any suggestions.
Take care,
Daniel
--
Daniel A. Freedman
Laboratory for Atomic and Solid State Physics
Department of Physics
Cornell University
More information about the openssh-unix-dev
mailing list