If a public key with an associated IP address or domain name in the "from=" field is not on the first line in the authorized_keys file, an error message is printed twice in the log:

    Apr 29 15:20:03 alaemon sshd[16333]: Authentication tried for http with correct key but not from a permitted host (host=anders.its.uu.se, ip=130.238.131.142).
    Apr 29 15:20:03 alaemon sshd[16333]: Accepted publickey for http from 130.238.131.142 port 60901 ssh2
    Apr 29 15:20:03 alaemon sshd[16335]: Received disconnect from 130.238.131.142: 11: disconnected by user
    Apr 29 15:20:03 alaemon sshd[16347]: Authentication tried for http with correct key but not from a permitted host (host=anders.its.uu.se, ip=130.238.131.142).

The client is logged in anyway, so there is no loss of functionality, just the two annoying error messages. This problem was not present in 5.3p1, appeared in 5.4p1, and remains in 5.5p1.
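A log-triage sketch for the symptom reported above, added here as an example; it is not part of the original bug thread and not OpenSSH code. It treats a "not from a permitted host" message as spurious when the same user and IP also have an "Accepted publickey" line within a few seconds. The function names, the 5-second window, the assumed year and the 198.51.100.7 line are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the first four lines follow the log format quoted in the
# report; the last line is a constructed denial with no matching acceptance.
SAMPLE = """\
Apr 29 15:20:03 alaemon sshd[16333]: Authentication tried for http with correct key but not from a permitted host (host=anders.its.uu.se, ip=130.238.131.142).
Apr 29 15:20:03 alaemon sshd[16333]: Accepted publickey for http from 130.238.131.142 port 60901 ssh2
Apr 29 15:20:03 alaemon sshd[16335]: Received disconnect from 130.238.131.142: 11: disconnected by user
Apr 29 15:20:03 alaemon sshd[16347]: Authentication tried for http with correct key but not from a permitted host (host=anders.its.uu.se, ip=130.238.131.142).
Apr 29 15:42:10 alaemon sshd[16502]: Authentication tried for http with correct key but not from a permitted host (host=client.example, ip=198.51.100.7).
"""

STAMP = r"(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[(?P<pid>\d+)\]: "
DENIED = re.compile(STAMP + r"Authentication tried for (?P<user>\S+) with correct key "
                    r"but not from a permitted host \(host=(?P<host>[^,]*), ip=(?P<ip>[^)]+)\)")
ACCEPTED = re.compile(STAMP + r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+")

def _when(ts, year=2010):
    # syslog timestamps carry no year; the year used here is an assumption
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def classify(log_text, window=timedelta(seconds=5)):
    """Split host-restriction denials into (spurious, unexplained) lists."""
    denied, accepted = [], []
    for line in log_text.splitlines():
        for pattern, bucket in ((DENIED, denied), (ACCEPTED, accepted)):
            m = pattern.match(line)
            if m:
                bucket.append({**m.groupdict(), "when": _when(m["ts"])})
    spurious, unexplained = [], []
    for d in denied:
        # The duplicate message can come from a different sshd PID, so match
        # on user and source IP within the time window rather than on PID.
        matched = any(a["user"] == d["user"] and a["ip"] == d["ip"]
                      and abs(a["when"] - d["when"]) <= window for a in accepted)
        (spurious if matched else unexplained).append(d)
    return spurious, unexplained

if __name__ == "__main__":
    spurious, unexplained = classify(SAMPLE)
    for d in unexplained:
        print(f"review: {d['user']} from {d['ip']} ({d['host']}) pid {d['pid']}")
```

The log message carries no key fingerprint, so the match is a heuristic: a denial for one key followed by an acceptance of a different key from the same host would also be classed as spurious.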
Created attachment 1848 delay-options-parse.diff probable fix
Since I have openssh 5.5p1 which contains revision 1.22 of auth2-pubkey.c I could not apply the patch using patch. I therefore applied it manually. As far as I can judge the patch fixes my problem and doesn't introduce any new bugs.
Sorry! The patch doesn't fix my problem. I had applied a couple of lines in the wrong order. After I put them in the right order, according to your patch, the problem is back.

This is how I first patched the file. This version fixes my problem.

    if (key->type == KEY_RSA_CERT || key->type == KEY_DSA_CERT) {
        if (auth_parse_options(pw, key_options, file, linenum) != 1)
            continue;
        if (!key_is_cert_authority)
            continue;
        if (!key_equal(found, key->cert->signature_key))
            continue;
        fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);

This is how it looks after I applied it correctly. This does NOT fix my problem.

    if (key->type == KEY_RSA_CERT || key->type == KEY_DSA_CERT) {
        if (!key_equal(found, key->cert->signature_key))
            continue;
        if (auth_parse_options(pw, key_options, file, linenum) != 1)
            continue;
        if (!key_is_cert_authority)
            continue;
        fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
Are you using certificates? The lines you quoted only apply to certificate keys.
No, I'm not. I just didn't note that this part of the patch is only used for certificates. Sorry! I must have made some mistake when testing. When I test now the problem is still there so the patch didn't help.
Fix committed - will be in OpenSSH-5.6
As I said, the problem is *not* fixed by the patch, at least not if applied to 5.5p1 containing version 1.22 of auth2-pubkey.c.
Created attachment 1959 Diff of manually applied patch
On 2010-11-21, at 02.23, Edward Z. Yang wrote:
>We noticed that you stated that the patch attached to [1] did not
>work. This seems quite odd, and so I was wondering if you could
>construct a unified diff of your changes and post it to the
>bugtracker?

I have attached the requested diff separately. I have also tried the new version openssh-5.6p1 which should contain the fix. Unfortunately the problem remains:

    Nov 22 10:15:57 alaemon sshd[3894]: Authentication tried for http with correct key but not from a permitted host (host=anders2.its.uu.se, ip=130.238.131.143).
    Nov 22 10:15:57 alaemon sshd[3894]: Accepted publickey for http from 130.238.131.143 port 1073 ssh2
    Nov 22 10:15:57 alaemon sshd[3916]: Received disconnect from 130.238.131.143: 11: disconnected by user
    Nov 22 10:15:58 alaemon sshd[3925]: Authentication tried for http with correct key but not from a permitted host (host=anders2.its.uu.se, ip=130.238.131.143).
Move resolved bugs to CLOSED after 5.7 release
*** Bug 2027 has been marked as a duplicate of this bug. ***