openssh bugs - Apr 2010 - [Bug 1765] New: Error message if key not first in authorized_keys file

https://bugzilla.mindrot.org/show_bug.cgi?id=1765

           Summary: Error message if key not first in authorized_keys file
           Product: Portable OpenSSH
           Version: 5.5p1
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: anders.liljegren at uadm.uu.se


If a public key with an associated IP address or domain name in the
"from=" field is not on the first line in the authorized_keys file, an
error message is printed twice in the log:

Apr 29 15:20:03 alaemon sshd[16333]: Authentication tried for http with
correct key but not from a permitted host (host=anders.its.uu.se,
ip=130.238.131.142).
Apr 29 15:20:03 alaemon sshd[16333]: Accepted publickey for http from
130.238.131.142 port 60901 ssh2
Apr 29 15:20:03 alaemon sshd[16335]: Received disconnect from
130.238.131.142: 11: disconnected by user
Apr 29 15:20:03 alaemon sshd[16347]: Authentication tried for http with
correct key but not from a permitted host (host=anders.its.uu.se,
ip=130.238.131.142).

The client is logged in anyway, so there is no loss of functionality,
just the two annoying error messages.

This problem was not present in 5.3p1, appeared in 5.4p1, and remain in
5.5p1.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1765

--- Comment #1 from Damien Miller <djm at mindrot.org>  ---
Created attachment 1848
  --> https://bugzilla.mindrot.org/attachment.cgi?id=1848
delay-options-parse.diff

probable fix

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1765

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Blocks|                            |1708

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1765

--- Comment #2 from Anders Liljegren <anders.liljegren at uadm.uu.se>  ---
Since I have openssh 5.5p1 which contains revision 1.22 of
auth2-pubkey.c I could not apply the patch using patch. I therefore
applied it manually. As far as I can judge the patch fixes my problem
and doesn't introduce any new bugs.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1765

--- Comment #3 from Anders Liljegren <anders.liljegren at uadm.uu.se>  ---
Sorry!
The patch doesn't fix my problem. I had applied a couple of lines in
the wrong order. After I put them in the right order, according to your
patch, the problem the problem is back.

This is how I first patched the file. This version fixes my problem.

                if (key->type == KEY_RSA_CERT || key->type =KEY_DSA_CERT)
{
                        if (auth_parse_options(pw, key_options, file,
                            linenum) != 1)
                                continue;
                        if (!key_is_cert_authority)
                                continue;
                        if (!key_equal(found,
key->cert->signature_key))
                                continue;
                        fp = key_fingerprint(found, SSH_FP_MD5,
                            SSH_FP_HEX);

This is how it looks after I applied it correctly. This does NOT fix my
problem.

                if (key->type == KEY_RSA_CERT || key->type =KEY_DSA_CERT)
{
                        if (!key_equal(found,
key->cert->signature_key))
                                continue;
                        if (auth_parse_options(pw, key_options, file,
                            linenum) != 1)
                                continue;
                        if (!key_is_cert_authority)
                                continue;
                        fp = key_fingerprint(found, SSH_FP_MD5,
                            SSH_FP_HEX);

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1765

--- Comment #4 from Damien Miller <djm at mindrot.org>  ---
Are you using certificates? The lines you quoted only apply to
certificate keys.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1765

--- Comment #5 from Anders Liljegren <anders.liljegren at uadm.uu.se>  ---
No, I'm not. I just didn't note that this part of the patch is only
used for certificates. Sorry! I must have made some mistake when
testing. When I test now the problem is still there so the patch didn't
help.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1765

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #6 from Damien Miller <djm at mindrot.org>  ---
Fix committed - will be in OpenSSH-5.6

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1765

--- Comment #7 from Anders Liljegren <anders.liljegren at uadm.uu.se>  ---
As I said, the problem is *not* fixed by the patch, at least not if
applied to 5.5p1 containing version 1.22 of auth2-pubkey.c.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1765

--- Comment #8 from Anders Liljegren <anders.liljegren at uadm.uu.se>
2010-11-22 20:24:02 EST ---
Created attachment 1959
  --> https://bugzilla.mindrot.org/attachment.cgi?id=1959
Diff of manually applied patch

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1765

Anders Liljegren <anders.liljegren at uadm.uu.se> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

--- Comment #9 from Anders Liljegren <anders.liljegren at uadm.uu.se>
2010-11-22 20:29:52 EST ---
On 2010-11-21, at 02.23, Edward Z. Yang wrote:
>We noticed that you stated that the patch attached to [1] did not
>work.  This seems quite odd, and so I was wondering if you could
>construct a unified diff of your changes and post it to the
>bugtracker?
I have attached the requested diff seperately.

I have also tried the new version openssh-5.6p1 which should contain
the fix. Unfortunately the problem remains:


Nov 22 10:15:57 alaemon sshd[3894]: Authentication tried for http with
correct key but not from a permitted host (host=anders2.its.uu.se,
ip=130.238.131.143).
Nov 22 10:15:57 alaemon sshd[3894]: Accepted publickey for http from
130.238.131.143 port 1073 ssh2
Nov 22 10:15:57 alaemon sshd[3916]: Received disconnect from
130.238.131.143: 11: disconnected by user
Nov 22 10:15:58 alaemon sshd[3925]: Authentication tried for http with
correct key but not from a permitted host (host=anders2.its.uu.se,
ip=130.238.131.143).

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1765

Anders Liljegren <anders.liljegren at uadm.uu.se> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1765

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #10 from Damien Miller <djm at mindrot.org> 2011-01-24
12:33:53 EST ---
Move resolved bugs to CLOSED after 5.7 release

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.