Handling connection depending on the client computer public key fingerprint

Iain Morgan imorgan at nas.nasa.gov
Sat Oct 22 10:19:25 EST 2011

On Fri, Oct 21, 2011 at 15:40:30 -0500, Mike Spinzer wrote:
> Hello,
> I try to find a way to handle SSH connections differently depending if it comes from a 'trusted" computer or from an unknown computer (for instance giving access to a shell versus allowing only scp/sftp in a chrooted environment).
> Using the IP address is not a solution since a trusted computer can be a laptop that is connected somewhere on Internet.
> One solution could be to use the client public key fingerprint; the server would then keep a whitelist of public key fingerprints that represent the trusted computers.
> However I can't find a way to implement this.
> I tried with the Match directive, but this one doesn't take such a parameter.
> I tried too with a ForceCommand, but found no way to configure sshd to transmit the public key fingerprint to the script.
> Is there any way to do that?
> Thanks a lot for your help,

You first need to define what you mean by "trusted computer" in this
context. You presumably mean a set of public-keys for which you have
greater confidence and are thus willing to permit greater access.
However, unless the client and server systems are configured to use
hostbased authentication, the public key is really associated with a user, _not_
a computer. In that case, you could place all "untrusted" users in a single
group and use the Match directive to force a command such as
sftp-server. Or you could set the shell for these untrusted users to
scponly; assuming that scponly is still around.

Iain Morgan
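The group-based approach from the reply above, written out as an added example (not configuration from the original thread or from the OpenSSH project). The group name sftponly, the chroot path /srv/sftp/%u and the key comment are assumptions chosen for illustration. It uses internal-sftp rather than the external sftp-server binary, because the in-process server needs no binaries or libraries inside the chroot. The second fragment shows the per-key alternative: since the key identifies the user, not the machine, an individual key can still be restricted with a command= option in that user's authorized_keys.

```conf
# /etc/ssh/sshd_config (excerpt; constructed example)

# Use the in-process SFTP server so a chroot needs no binaries.
Subsystem sftp internal-sftp

# Everything below applies only to accounts in group "sftponly"
# (an assumed group name). Match blocks must come after the global
# options and extend to the end of the file or the next Match line.
Match Group sftponly
    # Chroot root must be owned by root and not group/world writable;
    # give the user a writable subdirectory (e.g. /srv/sftp/<user>/upload).
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    # Close the side channels a forced command would otherwise leave open.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
    PasswordAuthentication no

# ~/.ssh/authorized_keys of a normal shell user (constructed example):
# the key below is pinned to SFTP only, while the user's other keys
# still get a shell. Key material elided.
command="internal-sftp",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... laptop-only-key
```

To check which block a given login would hit before reloading, run `sshd -T -C user=bob,host=laptop.example.org,addr=203.0.113.7` (names and address assumed) and confirm that `forcecommand` and `chrootdirectory` come out as expected for a member of the group and are absent for a trusted user. Note that `PermitTTY` is only honoured by newer sshd releases; on older servers the `no-pty` key option is the way to deny a terminal.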
