Home / server / Questions / 888454
Accepted
Déjà vu
Asked: 2017-12-17 08:10:18 +0800 CST

sshd_config AllowUsers and IPv6

  • 772

Have two servers communicating via ssh and crontab, a "master" and a "slave". Only the master can connect (execute command) on the slave.

Authentication was done automatically (IPv4) thanks to

  • master's ~/.ssh/id_rsa.pub added to slave's ~/.ssh/authorized_keys
  • slave's sshd_config having AllowUsers [email protected]

It was working fine until IPv6 was added

  • both master and slave have IPv6 enabled
  • both servers have had DNS reverse setup for both protocols
  • sshd_config changed to AllowUsers [email protected]

and was hoping sshd slave does a reverse lookup of the incoming IPv6 IP (to get myhost.tld) but auth.log shows

User me from 2103:cc11::...:fe93:4a10 not allowed because not listed in AllowUsers

I'd have two questions

  1. does sshd perform an IPv6 reverse lookup to find out if the host matches? (if yes, there is another problem)
  2. what is the correct way to add an IPv6 address hard-coded in AllowUsers? It seems me@[2103:cc11::...:fe93:4a10] doesn't work. (edit works without the [])
ssh

1 Answers

  1. Best Answer

    Have a look at the UseDNS directive.

    "UseDNS Specifies whether sshd(8) should look up the remote host name, and to check that the resolved hostname for the remote IP address maps back to the very same IP address.

    If this option is set to no (the default) then only addresses and not host names may be used in ~/.ssh/authorized_keys from and sshd_config Match Host directives."

    As a side-note you could always configure the client to force IPv4 for connection to that particular host in your ssh_config. I mostly used AllowUsers to match usernames, if you want to match on hostnames and IP you might want to have a look at using TCP wrapper instead.

    See: https://www.akadia.com/services/ssh_tcp_wrapper.html

    • 1