sshd configuration with match and 2 record

avner.sib · 02-02-2021, 04:43 AM

Hi All,

I have a issue with hostname and ssh resolver.
I'm config ssh match with Address.
but the a target server has 2 A Record, And he always checks only one.

getent hosts 172.16.50.1
172.16.50.1 bb.lian.co.il cc.lian.co.il

Feb 2 05:17:46 zabbix-agentless sshd[2126348]: debug1: PAM: initializing for "root"
Feb 2 05:17:46 zabbix-agentless sshd[2126348]: debug1: PAM: setting PAM_RHOST to "bb.lian.co.il"

berndbausch · 02-02-2021, 11:53 PM

If you have a question, please formulate it. It's not quite clear to me what you want.

avner.sib · 02-04-2021, 01:53 PM

I'll try to explain.
When I'm configure sshd service with section of match.
Example.
Match host aaaa.domain.com
Rootlogin yes

But to an aaaa host has 2 record. so the ssh always get only one, and I want to use the second record

berndbausch · 02-06-2021, 07:13 PM

I would try

Code:

match host 172.16.50.1

or

Code:

match host bb.lian.co.il cc.lian.co.il

avner.sib · 02-06-2021, 08:42 PM

Thanks for reply.

It's was only example, of course I used this syntax.
that is not the question
BTW
if you want to use with ip the code is
match address,
there is a different

lazydog · 02-07-2021, 12:22 AM

You could try the following:

Code:

Match Address 192.168.1.100
        PermitRootLogin yes

This way you can leave PremitRootLogin set to 'no'.

But that would allow anyone connecting to that IP to login as root. Root login is a bad idea and you really shouldn't allow it. Make everyone log in with their user account and then switch to root using either 'su -' or 'sudo'.

ondoho · 02-07-2021, 01:31 AM

^ Agreed.

I'm confused by the conflagration of DNS and SSH here.
I understand the connection and issue now, but these are two separate things and should be considered separately.

Quote:

Originally Posted by avner.sib

host has 2 record. so the ssh always get only one, and I want to use the second record

Why don't you just ssh to cc.lian.co.il instead of the numerical IP?
Or use cc.lian.co.il instead of the numerical IP in your sshd_config?

avner.sib · 02-07-2021, 04:50 AM

Because I want to use in cname record,
And not with hostname of computer.

Turbocapitalist · 02-07-2021, 05:07 AM

So if I understand correctly, you have several names that resolve in DNS to the same IP address, but you would like only one of the names to be acknowledged by the SSH server?

Code:

Match Address nametwo.example.com
 ...

Perhaps instead of using match ... you could try allowusers ... with a FQDN. I have not tried it but from the documentation it should look something like this:

Code:

AllowUsers avner@nametwo.example.com

See "man sshd_config" and scroll down to "AllowUsers"

Don't lock yourself out during the testing, though. Be sure to have another means of accessing the system while you adjust the configuration file.