Our big-data cluster nodes are configured for passwordless (key-based) SSH login to each other.
To improve security, I modified /etc/ssh/sshd_config to require AuthenticationMethods publickey,password, meaning that both the key and the password are needed to log in.
With this security setting, the passwordless logins between the cluster nodes no longer work. Is there some configuration that, under this requirement, lets a specific IP address connect without that verification?
1
PbCopy111 2020-09-18 17:33:31 +08:00
https://unix.stackexchange.com/questions/353044/how-to-restrict-an-ssh-key-to-certain-ip-addresses
Yes. In the file ~/.ssh/authorized_keys on the server, each entry now probably looks like

    ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT comment

(or similar). There is an optional first column that may contain options. These are described in the sshd manual. One of the options is

    from="pattern-list"
        Specifies that in addition to public key authentication, either the canonical name of the remote host or its IP address must be present in the comma-separated list of patterns. See PATTERNS in ssh_config(5) for more information on patterns. In addition to the wildcard matching that may be applied to hostnames or addresses, a from stanza may match IP addresses using CIDR address/masklen notation. The purpose of this option is to optionally increase security: public key authentication by itself does not trust the network or name servers or anything (but the key); however, if somebody somehow steals the key, the key permits an intruder to log in from anywhere in the world. This additional option makes using a stolen key more difficult (name servers and/or routers would have to be compromised in addition to just the key).

This means that you should be able to modify ~/.ssh/authorized_keys from

    ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT comment

to

    from="pattern" ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT comment

Where pattern is a pattern matching the client host that you're connecting from, for example by its public DNS name, IP address, or some network block:

    from="192.168.1.0/24" ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT comment

(this would only allow the use of this key from a host in the 192.168.1.* network)
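One way to do what the question asks while keeping the global key-plus-password rule, as an added example that is not from this thread or the linked answer: relax AuthenticationMethods only for the cluster subnet with a Match block in sshd_config. The subnet 10.0.0.0/24 and the account name hadoop are placeholders. Note that the from= option quoted above limits where a key may be used but does not by itself lift the password requirement; that is what the Match block does.

```sshd_config
# Added example, not from the original thread: /etc/ssh/sshd_config fragment.
# Assumptions (placeholders): cluster nodes live in 10.0.0.0/24 and the
# cluster service account is "hadoop".

# Global policy: every login needs the key AND the password.
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password

# Exception for cluster-internal connections only. Match blocks must come
# after the global settings; this one applies until the next Match or the
# end of the file. Both criteria (source address and user) must match.
Match Address 10.0.0.0/24 User hadoop
    AuthenticationMethods publickey
```

Pair this with a `from="10.0.0.0/24"` prefix on the cluster key in ~hadoop/.ssh/authorized_keys so that key is unusable from outside the subnet, and confirm the effective policy for a given peer with `sshd -T -C user=hadoop,addr=10.0.0.5,host=node2` (after `sshd -t` for a syntax check) before reloading the service.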