is there a way to restrict ssh sessions to a specific ssh client?
Hi,
I am looking at ways in which I can restrict SSH session requests to those coming from a specific SSH client (say PuTTY or NX Client). Is it possible to restrict SSH client login to a client application?
Specific client? Not that I know of. You can use the AllowUsers directive (see the sshd_config man page here http://linux.die.net/man/5/sshd_config), but there's no real way of detecting the client-type on the other end.
The only way to do it is to use a custom-compiled server and a custom-compiled client, with specific changes that you wrote so that the server expects a specific string when the client connects and the custom client then sends the expected string. Otherwise, no, it cannot be done.
This is something I have done in the past and it can be done.
Thanks for the responses. I was thinking that there could be a directive which would allow me to restrict the user to a particular SSH client. As Ken replied, I probably need to customize sshd to expect a key particular to an SSH client.
Please let me know if there is a simple or better approach than this.
You could ensure that only certain clients can authenticate by requiring pubkey authentication (and disallowing all other authentication forms).
Frankly, this is much more secure than saying "only putty users can connect" -- anyone can download putty. It's also a common practice and doesn't require you to fool around with source code (which is a pain to maintain in the long run).
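One way to check that a server really accepts public keys only, as suggested in the reply above. This is an added example, not part of the original thread; the function name `audit_pubkey_only` and both sample inputs are constructed for illustration. It reads text in the format printed by `sshd -T` (lowercase keyword followed by its effective value).

```shell
#!/bin/sh
# Added example: audit effective sshd settings for "public key only" logins.
# Input format is that of `sshd -T`: one "keyword value" pair per line.

# Constructed sample inputs, not taken from a real host.
SAMPLE_WEAK='pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
gssapiauthentication no
hostbasedauthentication no'

SAMPLE_HARDENED='pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
gssapiauthentication no
hostbasedauthentication no'

# Authentication methods that must be off for a pubkey-only server.
# challengeresponseauthentication is the older name of kbdinteractive.
OTHER_METHODS='passwordauthentication kbdinteractiveauthentication challengeresponseauthentication gssapiauthentication hostbasedauthentication'

# Reads sshd -T style text on stdin, prints one line per problem,
# and returns 0 only when pubkey is the sole enabled method.
audit_pubkey_only() {
    awk -v others="$OTHER_METHODS" '
        { seen[$1] = $2 }
        END {
            bad = 0
            if (seen["pubkeyauthentication"] != "yes") {
                print "pubkeyauthentication is not enabled"; bad = 1
            }
            n = split(others, other, " ")
            for (i = 1; i <= n; i++)
                if (seen[other[i]] == "yes") {
                    print other[i] " is still enabled"; bad = 1
                }
            exit bad
        }'
}

# On a real server (as root): sshd -T | audit_pubkey_only
printf '%s\n' "$SAMPLE_WEAK" | audit_pubkey_only || echo "weak sample: not pubkey-only"
printf '%s\n' "$SAMPLE_HARDENED" | audit_pubkey_only && echo "hardened sample: pubkey only"
```

Settings inside `Match` blocks are only evaluated when `sshd -T` is given a connection spec with `-C`, so check the users and addresses that matter separately.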
I think I did not make my requirement very clear earlier.
I have developed a web app which allows my users to connect to a set of Linux boxes. I want them to connect using the SSH client (in my case it's NX Client) that gets launched from the web app using SSH keypair authentication.
However, the user can save this key and connect to the servers from outside of the web app. With NX Client, certain restrictions are applied for the user, which do not apply when the user connects using any other SSH client.
Yes, you could restrict it with iptables. SSH will not know which hosts are trying to connect, but iptables will, and if the IP matches the rules then it will allow the connection to sshd.