– Bart's blog

IBM i and PowerVM features and tools

How to restrict usage of ssh keys for specific hosts only.

In this post I would like to show you how to restrict a ssh connection for a specific host only.

Nowadays, its very popular that you query or run some scripts from an IBM i machine against a HMC or  Virtual I/O Server . Most likely you exchange ssh keys.

The rule number one is to secure a private key, but you can improve the security, if on the client machine you will define a hostname/s which are allowed to connect with the specific public key. You can do it editing the public key entry.

So probably your public key looks similar to this:

ssh-rsa AAAA4iosfvasjY&34f/ANMuQCeHIb57DIaqgittI/3ir+i+4Ina4iVVakr4kaTviyvgGyhiTIFe1xDLWirE/EpTCL896wY3b/cCB9/XPmwFuhynW02/IE6tfcNbJHSYdfsdfvknsrfgR$iNMEFsdg#qFKUmXIDb7oI3kqElGvGXObsTJpNoK00N63wc4EnIluQ0/5794IsdjaeEjkCS4IW4T/Min3839Acvir745qnmxJA99vr5J4Ae8KCzYb5moCefM1ObIXVHcXw3tO7mQGy9Sxh3KIfA+C/nhQQ834UxilcdlgqE== Bart key

If you add following string before the key begins, a SSH daemon on a client (VIOS, HMC) allows to use the key only by hosts and


So, the whole string which need to be added to the .ssh/authorized_keys2 file is following

from=“,198.1111.123.1,,”,no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAA4iosfvasjY&34f/ANMuQCeHIb57DIaqgittI/3ir+i+4Ina4iVVakr4kaTviyvgGyhiTIFe1xDLWirE/EpTCL896wY3b/cCB9/XPmwFuhynW02/IE6tfcNbJHSYdfsdfvknsrfgR$iNMEFsdg#qFKUmXIDb7oI3kqElGvGXObsTJpNoK00N63wc4EnIluQ0/5794IsdjaeEjkCS4IW4T/Min3839Acvir745qnmxJA99vr5J4Ae8KCzYb5moCefM1ObIXVHcXw3tO7mQGy9Sxh3KIfA+C/nhQQ834UxilcdlgqE== Bart key


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: