How to restrict an SSH key to certain IP addresses?

Yes.

In the file ~/.ssh/authorized_keys on the server, each entry now probably looks like

ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT comment

(or similar)

There is an optional first column that may contain options. These are described in the sshd manual.

One of the options is

from="pattern-list"

Specifies that in addition to public key authentication, either the canonical name of the remote host or its IP address must be present in the comma-separated list of patterns. See PATTERNS in ssh_config(5) for more information on patterns.

In addition to the wildcard matching that may be applied to hostnames or addresses, a from stanza may match IP addresses using CIDR address/masklen notation.

The purpose of this option is to optionally increase security: public key authentication by itself does not trust the network or name servers or anything (but the key); however, if somebody somehow steals the key, the key permits an intruder to log in from anywhere in the world. This additional option makes using a stolen key more difficult (name servers and/or routers would have to be compromised in addition to just the key).

This means that you should be able to modify ~/.ssh/authorized_keys from

ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT comment

to

from="pattern" ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT comment

Where pattern is a pattern matching the client host that you're connecting from, for example by its public DNS name, IP address, or some network block:

from="192.168.1.0/24" ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT comment

(this would only allow the use of this key from a host in the 192.168.1.* network)


You can achieve this by adding from="192.168.1.0/24" in front of the public key in the authorized_keys file. The entire row should look like this:

from="192.168.1.0/24" ssh-rsa AAAA....
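An added example, not part of either answer above: a small Python script that parses authorized_keys lines, reports keys that carry no from= restriction, and evaluates a from= pattern list against a client address and hostname using the PATTERNS rules quoted above (wildcards, ! negation, CIDR). The key material and hostnames are constructed placeholders, and the matcher is a simplification of sshd's own logic (no DNS lookups, only a quoted from= value is recognised).

```python
import fnmatch
import ipaddress
import re
import shlex

# Constructed sample file content; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT unrestricted-laptop
from="192.168.1.0/24" ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT office-lan
from="*.example.com,!bad.example.com,10.0.0.0/8" ssh-rsa AAAAB3PLACEHOLDER bastion
"""

FROM_RE = re.compile(r'from="([^"]*)"')
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-", "sk-")

def parse_entries(text):
    """Return one dict per key line: key type, comment and the from= pattern list (or None)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # strips the quotes around option values
        # The optional options column is present only when the line does not start with a key type.
        if fields[0].startswith(KEY_TYPES):
            key_type, comment = fields[0], " ".join(fields[2:])
        else:
            key_type, comment = fields[1], " ".join(fields[3:])
        match = FROM_RE.search(line)
        entries.append({"type": key_type, "comment": comment, "from": match.group(1) if match else None})
    return entries

def unrestricted_keys(text):
    """Comments of keys usable from anywhere, i.e. candidates for adding a from= option."""
    return [e["comment"] for e in parse_entries(text) if e["from"] is None]

def _match_one(pattern, ip, host):
    """True if a single pattern matches the client IP (CIDR or wildcard) or its hostname (wildcard)."""
    if "/" in pattern:  # CIDR address/masklen form applies to the address only
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(ip, pattern) or (host is not None and fnmatch.fnmatchcase(host, pattern))

def from_allows(pattern_list, ip, host=None):
    """Evaluate a from= list: a matching negated (!) pattern denies, otherwise any positive match allows."""
    allowed = False
    for pattern in (p.strip() for p in pattern_list.split(",")):
        if pattern.startswith("!"):
            if _match_one(pattern[1:], ip, host):
                return False
        elif _match_one(pattern, ip, host):
            allowed = True
    return allowed
```

Running `unrestricted_keys` over a server's real authorized_keys is a quick audit for keys that a thief could use from any network.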