Will AllowUsers user@domain work or do I have to use an IP?
myhken Member

As one of many security measures on my servers I use sshd_config to add the users and IPs that are allowed to log in via SSH (and SFTP).
Since I now have to use SFTP more and more, I wonder if I can use a domain name instead of an IP in AllowUsers user@IP or domain?
The reason is that one of my main IPs for SFTP is dynamic, so if I can use a domain, I have a domain that is always updated with the latest IP.

Is it possible? Or do only IPs work there?

Comments

  • Also interested in knowing about this, because I only have a dedicated IP at the office. When at home my ISP only provides dynamic IP addresses. I have not yet tried anything, but maybe with an external service like noip.com?

  • I guess if it is actually possible, sshd would look at the PTR record. In most cases, this is as dynamic as the IP is.

  • I just tested, AllowUsers user@ip works, user@hostname doesn't

    Thanked by 1 myhken
  • If the function is at all sane, forward and reverse need to match - and the reverse is verified first, so it already fails there on dynamic IPs.

    Thanked by 1 myhken
  • century1stop Member (edited August 2016)

    yup, just tested with hostname rDNS enabled, connection established (static IP)

    Thanked by 1 myhken
  • OK, thanks for testing. It would have been nice with a domain, but I can live with IPs.

  • emg Veteran

    Why don't you test it yourself? Keep a separate ssh window open so you can revert the sshd_config changes and restart the sshd service.

    According to the man pages, it should work (username@domain). I tested it myself, and it worked - I changed the domain on the username in AllowUsers to a different one, and it blocked access, just as expected. After that, I tried something else, and it stopped working, and I can no longer replicate my success. I am tired of trying to debug the issue (which I think is related to reusing the same public/private keypair for multiple accounts, but logging in from one account on my local computer). I have more important things to do. Sorry.

    Keep in mind that if you are connecting from a dynamic IP address, the remote server will cache the DNS lookup for a while. Therefore, attempted connections will fail immediately after the local computer has an IP address change if the remote server's DNS lookup has the old IP address in its cache.

    Thanked by 1 myhken
  • Took your advice, @emg, and tested now, but it will not work with a domain. At least not via SSH/SFTP. But thank you for trying to find out about this issue.
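Added example, not code from this thread or from OpenSSH: a small Python model of how sshd evaluates the host part of a `user@host` AllowUsers entry, which accounts for the results reported above. A CIDR pattern is matched against the client IP; any other pattern is matched against the client IP string and against a DNS name only when UseDNS is on and the reverse lookup is confirmed by a forward lookup, so with UseDNS off (the OpenSSH default) or a stale PTR record the name entry never matches. The user, addresses and hostname are constructed.

```python
import fnmatch
import ipaddress

# Constructed sample entries (hypothetical user, address and hostname), in the
# form the thread discusses: bare IP, DNS name, and a CIDR block.
ALLOW_USERS = ["myhken@203.0.113.7", "myhken@home.example.net", "admin@10.0.0.0/8"]

def canonical_hostname(client_ip, use_dns, ptr_name=None, forward_addrs=()):
    """Emulate the 'hostname' sshd compares against the host part of an entry.
    UseDNS off: just the client IP string.  UseDNS on: the PTR name, but only if
    a forward lookup of it returns the client IP again; otherwise the IP string."""
    if not use_dns or not ptr_name:
        return client_ip
    return ptr_name.lower() if client_ip in forward_addrs else client_ip

def host_matches(pattern, client_ip, hostname):
    """A CIDR pattern is tested against the client IP; anything else is a wildcard
    pattern (* and ?) tested against both the IP string and the canonical hostname."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    pat = pattern.lower()
    return any(fnmatch.fnmatchcase(c.lower(), pat) for c in (client_ip, hostname))

def allow_users_permits(allow_users, user, client_ip, hostname):
    """True if any token admits 'user' from 'client_ip'; a token without '@'
    applies to every source address."""
    for token in allow_users:
        if "@" in token:
            user_pat, host_pat = token.split("@", 1)
            if fnmatch.fnmatchcase(user, user_pat) and host_matches(host_pat, client_ip, hostname):
                return True
        elif fnmatch.fnmatchcase(user, token):
            return True
    return False

def check(user, client_ip, use_dns, ptr_name=None, forward_addrs=()):
    """Resolve the hostname the way sshd would, then evaluate ALLOW_USERS."""
    host = canonical_hostname(client_ip, use_dns, ptr_name, forward_addrs)
    return allow_users_permits(ALLOW_USERS, user, client_ip, host)

if __name__ == "__main__":
    dyn = dict(ptr_name="home.example.net", forward_addrs=("198.51.100.20",))
    print(check("myhken", "203.0.113.7", use_dns=False))          # True: static IP entry
    print(check("myhken", "198.51.100.20", use_dns=False, **dyn))  # False: name never consulted
    print(check("myhken", "198.51.100.20", use_dns=True, **dyn))   # True: forward/reverse agree
    print(check("myhken", "198.51.100.21", use_dns=True, **dyn))   # False: stale forward record
```

The last case is the dynamic-IP situation from the thread: until the forward record catches up with the new address, sshd falls back to comparing the bare IP and the name entry does not match.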
