| Summary: | SSH generates misleading errors when using public key authentication | | |
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Xavier Jodoin <xavier.jodoin> |
| Component: | sshd | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED DUPLICATE | | |
| Severity: | normal | CC: | gabriel |
| Priority: | P5 | | |
| Version: | 6.0p1 | | |
| Hardware: | Other | | |
| OS: | Linux | | |

This bug is related to the following issue: http://travaux.ovh.net/?do=details&id=7060

The spurious message therefore is:

> Authentication tried for root with correct key but not from a permitted host (host=AAAA, ip=XXXX).

even when the key is *incorrect*, provided there is a "from=" field in authorized_keys.

The bug is very real, but I'm afraid your patch is wrong:

- First, the spurious message is about identifying with a key, not a certificate. You are patching the wrong warning - at least wrt. the issue linked above (there might also be an issue with certificates but it has not been reported AFAIK).
- Then, even if this were the right warning to patch, you modified the string to remove the %.100s for the host but you kept pw->pw_name in logit. It cannot work.

> auth-options.c: In function ‘parse_option_list’:
> auth-options.c:518:10: warning: too many arguments for format [-Wformat-extra-args]

I know there has been a lot of unfortunate buzz about this yesterday, but this is no excuse to release a patch that has obviously been done in a hurry and never tested.

In fact, this bug has already been fixed in OpenSSH 6.0p1. It is only present in 5.5p1 (which is in Debian stable), because auth_parse_options used to be called before key_equal in user_key_allowed2 (file auth2-pubkey.c). In the latest cvs snapshot, I cannot reproduce the bug and key_found is indeed called before auth_parse_options, which is correct.

*** This bug has been marked as a duplicate of bug 1765 ***

Thanks for the rapid feedback on this issue. And I confirm it's fixed on the version 6.0p1.

Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1

Created attachment 2176: message patch

The log message is wrong when you authenticate with a public key and the account is protected with an IP address.
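
The call-order problem described in the comments (options parsed before the offered key is compared) can be seen in a small model, added here as an illustration. It is not OpenSSH code: the struct, the function names and the sample hosts and keys are constructed, and key comparison is reduced to a string compare.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of one authorized_keys line: optional from= host, key blob. */
struct ak_line { const char *from; const char *key; };

/* Stand-in for the from= check. On refusal it bumps *warnings, modelling the
   "correct key but not from a permitted host" log line. */
static int from_permits(const struct ak_line *l, const char *host, int *warnings) {
    if (l->from == NULL || strcmp(l->from, host) == 0)
        return 1;
    (*warnings)++;
    return 0;
}

/* options_first=1 models the order the comments attribute to 5.5p1 (options
   parsed before key comparison); options_first=0 models the corrected order. */
int check_key(const struct ak_line *lines, size_t n, const char *offered,
              const char *host, int options_first, int *warnings) {
    *warnings = 0;
    for (size_t i = 0; i < n; i++) {
        int key_ok = strcmp(lines[i].key, offered) == 0;
        if (options_first) {
            /* Warning fires on any from= mismatch, whatever key was offered. */
            if (!from_permits(&lines[i], host, warnings))
                continue;
            if (key_ok)
                return 1;
        } else {
            if (!key_ok)
                continue;   /* wrong key: never reaches the from= warning */
            if (from_permits(&lines[i], host, warnings))
                return 1;
        }
    }
    return 0;
}

static const struct ak_line SAMPLE[] = {
    { "admin.example.org", "KEY-A" },   /* constructed values */
    { NULL,                "KEY-B" },
};

int main(void) {
    int w, ok = check_key(SAMPLE, 2, "KEY-WRONG", "other.example.net", 1, &w);
    printf("options first: auth=%d warnings=%d\n", ok, w);
    ok = check_key(SAMPLE, 2, "KEY-WRONG", "other.example.net", 0, &w);
    printf("key first:     auth=%d warnings=%d\n", ok, w);
    return 0;
}
```

With the key compared first, the warning is only counted when the offered key really matches a line whose from= restriction excludes the client, which is the only case where the log text is true.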