Setting up SSH access question



On all of our servers SSH is installed and configured. SSH is set up to
use only pub/priv keys, no password.

I have created a non-privileged account on each server. For this
account the 'authorized_keys' file contains 1 pub key for a specific
unix system.
The purpose is to have a central system that we can use to fetch
information on all servers via SSH and via the cron. Thus this central
system contains the private key of the user whose public key is in the
'authorized_keys' of the account I created on each server.
This works great (since the private key is on the central system, I
can put entries in the cron that use SSH to go on every server) but
this is also a security risk since when the central system is
hacked, one could get on every system (albeit as a non-privileged user
but still ...). I can harden the central system enough to limit the
chance of hacking.

However, what I want to prevent is that people copy the private key of the
user on the central system over to their system and start accessing
all servers from their system. Therefore I would like to specify on
all the servers that the account I created can only be used from a
specific server.
I looked at host-based authentication but this is not what I want
since it will authenticate the users only based upon the hosts from
where they are trying to access the system.
I would like to have the authentication based upon the pub/priv keys
AND specify the hosts that are allowed to connect as that specific
user to the servers.

Is this possible?

Any help much appreciated.


Re: Setting up SSH access question

% man sshd
             Specifies that in addition to RSA authentication, the canonical
             name of the remote host must be present in the comma-separated
             list of patterns (`*' and `?' serve as wildcards)...

  Richard Silverman
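The man page text quoted in the reply is the from="pattern-list" option of the authorized_keys file: the key is still required, and on top of that the connecting host must match one of the patterns. The following is an added example, not code from the original thread: a constructed authorized_keys file in which the collector key is bound to the central host, plus a small POSIX shell audit that lists every key in such a file that lacks a from= restriction. Hostnames, addresses, account names and key blobs are made-up placeholders. Two caveats that a practitioner should keep in mind: from= limits where the key is accepted, not whether it can be copied, so whoever compromises the central host can still use the key from there; and a hostname pattern is matched against the canonical name obtained via reverse DNS, so where the central host has a fixed address an IP address pattern (which current sshd also accepts in from=) is the more robust choice.

```shell
#!/bin/sh
# Added example, not from the original thread. Hostnames, addresses and key
# blobs below are constructed placeholders, not real keys.

# Constructed authorized_keys content for the collector account on one server:
#  - the first key is bound to the central host (by name and by address);
#  - the second has options but no from=, so it is accepted from anywhere;
#  - the third has no options at all.
SAMPLE_KEYS='# collector key, only usable from the central host
from="central.example.com,10.0.0.5" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdummy1 collector@central

no-pty,command="uptime" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummy2 backup@central
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdummy3 admin@laptop'

# Write the constructed sample to the path given as $1.
write_sample_keys() {
    printf '%s\n' "$SAMPLE_KEYS" > "$1"
}

# List every key line in the authorized_keys file $1 that has no from= option.
# Options, when present, precede the key type, so only the fields before the
# first ssh-/ecdsa-/sk- token are inspected. Blank and comment lines are skipped.
keys_without_from() {
    awk '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        {
            has_from = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
                if ($i ~ /(^|,)from="/) has_from = 1
            }
            if (!has_from) print
        }' "$1"
}

# Demo: audit the constructed sample and print the keys that are not pinned
# to any host.
demo_file="${TMPDIR:-/tmp}/authorized_keys.demo.$$"
write_sample_keys "$demo_file"
echo "Keys accepted from any host (missing from=):"
keys_without_from "$demo_file"
rm -f "$demo_file"
```

Run the audit against the real file on each server (keys_without_from /home/collector/.ssh/authorized_keys, adjusting the path) from the same cron job that collects the other data, so a key that loses its from= restriction shows up in the next report rather than going unnoticed.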
