Bug 1841

Summary:

Error message if key occurs twice in authorized_keys file

Product:

Portable OpenSSH

Reporter:

Anders Liljegren <anders.liljegren>

Component:

sshd

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

CLOSED WORKSFORME

Severity:

normal

CC:

djm

Priority:

Version:

5.6p1

Hardware:

All

OS:

Linux

Attachments:

Description	Flags
authorized_keys	none
sshd -ddd	none

Description Anders Liljegren 2010-11-23 03:07:56 AEDT

If a public key occurs twice in the authorized_keys file but with different IP addresses or domain names in the "from=" field, and if the a connection is made from the IP address or domain name of the latter, then the following error message is printed twice in the log:

Nov 22 16:31:27 alaemon sshd[11763]: Authentication tried for anders with correct key but not from a permitted host (host=anders2.its.uu.se, ip=130.238.131.143).
Nov 22 16:31:33 alaemon sshd[11763]: Authentication tried for anders with correct key but not from a permitted host (host=anders2.its.uu.se, ip=130.238.131.143).

The authorized_keys file is attached.

This bug is related to bug 1765 and explains why the fix for that bug didn't solve my problem.

Comment 1 Anders Liljegren 2010-11-23 03:16:52 AEDT

Created attachment 1960 [details]
authorized_keys

Comment 2 Anders Liljegren 2010-11-23 19:08:53 AEDT

Changed title to something more appropriate.

Comment 3 Damien Miller 2010-11-24 10:14:37 AEDT

Please attach a debug trace of the server accepting such a connection (run the server using "sshd -ddd").

Comment 4 Anders Liljegren 2010-11-24 17:08:25 AEDT

Created attachment 1967 [details]
sshd -ddd

Comment 5 Damien Miller 2010-11-26 07:51:29 AEDT

Public keys are usually tried twice during authentication, initially to query the server to determine whether it will accept the key and then again, after generating a signature using the private half, to actually authenticate.

As such, each line in authorized_keys will be evaluated twice. You configuration is set up to cause this noise by listing the same key with different access rules. To avoid the noise in your logs, combine the two lines as

from="anders.its.uu.se,anders2.its.uu.se" ssh-dss AAAAB3N...

Comment 6 Anders Liljegren 2010-11-26 20:46:33 AEDT

(In reply to comment #5)
> Public keys are usually tried twice during authentication, initially to
> query the server to determine whether it will accept the key and then
> again, after generating a signature using the private half, to actually
> authenticate.
> 
> As such, each line in authorized_keys will be evaluated twice.

I guessed that this was the problem. If sshd both times looked up the
keys using both key and ip-address it would be no problem. It would
only get one hit.

> Your
> configuration is set up to cause this noise by listing the same key
> with different access rules. To avoid the noise in your logs, combine
> the two lines as
> 
> from="anders.its.uu.se,anders2.its.uu.se" ssh-dss AAAAB3N...

Yes, this is the obvious work around. There is however some problems
with this. Firstly, if the file is big it's easy to overlook that  a certain
key is already in the file with some other ip address. Secondly, it's not easy
to understand at once what's wrong. The user may think something else
is wrong and start out on a wild goose chase.

I think that this should be fixed in the code so that is works as most
people would expect it to work.

Comment 7 Anders Liljegren 2010-11-26 20:57:52 AEDT

(In reply to comment #5)

I just remembered why I use the same key on multiple
lines in the authorized_keys file.  If I want different
commands to be executed for different ip addresses, 
then I can't combine the lines into one.

Comment 8 Damien Miller 2011-01-24 12:34:00 AEDT

Move resolved bugs to CLOSED after 5.7 release