If a public key occurs twice in the authorized_keys file but with different IP addresses or domain names in the "from=" field, and if a connection is made from the IP address or domain name of the latter, then the following error message is printed twice in the log:

Nov 22 16:31:27 alaemon sshd[11763]: Authentication tried for anders with correct key but not from a permitted host (host=anders2.its.uu.se, ip=130.238.131.143).
Nov 22 16:31:33 alaemon sshd[11763]: Authentication tried for anders with correct key but not from a permitted host (host=anders2.its.uu.se, ip=130.238.131.143).

The authorized_keys file is attached. This bug is related to bug 1765 and explains why the fix for that bug didn't solve my problem.
Created attachment 1960 [details] authorized_keys
Changed title to something more appropriate.
Please attach a debug trace of the server accepting such a connection (run the server using "sshd -ddd").
Created attachment 1967 [details] sshd -ddd
Public keys are usually tried twice during authentication, initially to query the server to determine whether it will accept the key and then again, after generating a signature using the private half, to actually authenticate.

As such, each line in authorized_keys will be evaluated twice. Your configuration is set up to cause this noise by listing the same key with different access rules. To avoid the noise in your logs, combine the two lines as

from="anders.its.uu.se,anders2.its.uu.se" ssh-dss AAAAB3N...
(In reply to comment #5)
> Public keys are usually tried twice during authentication, initially to
> query the server to determine whether it will accept the key and then
> again, after generating a signature using the private half, to actually
> authenticate.
>
> As such, each line in authorized_keys will be evaluated twice.

I guessed that this was the problem. If sshd both times looked up the keys using both key and ip-address it would be no problem. It would only get one hit.

> Your
> configuration is set up to cause this noise by listing the same key
> with different access rules. To avoid the noise in your logs, combine
> the two lines as
>
> from="anders.its.uu.se,anders2.its.uu.se" ssh-dss AAAAB3N...

Yes, this is the obvious workaround. There are, however, some problems with this. Firstly, if the file is big it's easy to overlook that a certain key is already in the file with some other ip address. Secondly, it's not easy to understand at once what's wrong. The user may think something else is wrong and start out on a wild goose chase. I think that this should be fixed in the code so that it works as most people would expect it to work.
(In reply to comment #5) I just remembered why I use the same key on multiple lines in the authorized_keys file. If I want different commands to be executed for different ip addresses, then I can't combine the lines into one.
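A checker for the situation discussed in the comments above, where one key sits on several authorized_keys lines with different from= restrictions and is easy to overlook in a large file; it also reports each line's command= value, since lines with different commands cannot simply be merged. This is an added example, not part of the original bug thread and not OpenSSH code; the function names and the placeholder key material are constructed, and the option parsing is a simplified reading of the authorized_keys syntax.

```python
import re
from collections import defaultdict

KEYTYPE = re.compile(r"^(ssh-|ecdsa-|sk-)[\w@.-]+$")
# A token is a run of unquoted characters and double-quoted strings (\" allowed).
TOKEN = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')
OPTION = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')

def parse_line(line):
    """Return ((keytype, blob), from_value, command) or None for one line."""
    line = line.strip()
    tok = TOKEN.findall(line)
    if not tok or line.startswith("#"):
        return None
    # The options field is optional; it is present when the first token is not a key type.
    opts = "" if KEYTYPE.match(tok[0]) else tok.pop(0)
    if len(tok) < 2 or not KEYTYPE.match(tok[0]):
        return None  # not a recognisable key line
    found = {}
    for opt in OPTION.findall(opts):
        name, _, val = opt.partition("=")
        found[name.lower()] = val.strip('"')
    # None means the option is absent from this line.
    return (tok[0], tok[1]), found.get("from"), found.get("command")

def split_keys(text):
    """Map each key that appears with differing from= values to its lines."""
    seen = defaultdict(list)
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed:
            key, frm, cmd = parsed
            seen[key].append((n, frm, cmd))
    return {k: v for k, v in seen.items() if len({f for _, f, _ in v}) > 1}

# Constructed sample: hostnames are from the report, key material is placeholder text.
SAMPLE = '''\
from="anders.its.uu.se",command="/usr/local/bin/job one" ssh-dss AAAAconstructedKeyA anders
from="anders2.its.uu.se" ssh-dss AAAAconstructedKeyA anders
ssh-rsa AAAAconstructedKeyB other
'''

if __name__ == "__main__":
    for (ktype, _), lines in split_keys(SAMPLE).items():
        for n, frm, cmd in lines:
            print(f"{ktype} key on line {n}: from={frm!r} command={cmd!r}")
```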
Move resolved bugs to CLOSED after 5.7 release