In this post I would like to show you how to restrict an SSH key so that it can only be used from a specific host (or a short list of hosts).
Nowadays it is very common to query or run scripts from an IBM i machine against a HMC or a Virtual I/O Server, and most likely you exchange SSH keys so the scripts can log in without a password.
Rule number one is to keep the private key safe, but you can improve security further: in the authorized_keys file on the machine you connect to (the HMC or VIOS, where the SSH daemon validates the key) you define which hostnames and/or addresses are allowed to authenticate with that public key. You do it by editing the entry for the public key.
So probably your public key looks similar to this:
ssh-rsa AAAA4iosfvasjY&34f/ANMuQCeHIb57DIaqgittI/3ir+i+4Ina4iVVakr4kaTviyvgGyhiTIFe1xDLWirE/EpTCL896wY3b/cCB9/XPmwFuhynW02/IE6tfcNbJHSYdfsdfvknsrfgR$iNMEFsdg#qFKUmXIDb7oI3kqElGvGXObsTJpNoK00N63wc4EnIluQ0/5794IsdjaeEjkCS4IW4T/Min3839Acvir745qnmxJA99vr5J4Ae8KCzYb5moCefM1ObIXVHcXw3tO7mQGy9Sxh3KIfA+C/nhQQ834UxilcdlgqE== Bart key
If you add the following string in front of the key, the SSH daemon on the target (VIOS, HMC) accepts the key only from hostname1.domain.com and hostname2.domain.com, or from their addresses 198.111.123.1 and 198.111.123.2. Use plain ASCII double quotes around the from= value; typographic quotes copied from a web page or a word processor are not recognised by sshd and the entry silently stops working. The options no-agent-forwarding, no-port-forwarding and no-X11-forwarding additionally stop the key from being used to tunnel through the target.
from="hostname1.domain.com,198.111.123.1,hostname2.domain.com,198.111.123.2",no-agent-forwarding,no-port-forwarding,no-X11-forwarding
So the whole entry, which must stay on one single line in the .ssh/authorized_keys file (authorized_keys2 is the legacy name; OpenSSH still reads it by default), is the following
from="hostname1.domain.com,198.111.123.1,hostname2.domain.com,198.111.123.2",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAA4iosfvasjY&34f/ANMuQCeHIb57DIaqgittI/3ir+i+4Ina4iVVakr4kaTviyvgGyhiTIFe1xDLWirE/EpTCL896wY3b/cCB9/XPmwFuhynW02/IE6tfcNbJHSYdfsdfvknsrfgR$iNMEFsdg#qFKUmXIDb7oI3kqElGvGXObsTJpNoK00N63wc4EnIluQ0/5794IsdjaeEjkCS4IW4T/Min3839Acvir745qnmxJA99vr5J4Ae8KCzYb5moCefM1ObIXVHcXw3tO7mQGy9Sxh3KIfA+C/nhQQ834UxilcdlgqE== Bart key
Two caveats from the sshd_config manual page. The hostname part of from= only matches if sshd resolves the client address, and since OpenSSH 6.8 UseDNS defaults to no, in which case only addresses, not host names, may be used in from=; that is why the IP addresses stay in the list next to the names. And from= is a second line of defence, not a replacement for protecting the private key: if the key exists for one script, pin it further with command="/path/to/script" and no-pty, and OpenSSH 7.2 and newer also offer the restrict option, which disables port, agent and X11 forwarding, PTY allocation and ~/.ssh/rc execution in one word. On an HMC you do not edit the file by hand; add the entry through the HMC key management command (mkauthkeys). To verify the restriction, connect with the key from a host that is not on the list: the login is refused and sshd logs that authentication was tried with a correct key but not from a permitted host.
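As an added example (not part of the original post), the script below builds the restricted entry from a plain public-key line, rejects the two mistakes that make such an entry fail silently (typographic quotes and an impossible address such as 198.1111.123.1), and models the from= check sshd performs once the key itself has matched. The model follows the documented pattern rules (comma-separated patterns, * and ? wildcards, a leading ! for negation, hostname compared case-insensitively); CIDR masks are deliberately left out, and the key, hostnames and addresses are constructed sample data.

```python
"""Build and sanity-check a restricted OpenSSH authorized_keys entry.

Added example; simplified model of sshd's from= handling (no CIDR support,
fnmatch's [..] classes are not part of sshd's syntax). Sample data is constructed.
"""
import ipaddress
import re
from fnmatch import fnmatchcase

# The options the post adds next to from=.
EXTRA_OPTIONS = ("no-agent-forwarding", "no-port-forwarding", "no-X11-forwarding")

# Typographic quotes that web editors substitute for ASCII double quotes;
# sshd does not treat them as option delimiters.
SMART_QUOTES = "\u201c\u201d\u2018\u2019"


def validate_source(src):
    """Return src if it is usable inside from=, otherwise raise ValueError.

    Anything that looks like a dotted-decimal address must parse as IPv4, so a
    typo such as 198.1111.123.1 is caught instead of matching nothing at runtime.
    """
    if not src or any(ch in src for ch in SMART_QUOTES + ' ",'):
        raise ValueError("illegal character in from= entry: %r" % src)
    if re.fullmatch(r"[0-9.]+", src):
        ipaddress.IPv4Address(src)  # AddressValueError is a ValueError
    return src


def restrict_key(pubkey_line, sources, extra=EXTRA_OPTIONS):
    """Prefix a '<keytype> <base64> [comment]' line with from="..." and the no-* options."""
    fields = pubkey_line.split()
    if len(fields) < 2 or not re.fullmatch(r"(sk-)?(ssh|ecdsa)-[\w@.-]+", fields[0]):
        raise ValueError("expected '<keytype> <base64> [comment]'")
    from_opt = 'from="%s"' % ",".join(validate_source(s.lstrip("!")) and s for s in sources)
    return ",".join((from_opt,) + tuple(extra)) + " " + " ".join(fields)


def host_permitted(patterns, client_host, client_ip):
    """Simplified model of the from= check sshd runs after the key matched.

    Every pattern is tried against the resolved client hostname (case-insensitive)
    and against the client IP. A matching negated pattern denies outright; otherwise
    the client is permitted only if at least one positive pattern matched.
    """
    allowed = False
    host = client_host.lower()
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        pat = pat[1:] if negate else pat
        if fnmatchcase(host, pat.lower()) or fnmatchcase(client_ip, pat):
            if negate:
                return False
            allowed = True
    return allowed


def lint_line(line):
    """Return the problems that would make an authorized_keys entry silently fail."""
    problems = []
    if any(ch in line for ch in SMART_QUOTES):
        problems.append('typographic quotes around the from= value; use ASCII "')
    match = re.search(r'from="([^"]*)"', line)
    if match:
        for src in match.group(1).split(","):
            try:
                validate_source(src.lstrip("!"))
            except ValueError as exc:
                problems.append(str(exc))
    return problems


if __name__ == "__main__":
    # Constructed sample key; the base64 is not a real key.
    SAMPLE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample== Bart key"
    print(restrict_key(SAMPLE_KEY, ["hostname1.domain.com", "198.111.123.1",
                                    "hostname2.domain.com", "198.111.123.2"]))
    # The post's original entry, with smart quotes and a bad octet, is flagged.
    print(lint_line('from=\u201chostname1.domain.com,198.1111.123.1\u201d ' + SAMPLE_KEY))
    print(lint_line('from="hostname1.domain.com,198.1111.123.1" ' + SAMPLE_KEY))
```

Paste the printed line into the target's authorized_keys file as a single line. Remember that with UseDNS set to no on the target only the address patterns can ever match, so host_permitted() with the real sshd is effectively called with client_host equal to the client IP in that configuration.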