I have a server in an internal network (login there via VPN) from where I login to the server via SSH with OpenSSH public/private key authentication. From a security point of view, I want to tie the MAC addresses of my three used clients via iptables on the server so that only these clients can login with it.
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -j DROP
However, is it recommended to do it this way? What other (better) methods can I use to tie the SSH login to the used clients?
(If someone wants to request 2FA, unfortunately 2FA is not possible as potential solution.)
Thanks.
Best Answer
I am supposing that you want to prevent your SSH server from accepting connections from untrusted hosts even though they supply valid user credentials. Is it right?
A possible solution to tie users' public key authentication to selected client hosts is via host-based authentication. By setting up host-based authentication and defining the AuthenticationMethods parameter in /etc/ssh/sshd_config to either:

Or:
That will instruct SSH daemon to request clients to authenticate the hosts they are connecting from before checking users' keys or passwords. The former alternative allows password-based authentication, while the latter restricts it to public keys only. Since host-based authentication is based on keypairs, SSH server will be able to authenticate clients with dynamic IP addresses.
Here follow complete instructions. The documentation of how SSH performs host-based authentication is written in the ssh(1) man-page. Please note how SSH identifies users and check whether it is applicable to your case.

To enable host-based authentication in OpenSSH:

/etc/ssh/sshd_config:

HostbasedUsesNameFromPacketOnly yes in /etc/ssh/sshd_config:

/etc/hosts file or PTR records in the network's DNS server:

/etc/ssh/shosts.equiv file. Create it manually if it doesn't exist. The syntax of the file is almost the same as documented in man hosts.equiv(5); however, the SSH daemon does not accept empty hostnames.

/etc/ssh/ssh_known_hosts file. A convenient way to do so is via ssh-keyscan:

After configuring the OpenSSH server to accept host-based authentication requests, clients must also be configured to request host-based authentication:

/etc/ssh/ssh_config:

ssh-keysign executable: grant read permission to the host's private key files:
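As an added check (example code, not part of the answer above): a POSIX shell audit that reads an sshd_config the way sshd does (case-insensitive keywords, first occurrence wins, Match blocks excluded) and reports whether host-based authentication is actually required before a client key or password is accepted. The AuthenticationMethods values and the two sample configs are constructed for this example.

```shell
#!/bin/sh
# Audit helper (added example, not from the original answer): decide whether
# an sshd_config refuses logins that are not preceded by a successful
# host-based check, which is what the answer above sets out to configure.

# first_value FILE KEYWORD: the value sshd uses for KEYWORD. Keywords are
# case-insensitive, the FIRST occurrence wins, and scanning stops at the
# first Match block because settings inside it are conditional.
first_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
  ' "$1"
}

# hostbased_required FILE: returns 0 only if HostbasedAuthentication is on
# and every space-separated AuthenticationMethods alternative lists
# hostbased; otherwise a valid key or password alone is enough to log in.
hostbased_required() {
  hb=$(first_value "$1" HostbasedAuthentication | tr 'A-Z' 'a-z')
  [ "$hb" = "yes" ] || return 1
  methods=$(first_value "$1" AuthenticationMethods)
  [ -n "$methods" ] || return 1
  for alt in $methods; do            # unquoted on purpose: split on spaces
    case ",$alt," in
      *,hostbased,*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Constructed sample configs (not from the page).
sample_weak() {
  printf '%s\n' 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
    '# host-based never switched on, so any valid user key logs in' \
    'AuthenticationMethods publickey'
}
sample_hardened() {
  printf '%s\n' 'HostbasedAuthentication yes' \
    'HostbasedUsesNameFromPacketOnly yes' 'PasswordAuthentication no' \
    'AuthenticationMethods hostbased,publickey'
}

for s in weak hardened; do
  f=$(mktemp); "sample_$s" > "$f"
  if hostbased_required "$f"; then echo "$s: host-based check enforced"
  else echo "$s: client key alone is enough"; fi
  rm -f "$f"
done
```

Run it against the real /etc/ssh/sshd_config with `hostbased_required /etc/ssh/sshd_config` after editing; a non-zero exit means a client key or password alone still grants access.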