A question about ssh RSA key connection

> Hi
> I recently met with a problem when trying to set up ssh connection
> through the ssh key
>
> I first create a key through command ssh-keygen -t rsa -f
> /.ssh/pmcftp_id_rsa -P "" , two files would be created under /.ssh
> pmcftp_id_rsa and pmcftp_id_rsa.pub, then I insert an entry into the
> .pub file - from="47.154.169.129,47.154.169.128"  this should
> restrickt that the ssh key should only work for sources of these two
> ips.
> Then I push the public key to another server under ~pmcftp/.ssh, after
> that, I start the ssh connection through command ssh -I pmcftp -i.
> ./ssh/pmcftp_id_rsa <server ip>, the ssh connection would be set up
> without asking for the passwd.
> But, when I create the ssh key on a server that has several ip
> address, like following:
> =====
> ifconfig -a
> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu
> 8232 index 1
>         inet 127.0.0.1 netmask ff000000
> uplink0: flags=1040863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,DEPRECATED,IPv4>
> mtu 1500 index 2
>         inet 47.154.169.130 netmask ffffff00 broadcast 47.154.169.255
>         ether 0:0:bb:2e:74:e
> uplink0:1: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4>
> mtu 1500 index 2
>         inet 47.154.169.128 netmask ffffff00 broadcast 47.154.169.255
> uplink0:2: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4>
> mtu 1500 index 2
>         inet 47.154.169.129 netmask ffffff00 broadcast 47.154.169.255
> uplink1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
>         inet 192.168.47.1 netmask ffffff00 broadcast 192.168.47.255
>         ether 0:0:bb:2e:74:d
> =====
> And added ip 47.154.169.128  and 47.154.169.129  into the from ip list
> entry in the key file, then I push the ssh key to server
> 47.154.169.130 (which should be the same server as the source)
> Then when I try to start the ssh connection through command ssh -I
> pmcftp -i. ./ssh/pmcftp_id_rsa 47.154.169.130 , the key does not work
> anymore, and the log give info like this
> ==
>  Authentication tried for pmcftp with correct key but not from a
> permitted host (host=iems196-unit0, ip=47.154.169.130)
> ==
> Obviously, here the from ip list does not include 47.154.169.130, and
> the ssh connection treate the from ip as 47.154.169.130 not other ips
> of this server.
> Then I tried another command
> Ssh -b 47.154.169.128  -I pmcftp -i. ./ssh/pmcftp_id_rsa
> 47.154.169.130 the key works well again.
> The -b option is binding the from ip to 57.154.169.128 and it's in the
> from ip list in the key file.
>
> how the ip of the from side of the ssh connection is obtained? When
> the from side of the ssh connection has several ips how would the ip
> address be determined by the to side?
> Any info would be highly appreciated, thanks in advance!
>
> Best regards
> Guang
>
> --
> 徐广
> 13581797776

> this is far from a ssh problem, as the connect src address is selected
> by system, mostly by the default routing set, in your case, there are
> many IP in the same vlan/ip space, that will be choosed to be the first
> ip in your ip list, .130 is the first then.
>
> you may use the "-b" option if you really need to set your src ip
> address.
>
>
> 在 2009-08-22六的 12:10 +0800，徐广写道：
>> Hi
>> I recently met with a problem when trying to set up ssh connection
>> through the ssh key
>>
>> I first create a key through command ssh-keygen -t rsa -f
>> /.ssh/pmcftp_id_rsa -P "" , two files would be created under /.ssh
>> pmcftp_id_rsa and pmcftp_id_rsa.pub, then I insert an entry into the
>> .pub file - from="47.154.169.129,47.154.169.128"  this should
>> restrickt that the ssh key should only work for sources of these two
>> ips.
>> Then I push the public key to another server under ~pmcftp/.ssh, after
>> that, I start the ssh connection through command ssh -I pmcftp -i.
>> ./ssh/pmcftp_id_rsa <server ip>, the ssh connection would be set up
>> without asking for the passwd.
>> But, when I create the ssh key on a server that has several ip
>> address, like following:
>> =====
>> ifconfig -a
>> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu
>> 8232 index 1
>>         inet 127.0.0.1 netmask ff000000
>> uplink0: flags=1040863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,DEPRECATED,IPv4>
>> mtu 1500 index 2
>>         inet 47.154.169.130 netmask ffffff00 broadcast 47.154.169.255
>>         ether 0:0:bb:2e:74:e
>> uplink0:1: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4>
>> mtu 1500 index 2
>>         inet 47.154.169.128 netmask ffffff00 broadcast 47.154.169.255
>> uplink0:2: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4>
>> mtu 1500 index 2
>>         inet 47.154.169.129 netmask ffffff00 broadcast 47.154.169.255
>> uplink1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
>>         inet 192.168.47.1 netmask ffffff00 broadcast 192.168.47.255
>>         ether 0:0:bb:2e:74:d
>> =====
>> And added ip 47.154.169.128  and 47.154.169.129  into the from ip list
>> entry in the key file, then I push the ssh key to server
>> 47.154.169.130 (which should be the same server as the source)
>> Then when I try to start the ssh connection through command ssh -I
>> pmcftp -i. ./ssh/pmcftp_id_rsa 47.154.169.130 , the key does not work
>> anymore, and the log give info like this
>> ==
>>  Authentication tried for pmcftp with correct key but not from a
>> permitted host (host=iems196-unit0, ip=47.154.169.130)
>> ==
>> Obviously, here the from ip list does not include 47.154.169.130, and
>> the ssh connection treate the from ip as 47.154.169.130 not other ips
>> of this server.
>> Then I tried another command
>> Ssh -b 47.154.169.128  -I pmcftp -i. ./ssh/pmcftp_id_rsa
>> 47.154.169.130 the key works well again.
>> The -b option is binding the from ip to 57.154.169.128 and it's in the
>> from ip list in the key file.
>>
>> how the ip of the from side of the ssh connection is obtained? When
>> the from side of the ssh connection has several ips how would the ip
>> address be determined by the to side?
>> Any info would be highly appreciated, thanks in advance!
>>
>> Best regards
>> Guang
>>
>> --
>> 徐广
>> 13581797776
>
>

> From: 徐广 <xuguang181@...>
> Subject: Re: A question about ssh RSA key connection
> To: "ming.zym@..." <ming.zym@...>
> Cc: secureshell@...
> Date: Monday, 24 August, 2009, 8:46 AM
> Thanks ming for your reply
>
> When I connect to  47.154.169.130 the from ip would
> be
> 47.154.169.130, but when I try to connect to other servers,
> the from
> ip became 47.154.169.128, so this is really refusing me.
>
>
>
> 2009/8/24 ming.zym@...
> <ming.zym@...>:
> > this is far from a ssh problem, as the connect src
> address is selected
> > by system, mostly by the default routing set, in your
> case, there are
> > many IP in the same vlan/ip space, that will be
> choosed to be the first
> > ip in your ip list, .130 is the first then.
> >
> > you may use the "-b" option if you really need to set
> your src ip
> > address.
> >
> >
> > 在 2009-08-22六的 12:10 +0800，徐广写道：
> >> Hi
> >> I recently met with a problem when trying to set
> up ssh connection
> >> through the ssh key
> >>
> >> I first create a key through command ssh-keygen -t
> rsa -f
> >> /.ssh/pmcftp_id_rsa -P "" , two files would be
> created under /.ssh
> >> pmcftp_id_rsa and pmcftp_id_rsa.pub, then I insert
> an entry into the
> >> .pub file -
> from="47.154.169.129,47.154.169.128"  this should
> >> restrickt that the ssh key should only work for
> sources of these two
> >> ips.
> >> Then I push the public key to another server under
> ~pmcftp/.ssh, after
> >> that, I start the ssh connection through command
> ssh -I pmcftp -i.
> >> ./ssh/pmcftp_id_rsa <server ip>, the ssh
> connection would be set up
> >> without asking for the passwd.
> >> But, when I create the ssh key on a server that
> has several ip
> >> address, like following:
> >> =====
> >> ifconfig -a
> >> lo0:
> flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL>
> mtu
> >> 8232 index 1
> >>         inet
> 127.0.0.1 netmask ff000000
> >> uplink0:
> flags=1040863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,DEPRECATED,IPv4>
> >> mtu 1500 index 2
> >>         inet
> 47.154.169.130 netmask ffffff00 broadcast 47.154.169.255
> >>         ether
> 0:0:bb:2e:74:e
> >> uplink0:1:
> flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4>
> >> mtu 1500 index 2
> >>         inet
> 47.154.169.128 netmask ffffff00 broadcast 47.154.169.255
> >> uplink0:2:
> flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4>
> >> mtu 1500 index 2
> >>         inet
> 47.154.169.129 netmask ffffff00 broadcast 47.154.169.255
> >> uplink1:
> flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu
> 1500 index 3
> >>         inet
> 192.168.47.1 netmask ffffff00 broadcast 192.168.47.255
> >>         ether
> 0:0:bb:2e:74:d
> >> =====
> >> And added ip 47.154.169.128  and
> 47.154.169.129  into the from ip list
> >> entry in the key file, then I push the ssh key to
> server
> >> 47.154.169.130 (which should be the same server as
> the source)
> >> Then when I try to start the ssh connection
> through command ssh -I
> >> pmcftp -i. ./ssh/pmcftp_id_rsa 47.154.169.130 ,
> the key does not work
> >> anymore, and the log give info like this
> >> ==
> >>  Authentication tried for pmcftp with correct
> key but not from a
> >> permitted host (host=iems196-unit0,
> ip=47.154.169.130)
> >> ==
> >> Obviously, here the from ip list does not include
> 47..154.169.130, and
> >> the ssh connection treate the from ip as
> 47.154.169.130 not other ips
> >> of this server.
> >> Then I tried another command
> >> Ssh -b 47.154.169.128  -I pmcftp -i.
> ./ssh/pmcftp_id_rsa
> >> 47.154.169.130 the key works well again.
> >> The -b option is binding the from ip to
> 57.154.169.128 and it's in the
> >> from ip list in the key file.
> >>
> >> how the ip of the from side of the ssh connection
> is obtained? When
> >> the from side of the ssh connection has several
> ips how would the ip
> >> address be determined by the to side?
> >> Any info would be highly appreciated, thanks in
> advance!
> >>
> >> Best regards
> >> Guang
> >>
> >> --
> >> 徐广
> >> 13581797776
> >
> >
>
>
>
> --
> 徐广
> 13581797776
>