How to restrict an SSH key to certain IP addresses?
Yes.
In the file ~/.ssh/authorized_keys on the server, each entry now probably looks like
ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT comment
(or similar).
There is an optional first column that may contain options. These are described in the sshd manual.
One of the options is from="pattern-list":
Specifies that in addition to public key authentication, either the canonical name of the remote host or its IP address must be present in the comma-separated list of patterns. See PATTERNS in ssh_config(5) for more information on patterns.
In addition to the wildcard matching that may be applied to hostnames or addresses, a from stanza may match IP addresses using CIDR address/masklen notation.
The purpose of this option is to optionally increase security: public key authentication by itself does not trust the network or name servers or anything (but the key); however, if somebody somehow steals the key, the key permits an intruder to log in from anywhere in the world. This additional option makes using a stolen key more difficult (name servers and/or routers would have to be compromised in addition to just the key).
This means that you should be able to modify ~/.ssh/authorized_keys from
ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT comment
to
from="pattern" ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT comment
where pattern is a pattern matching the client host that you're connecting from, for example by its public DNS name, IP address, or some network block:
from="192.168.1.0/24" ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT comment
(this would only allow the use of this key from a host in the 192.168.1.* network)
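As an added example (not code from either answer), here is a small Python audit helper: it parses authorized_keys entries quote-aware (so a command="..." option with spaces survives), evaluates a from= pattern-list against a client address the way the PATTERNS rules describe (CIDR blocks, * and ? globs, ! negation), and lists the keys that carry no from= restriction at all. The sample entries and hostnames are constructed; sshd only has a canonical hostname to compare when UseDNS is enabled, so with the default setting only the IP address string is matched.

```python
import fnmatch
import ipaddress
# Constructed sample authorized_keys content; the key blobs are not real keys.
SAMPLE = """\
ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT laptop
from="192.168.1.0/24,!192.168.1.50",no-pty ssh-ed25519 AAAAC3NzaC1lZOTHERKEY backup-host
"""

def _split_head(line):
    # Options column: unquoted commas separate options, the first unquoted whitespace ends it.
    opts, cur, quoted, i = [], "", False, 0
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            break
        elif ch == "," and not quoted:
            opts, cur = opts + [cur], ""
        else:
            cur += ch
    return [o for o in opts + [cur] if o], line[i:].strip()

def parse_entry(line):
    """Parse one authorized_keys line -> (options dict, key type, key blob, comment)."""
    opts, rest = _split_head(line.strip())
    if opts[0].startswith(("ssh-", "ecdsa-", "sk-")):  # line has no options column
        opts, rest = [], line.strip()
    keytype, blob, *comment = rest.split(None, 2)
    options = {name: (value or True) for name, _, value in (o.partition("=") for o in opts)}
    return options, keytype, blob, (comment[0] if comment else "")

def host_allowed(pattern_list, client_ip, client_host=None):
    """from= check per ssh_config(5) PATTERNS: CIDR entries match the IP, others are
    * and ? globs tried against the IP and hostname; a matching '!' entry denies."""
    names, allowed = [client_ip, client_host or client_ip], False
    for pat in pattern_list.split(","):
        neg, pat = pat.startswith("!"), pat.lstrip("!")
        if "/" in pat:  # strict=True rejects a block with host bits set, e.g. 192.168.1.1/24
            hit = ipaddress.ip_address(client_ip) in ipaddress.ip_network(pat, strict=True)
        else:
            hit = any(fnmatch.fnmatchcase(n, pat) for n in names)
        if hit and neg:
            return False
        allowed = allowed or hit
    return allowed

def unrestricted_keys(text):
    """Comments of keys with no from= option, i.e. keys usable from any address."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    return [c for opts, _, _, c in map(parse_entry, lines) if "from" not in opts]
```

Run unrestricted_keys() over a server's real file to find keys that a thief could use from anywhere, and host_allowed() to check a from= list before relying on it.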
You can achieve this by adding from="192.168.1.0/24" in front of the public key in the ~/.ssh/authorized_keys file. The entire row should look like this:
from="192.168.1.0/24" ssh-rsa AAAA....