Handling connection depending on the client computer public key fingerprint

Mike Spinzer mspinzer at yahoo.com
Sat Oct 22 07:40:30 EST 2011


I try to find a way to handle SSH connections differently depending on whether they come from a 'trusted' computer or from an unknown computer (for instance giving access to a shell versus allowing only scp/sftp in a chrooted environment).
Using the IP address is not a solution since a trusted computer can be a laptop that is connected somewhere on the Internet.
One solution could be to use the client public key fingerprint; the server would then keep a whitelist of public key fingerprints that represent the trusted computers.

However, I can't find a way to implement this.
I tried with the Match directive, but this one doesn't take such a parameter.
I tried too with a ForceCommand, but found no way to configure sshd to transmit the public key fingerprint to the script.

Is there any way to do that?

Thanks a lot for your help,

Mike S.
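As an added illustration of the fingerprint-whitelist idea described in the post (this is editor-supplied example code, not part of the thread or of OpenSSH), the script below computes the fingerprint of an OpenSSH public key blob and emits an authorized_keys entry: trusted fingerprints get a plain entry, everything else gets the per-key options that confine the session to internal-sftp. The two keys are constructed placeholders, not real keys; the chroot itself still has to come from a ChrootDirectory setting in sshd_config.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the OpenSSH public key wire format."""
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(key_type: str, raw: bytes, comment: str) -> str:
    """Build an authorized_keys-style line: type, base64 blob, comment."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(raw)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample keys (placeholders, not real key material).
TRUSTED_LAPTOP = make_pubkey_line("ssh-ed25519", bytes(range(32)), "laptop")
UNKNOWN_HOST = make_pubkey_line("ssh-ed25519", bytes(32), "unknown")


def fingerprint(pubkey_line: str, hash_name: str = "sha256") -> str:
    """Fingerprint of the decoded key blob; the comment field does not count."""
    blob = base64.b64decode(pubkey_line.split()[1])
    if hash_name == "md5":  # legacy colon-separated hex form
        digest = hashlib.md5(blob).hexdigest()
        return ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Per-key options that restrict an unknown computer to sftp only.
SFTP_ONLY_OPTIONS = ('command="internal-sftp",no-pty,no-port-forwarding,'
                     'no-X11-forwarding,no-agent-forwarding')


def authorized_keys_entry(pubkey_line: str, trusted: set) -> str:
    """Return the authorized_keys line to use for this key, by fingerprint."""
    key_type, key_b64 = pubkey_line.split()[:2]
    if fingerprint(pubkey_line) in trusted:
        return f"{key_type} {key_b64}"
    return f"{SFTP_ONLY_OPTIONS} {key_type} {key_b64}"


if __name__ == "__main__":
    whitelist = {fingerprint(TRUSTED_LAPTOP)}
    for line in (TRUSTED_LAPTOP, UNKNOWN_HOST):
        print(authorized_keys_entry(line, whitelist))
```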
