Restricting custom domains to specific SSH keys

[wdhdev]

I am having some trouble setting up custom domains and restricting them to specific SSH keys.

For context this is my setup:

• sish domain: t.hrsn.net - this is the domain used in the SSH command to connect to sish and is the default hostname when not using a custom domain (e.g. tunnel123.t.hrsn.net).
• Custom domain: t.wdh.gg - this is the domain I'm trying to restrict to a specific SSH key. A CNAME record is configured for t.wdh.gg and *.t.wdh.gg pointing to t.hrsn.net.
• Cloudflare proxy is disabled.
• I am using Docker compose to host sish.

In my config file I have the following:

bind-any-host: false
bind-hosts: t.wdh.gg

Now, this config works and I can setup subdomains on t.wdh.gg like tunnel123.t.wdh.gg however even though I have a TXT record set at _sish.t.wdh.gg with the content:

SHA256:yQ2G5ra7npl6ROKw3BJQWULROIG37u14aMfbfKoWFqQ

Even though that TXT record is in place, anyone regardless if they are using that SSH key are able to use t.wdh.gg subdomains even though it should be restricted to that specific key.

I have tried the following, none of which worked:

• Removing the bind-hosts key entirely, however when attempting to use a subdomain of t.wdh.gg like tunnel123.t.wdh.gg it would instead bind to tunnel123.t.wdh.gg.t.hrsn.net.
• Removing the SHA256: bit from the TXT record, which did not work.
• Using the old DNS configuration by creating the following TXT record at t.wdh.gg (attempted with and without the SHA256: bit):

  sish=SHA256:yQ2G5ra7npl6ROKw3BJQWULROIG37u14aMfbfKoWFqQ

Please let me know how I can setup custom domains and restrict them using TXT records to specific SSH keys. Thanks!

[wdhdev]

Hey @antoniomika, no rush, but are you able to look into this? Thanks 😄