Bug 1765

Summary: Error message if key not first in authorized_keys file
Product: Portable OpenSSH
Reporter: Anders Liljegren <anders.liljegren>
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: normal
CC: djm, xavier.jodoin
Priority: P2
Version: 5.5p1
Hardware: Other
OS: Linux
Bug Depends on:
Bug Blocks: 1708
Attachments (Description / Flags):
delay-options-parse.diff / none
Diff of manually applied patch / none

Description Anders Liljegren 2010-04-29 23:29:32 AEST
If a public key with an associated IP address or domain name in the "from=" field is not on the first line in the authorized_keys file, an error message is printed twice in the log:

Apr 29 15:20:03 alaemon sshd[16333]: Authentication tried for http with correct key but not from a permitted host (host=anders.its.uu.se, ip=130.238.131.142).
Apr 29 15:20:03 alaemon sshd[16333]: Accepted publickey for http from 130.238.131.142 port 60901 ssh2
Apr 29 15:20:03 alaemon sshd[16335]: Received disconnect from 130.238.131.142: 11: disconnected by user
Apr 29 15:20:03 alaemon sshd[16347]: Authentication tried for http with correct key but not from a permitted host (host=anders.its.uu.se, ip=130.238.131.142).

The client is logged in anyway, so there is no loss of functionality, just the two annoying error messages.

This problem was not present in 5.3p1, appeared in 5.4p1, and remains in 5.5p1.
Comment 1 Damien Miller 2010-05-12 16:23:22 AEST
Created attachment 1848 [details]
delay-options-parse.diff

probable fix
Comment 2 Anders Liljegren 2010-05-12 23:06:32 AEST
Since I have openssh 5.5p1, which contains revision 1.22 of auth2-pubkey.c, I could not apply the patch using patch. I therefore applied it manually. As far as I can judge, the patch fixes my problem and doesn't introduce any new bugs.
Comment 3 Anders Liljegren 2010-05-12 23:47:23 AEST
Sorry!
The patch doesn't fix my problem. I had applied a couple of lines in the wrong order. After I put them in the right order, according to your patch, the problem is back.

This is how I first patched the file. This version fixes my problem.

                if (key->type == KEY_RSA_CERT || key->type == KEY_DSA_CERT) {
                        if (auth_parse_options(pw, key_options, file,
                            linenum) != 1)
                                continue;
                        if (!key_is_cert_authority)
                                continue;
                        if (!key_equal(found, key->cert->signature_key))
                                continue;
                        fp = key_fingerprint(found, SSH_FP_MD5,
                            SSH_FP_HEX);
  
This is how it looks after I applied it correctly. This does NOT fix my problem.

                if (key->type == KEY_RSA_CERT || key->type == KEY_DSA_CERT) {
                        if (!key_equal(found, key->cert->signature_key))
                                continue;
                        if (auth_parse_options(pw, key_options, file,
                            linenum) != 1)
                                continue;
                        if (!key_is_cert_authority)
                                continue;
                        fp = key_fingerprint(found, SSH_FP_MD5,
                            SSH_FP_HEX);
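A constructed C model of the ordering question behind this report and the two snippets in comment 3 (an added example, not OpenSSH's auth2-pubkey.c): if each authorized_keys line's from= restriction is evaluated before the key on that line is compared, every non-matching line that precedes the user's key and names a different source logs "not from a permitted host"; comparing the key first evaluates the restriction only on the line that actually matched. The sample lines, the from_permits matcher and both scan functions are assumptions of this model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not OpenSSH code: one authorized_keys line is an
 * optional from= pattern plus a key blob. Sample values are made up. */
struct ak_line { const char *from; const char *key; };
struct verdict { int accepted; int warnings; };

static const struct ak_line LINES[] = {
    { "10.0.0.1",  "AAAAB3...key-alpha" },   /* line 1: someone else's key */
    { "192.0.2.*", "AAAAB3...key-beta"  },   /* line 2: the connecting user's key */
};
#define NLINES (sizeof(LINES) / sizeof(LINES[0]))

/* Minimal from= matcher: literal host/IP or a trailing '*' wildcard. */
static int from_permits(const char *pat, const char *ip) {
    const char *star = strchr(pat, '*');
    if (star)
        return strncmp(pat, ip, (size_t)(star - pat)) == 0;
    return strcmp(pat, ip) == 0;
}

/* Order the report describes: options (and so from=) are evaluated on every
 * line before the key is compared, so a line that denies the source logs a
 * warning even though its key is not the one being offered. */
struct verdict scan_options_first(const char *key, const char *ip) {
    struct verdict v = { 0, 0 };
    for (size_t i = 0; i < NLINES; i++) {
        if (!from_permits(LINES[i].from, ip)) { v.warnings++; continue; }
        if (strcmp(LINES[i].key, key) == 0) { v.accepted = 1; break; }
    }
    return v;
}

/* Key first: only the matching line's restriction is evaluated and logged. */
struct verdict scan_key_first(const char *key, const char *ip) {
    struct verdict v = { 0, 0 };
    for (size_t i = 0; i < NLINES; i++) {
        if (strcmp(LINES[i].key, key) != 0) continue;
        if (!from_permits(LINES[i].from, ip)) { v.warnings++; continue; }
        v.accepted = 1; break;
    }
    return v;
}

int main(void) {
    struct verdict a = scan_options_first("AAAAB3...key-beta", "192.0.2.7");
    struct verdict b = scan_key_first("AAAAB3...key-beta", "192.0.2.7");
    printf("options first: accepted=%d warnings=%d\n", a.accepted, a.warnings);
    printf("key first:     accepted=%d warnings=%d\n", b.accepted, b.warnings);
    return 0;
}
```

The first scan accepts the login yet still logs one spurious warning for line 1, which is the symptom in the report; the second scan accepts with no warning, and logs one only when the matching key's own from= really denies the source.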
Comment 4 Damien Miller 2010-05-13 11:56:10 AEST
Are you using certificates? The lines you quoted only apply to certificate keys.
Comment 5 Anders Liljegren 2010-05-19 17:28:06 AEST
No, I'm not. I just didn't note that this part of the patch is only used for certificates. Sorry! I must have made some mistake when testing. When I test now the problem is still there so the patch didn't help.
Comment 6 Damien Miller 2010-05-20 21:29:27 AEST
Fix committed - will be in OpenSSH-5.6
Comment 7 Anders Liljegren 2010-05-20 21:39:25 AEST
As I said, the problem is *not* fixed by the patch, at least not if applied to 5.5p1 containing version 1.22 of auth2-pubkey.c.
Comment 8 Anders Liljegren 2010-11-22 20:24:02 AEDT
Created attachment 1959 [details]
Diff of manually applied patch
Comment 9 Anders Liljegren 2010-11-22 20:29:52 AEDT
On 2010-11-21, at 02.23, Edward Z. Yang wrote:

>We noticed that you stated that the patch attached to [1] did not
>work.  This seems quite odd, and so I was wondering if you could
>construct a unified diff of your changes and post it to the
>bugtracker?

I have attached the requested diff separately.

I have also tried the new version openssh-5.6p1 which should contain the fix. Unfortunately the problem remains:

Nov 22 10:15:57 alaemon sshd[3894]: Authentication tried for http with correct key but not from a permitted host (host=anders2.its.uu.se, ip=130.238.131.143).
Nov 22 10:15:57 alaemon sshd[3894]: Accepted publickey for http from 130.238.131.143 port 1073 ssh2
Nov 22 10:15:57 alaemon sshd[3916]: Received disconnect from 130.238.131.143: 11: disconnected by user
Nov 22 10:15:58 alaemon sshd[3925]: Authentication tried for http with correct key but not from a permitted host (host=anders2.its.uu.se, ip=130.238.131.143).
Comment 10 Damien Miller 2011-01-24 12:33:53 AEDT
Move resolved bugs to CLOSED after 5.7 release
Comment 11 Gabriel Kerneis 2012-07-21 17:26:04 AEST
*** Bug 2027 has been marked as a duplicate of this bug. ***