Daniel Freedman
2002-Mar-18 04:46 UTC
Block ssh logins for specific hostnames (CNAMES) all bound to same IP ???
Hi,

I'm interested in the ability to block ssh logins (or alternatively, not have sshd answer client requests) for certain hostnames that are DNS CNAME aliases to the canonical name for a given IP address. To tell you the truth, I don't think this is currently possible through this setup, and may look further to try to block it at the firewall, but that's a different discussion... :)

Essentially, let's say I have:

    public.domain.com    IN CNAME myserver.domain.com
    www.domain.com       IN CNAME myserver.domain.com
    myserver.domain.com  IN A     1.2.3.4

I don't want (for abstraction purposes, and ability to later change internal names) users to be able to 'ssh www.domain.com' or 'ssh myserver.domain.com', but instead require that they 'ssh public.domain.com'.

I've searched the mail archives without much success, other than the following slightly orthogonal message:

    List:    openssh-unix-dev
    Subject: Re: OpenSSH Key Storage
    From:    Carson Gaspar <carson at taltos.org>
    Date:    2002-02-01 18:18:08

    If you want to bind identity to a server, you have only 2 valid options:

    - Pass the server's identity in-band, and have the client use that when
      validating keys. This avoids a layering violation.
    - Have the client validate the key against the layer 3/4 info - i.e. the
      IP:PORT pair.

    Nothing else is sane. Servers on different ports are different servers,
    that may, or may not, have the same keys. Requiring config file
    gymnastics is bogus.

    Sadly, after reading the RFC, it looks like the server never sends its
    name during the key exchange, making the first (and better) option
    impossible. I hope I'm wrong and just misunderstood the documents.

    -- Carson

I've also examined what I thought would do the trick:

    ListenAddress
        Specifies the local addresses sshd should listen on. The following
        forms may be used:

            ListenAddress host|IPv4_addr|IPv6_addr
            ListenAddress host|IPv4_addr:port
            ListenAddress [host|IPv6_addr]:port

        If port is not specified, sshd will listen on the address and all
        prior Port options specified. The default is to listen on all local
        addresses. Multiple ListenAddress options are permitted.
        Additionally, any Port options must precede this option for non-port-
        qualified addresses.

But it seemed to still pick up all connections to any CNAME, and probably for the following reason: I'm pretty sure that the ssh client contacts the server based upon the DNS resolution of the hostname to IP address, and the sshd server only sees an incoming client request, so I imagine that the only possibility that sshd would know what hostname the client requested were if the client passed this argument to the server.

Finally, I'm obviously aware that I could simply register separate IP addresses for these hostnames, and either include multiple NICs in the server or simply bind multiple distinct IP addresses to the same NIC, and then have sshd easily achieve the distinction between hostnames on IP addresses, but I'd still first prefer to see if I could achieve my goals as above.

Anyway, thanks so much for producing such a fine tool, and thanks also for any suggestions.

Take care,
Daniel

--
Daniel A. Freedman
Laboratory for Atomic and Solid State Physics
Department of Physics
Cornell University
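Added example (not from Daniel's post and not OpenSSH code): a tiny in-memory resolver that follows CNAME chains the way an ssh client's resolver does, to show why every alias of one A record lands on the same sshd listener, and why giving public.domain.com its own address (1.2.3.5 is an assumed value) is what lets a ListenAddress line distinguish it. The zone data is constructed from the names in the post.

```python
# Constructed zone from the post: three names, one A record.
ZONE = {
    "public.domain.com":   ("CNAME", "myserver.domain.com"),
    "www.domain.com":      ("CNAME", "myserver.domain.com"),
    "myserver.domain.com": ("A", "1.2.3.4"),
}

# Assumed alternative: public.domain.com gets its own address (1.2.3.5 is
# made up), the other names keep resolving to 1.2.3.4.
SPLIT_ZONE = {
    "public.domain.com":   ("A", "1.2.3.5"),
    "www.domain.com":      ("CNAME", "myserver.domain.com"),
    "myserver.domain.com": ("A", "1.2.3.4"),
}


def resolve(name, zone, max_hops=8):
    """Follow CNAMEs until an A record; return (canonical_name, ip).
    Raises on unknown names and on CNAME loops, as a real resolver would."""
    seen = set()
    while True:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        rtype, value = zone.get(name, (None, None))
        if rtype == "A":
            return name, value
        if rtype == "CNAME":
            name = value
            continue
        raise KeyError(f"no record for {name}")


def names_reaching(zone, ip):
    """Every name in the zone that a user could type and end up at `ip`."""
    return sorted(n for n in zone if resolve(n, zone)[1] == ip)


def sshd_accepts(listen_addrs, requested_name, zone):
    """Model of what sshd sees: only the destination IP of the TCP connection.
    The hostname the user typed never reaches the server, so the only lever
    is which addresses appear in ListenAddress."""
    _, ip = resolve(requested_name, zone)
    return ip in listen_addrs
```

With the original zone, a listener on 1.2.3.4 necessarily accepts all three names; with the split zone, `ListenAddress 1.2.3.5` accepts only public.domain.com.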