Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Users Search
Help Dashboard Sign In Sign Up
Q&A Meta
Q&A
Posts Tags Edits
Ask Question

Nerf an SSH login outside expected IP range

+2
−0

Can I restrict myself from certain actions when I SSH in from outside a certain IP range? For instance no sudo?

Maybe with ~/.ssh/authorized_keys having a from="!1.2.3.4/26" option with some kind of command="???"?

ssh
posted 22 days ago
user card
Michael‭
171 reputation 1 7 18 26
History
Why does this post require moderator attention?
You might want to add some details to your flag.
Why should this post be closed?

0 comment threads

1 answer

Score Active Age
+0
−0

authorized_keys

You can make restrictions, but it's clunky and not well-standardized. A command stanza on an authorized key works like the ForceCommand on SSHD Config. It runs the one specified command instead of your requested command or interactive session and then closes the connection. Obviously this is pretty restrictive, and no one would want to make one key per allowlisted command. But SSH sets an environment variable, $SSH_ORIGINAL_COMMAND, to the user's requested command.

If the ForceCommand is a script, it can validate the original command and choose whether to execute it, to execute something else, or to just quit. There doesn't seem to be a standard for performing this validation.

from="1.2.3.4/26"                  ssh-rsa AAAAB3N9Q== Normal IP for you@example
from="!1.2.3.4/26",command="sshdo" ssh-rsa AAAAB3N9Q== Weird  IP for you@example

Care should be taken not to allow the user to escalate their own privileges or learn things to formulate a subsequent attack. If they can edit their authorized_keys to remove the hobbling, they can do anything else, right after.

sudoers doesn't work

In the specific case of sudo, one might notice that there are IP and host restrictions mentioned in the documentation for the sudoers file. Those restrictions do not help here. They are for the IP or resolved name of the computer you SSH into, not the place you SSH from. Those restrictions help administrators make a single sudoers policy and push it to a whole network of computers.

posted 18 days ago
10d ago
user card
Michael‭
171 reputation 1 7 18 26
History
Why does this post require moderator attention?
You might want to add some details to your flag.

0 comment threads

Sign up to answer this question »