openssh-unix-dev October 2011 archive

Re: Handing connection depending on the client computer public key fingerprint

From: Iain Morgan <imorgan_at_nospam>
Date: Fri Oct 21 2011 - 23:19:25 GMT
To: Mike Spinzer <>

On Fri, Oct 21, 2011 at 15:40:30 -0500, Mike Spinzer wrote:
> Hello,
> I am trying to find a way to handle SSH connections differently depending on whether they come from a "trusted" computer or from an unknown computer (for instance giving access to a shell versus allowing only scp/sftp in a chrooted environment).
> Using the IP address is not a solution since a trusted computer can be a laptop that is connected somewhere on the Internet.
> One solution could be to use the client public key fingerprint; the server would then keep a white list of public key fingerprints that represent the trusted computers.
> However I can't find a way to implement this.
> I tried with the Match directive, but this one doesn't take such a parameter.
> I tried too with a ForceCommand, but found no way to configure sshd to transmit the public key fingerprint to the script.
> Is there any way to do that?
> Thanks a lot for your help,

You first need to define what you mean by "trusted computer" in this
context. You presumably mean a set of public-keys for which you have
greater confidence and are thus willing to permit greater access.
However, unless the client and server systems are configured to use
hostbased authentication, the public key is really associated with a user _not_
a computer. In that case, you could place all "untrusted" users in a single
group and use the Match directive to force a command such as
sftp-server. Or you could set the shell for these untrusted users to
scponly, assuming that scponly is still around.

-- Iain Morgan
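
The group-plus-Match approach described in the reply, as an added sshd_config sketch that is not part of the original message. The group name `sftponly` and the chroot path `/srv/sftp/%u` are assumptions, and `internal-sftp` is used in place of the external sftp-server binary so that the chroot needs no helper files.

```conf
# /etc/ssh/sshd_config (fragment)
# Added example: restrict members of one group to chrooted SFTP while
# every other account keeps its normal shell access.

# Use the in-process SFTP server so the chroot does not have to contain
# an sftp-server binary, libraries or device nodes.
Subsystem sftp internal-sftp

# Match blocks must come after all global settings; each one applies
# until the next Match line or the end of the file.
# "sftponly" is a hypothetical group holding the untrusted accounts.
Match Group sftponly
    # Whatever command the client requests (shell, scp, remote exec),
    # sshd runs this instead. With internal-sftp only SFTP works; scp's
    # legacy protocol needs a remote scp process and is refused.
    ForceCommand internal-sftp

    # Assumed layout: one directory per user. Every component of this
    # path must be owned by root and not writable by group or others,
    # otherwise sshd rejects the session. Give the user a writable
    # subdirectory inside it for uploads.
    ChrootDirectory /srv/sftp/%u

    # Close the side channels that would otherwise bypass the forced
    # command: port forwarding, agent and X11 forwarding, tunnels, PTYs.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
```

Running `sshd -t` after editing checks the file for syntax errors before the daemon is reloaded.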