LinuxQuestions.org


avner.sib 02-02-2021 04:43 AM

sshd configuration with match and 2 record
 
Hi All,

I have an issue with hostnames and the SSH resolver.
I configured an ssh Match with Address,
but the target server has 2 A records, and it always checks only one.


getent hosts 172.16.50.1
172.16.50.1 bb.lian.co.il cc.lian.co.il

Feb 2 05:17:46 zabbix-agentless sshd[2126348]: debug1: PAM: initializing for "root"
Feb 2 05:17:46 zabbix-agentless sshd[2126348]: debug1: PAM: setting PAM_RHOST to "bb.lian.co.il"

berndbausch 02-02-2021 11:53 PM

If you have a question, please formulate it. It's not quite clear to me what you want.

avner.sib 02-04-2021 01:53 PM

I'll try to explain.
When I configure the sshd service with a Match section.
Example:

Code:

Match Host aaaa.domain.com
        PermitRootLogin yes

But the aaaa host has 2 records, so ssh always gets only one, and I want to use the second record.

berndbausch 02-06-2021 07:13 PM

I would try

Code:

match host 172.16.50.1
or

Code:

match host bb.lian.co.il cc.lian.co.il

avner.sib 02-06-2021 08:42 PM

Thanks for reply.

It was only an example; of course I used this syntax.
That is not the question.
BTW,
if you want to use it with an IP, the keyword is
Match Address;
there is a difference ;)

lazydog 02-07-2021 12:22 AM

You could try the following:

Code:

Match Address 192.168.1.100
        PermitRootLogin yes

This way you can leave PermitRootLogin set to 'no'.

But that would allow anyone connecting to that IP to login as root. Root login is a bad idea and you really shouldn't allow it. Make everyone log in with their user account and then switch to root using either 'su -' or 'sudo'.

ondoho 02-07-2021 01:31 AM

^ Agreed.

I'm confused by the conflation of DNS and SSH here.
I understand the connection and the issue now, but these are two separate things and should be considered separately.
Quote:

Originally Posted by avner.sib (Post 6216155)
host has 2 record. so the ssh always get only one, and I want to use the second record

Why don't you just ssh to cc.lian.co.il instead of the numerical IP?
Or use cc.lian.co.il instead of the numerical IP in your sshd_config?

avner.sib 02-07-2021 04:50 AM

Because I want to use the CNAME record,
and not the hostname of the computer.

Turbocapitalist 02-07-2021 05:07 AM

So if I understand correctly, you have several names that resolve in DNS to the same IP address, but you would like only one of the names to be acknowledged by the SSH server?

Code:

Match Host nametwo.example.com
 ...

Perhaps instead of using Match ... you could try AllowUsers ... with an FQDN. I have not tried it, but from the documentation it should look something like this:

Code:

AllowUsers avner@nametwo.example.com

See "man sshd_config" and scroll down to "AllowUsers".

Don't lock yourself out during the testing, though. Be sure to have another means of accessing the system while you adjust the configuration file.
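Editor's added example, tied to two points in the thread: the Match Host versus Match Address question raised in the first post and answered by berndbausch and lazydog, and the AllowUsers user@host alternative in the last post. This is not code from OpenSSH or from any poster. It is a Python model of the decision sshd makes for one incoming connection, and the resolver table in it is constructed to mirror the getent output in the first post (one address, two forward names, one PTR name). The behaviour modelled: with UseDNS yes, sshd performs a single reverse (PTR) lookup of the client address and keeps that one canonical name, provided it resolves forward to the same address; Match Host and the host part of AllowUsers are compared against that single name, never against every A or CNAME record that happens to point at the client, while Match Address is compared against the address as an IP/CIDR pattern list. The AllowUsers negation handling is simplified relative to sshd's own code, as noted in the comments.

```python
"""Model of how sshd decides whether a Match block or an AllowUsers entry
applies to one connection.  Added example for this thread, not OpenSSH code;
the resolver table is constructed (one address, two forward names, one PTR)."""
import fnmatch
import ipaddress

# Constructed resolver data standing in for DNS.
PTR = {"172.16.50.1": "bb.lian.co.il"}            # reverse zone: one name only
FORWARD = {"bb.lian.co.il": "172.16.50.1",        # A record
           "cc.lian.co.il": "172.16.50.1"}        # second name, same address


def canonical_hostname(addr, use_dns=True):
    """With UseDNS no, the 'hostname' sshd compares is just the address string.
    With UseDNS yes it is the PTR name, kept only if that name resolves back to
    the same address; on a mismatch sshd falls back to the address."""
    if not use_dns:
        return addr
    name = PTR.get(addr)
    if name and FORWARD.get(name) == addr:
        return name
    return addr


def match_pattern_list(value, patterns):
    """sshd pattern list: comma-separated, '*'/'?' wildcards, leading '!'
    negates.  A negated hit rejects outright; otherwise any positive hit wins."""
    hit = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        if fnmatch.fnmatchcase(value.lower(), pat.lstrip("!").lower()):
            if negate:
                return False
            hit = True
    return hit


def match_address_list(addr, patterns):
    """Match Address list: IPs or CIDR blocks, optional '!'.  A hostname here
    is a configuration error; sshd rejects it when parsing sshd_config."""
    ip = ipaddress.ip_address(addr)
    hit = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        try:
            net = ipaddress.ip_network(pat.lstrip("!"), strict=False)
        except ValueError:
            raise ValueError("invalid network entry in Match Address: " + pat)
        if ip in net:
            if negate:
                return False
            hit = True
    return hit


def match_block_applies(criteria, addr, user="root", use_dns=True):
    """criteria: (keyword, patternlist) pairs from one Match line; all must hold."""
    host = canonical_hostname(addr, use_dns)
    checks = {
        "address": lambda p: match_address_list(addr, p),
        "host": lambda p: match_pattern_list(host, p),
        "user": lambda p: match_pattern_list(user, p),
    }
    return all(checks[kw.lower()](pats) for kw, pats in criteria)


def allow_users_permits(entries, user, addr, use_dns=True):
    """AllowUsers entries are USER or USER@HOST; HOST is compared with the
    canonical hostname and with the address, so a CIDR works too.  Simplified:
    sshd also lets a negated address pattern veto the hostname comparison."""
    host = canonical_hostname(addr, use_dns)
    for entry in entries:
        upat, _, hpat = entry.partition("@")
        if not match_pattern_list(user, upat):
            continue
        if not hpat or match_pattern_list(host, hpat):
            return True
        try:
            if match_address_list(addr, hpat):
                return True
        except ValueError:
            pass  # hostname pattern; already compared above
    return False


if __name__ == "__main__":
    c = "172.16.50.1"
    print("Match Host cc.lian.co.il  ->", match_block_applies([("Host", "cc.lian.co.il")], c))
    print("Match Host bb,cc          ->", match_block_applies([("Host", "bb.lian.co.il,cc.lian.co.il")], c))
    print("Match Address 172.16.50.1 ->", match_block_applies([("Address", "172.16.50.1")], c))
    print("UseDNS no, Match Host bb  ->", match_block_applies([("Host", "bb.lian.co.il")], c, use_dns=False))
```

The model shows why a second forward name never fires: Match Host cc.lian.co.il is false for a client whose PTR says bb.lian.co.il, while listing both names or using Match Address 172.16.50.1 (or a CIDR) is true, and with UseDNS no nothing but the address pattern ever matches. To check the real daemon rather than the model, run `sshd -T -C user=root,host=bb.lian.co.il,addr=172.16.50.1 | grep -i permitrootlogin` against the live configuration; it prints the effective value for that connection without you having to connect, which also avoids the lockout risk Turbocapitalist warns about.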

