bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-22 16:07 UTC
[Bug 1841] New: Error message if key not first in authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=1841

Summary: Error message if key not first in authorized_keys file
Product: Portable OpenSSH
Version: 5.6p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: anders.liljegren at uadm.uu.se

If a public key occurs twice in the authorized_keys file but with different IP addresses or domain names in the "from=" field, and if a connection is made from the IP address or domain name of the latter, then the following error message is printed twice in the log:

Nov 22 16:31:27 alaemon sshd[11763]: Authentication tried for anders with correct key but not from a permitted host (host=anders2.its.uu.se, ip=130.238.131.143).
Nov 22 16:31:33 alaemon sshd[11763]: Authentication tried for anders with correct key but not from a permitted host (host=anders2.its.uu.se, ip=130.238.131.143).

The authorized_keys file is attached.

This bug is related to bug 1765 and explains why the fix for that bug didn't solve my problem.
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-22 16:16 UTC
[Bug 1841] Error message if key not first in authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=1841

--- Comment #1 from Anders Liljegren <anders.liljegren at uadm.uu.se> 2010-11-23 03:16:52 EST ---
Created attachment 1960
  --> https://bugzilla.mindrot.org/attachment.cgi?id=1960
authorized_keys
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-23 08:07 UTC
[Bug 1841] Error message if key occurs twice in authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=1841

Anders Liljegren <anders.liljegren at uadm.uu.se> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Error message if key not    |Error message if key occurs
                   |first in authorized_keys    |twice in authorized_keys
                   |file                        |file
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-23 08:08 UTC
[Bug 1841] Error message if key occurs twice in authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=1841

--- Comment #2 from Anders Liljegren <anders.liljegren at uadm.uu.se> 2010-11-23 19:08:53 EST ---
Changed title to something more appropriate.
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-23 23:14 UTC
[Bug 1841] Error message if key occurs twice in authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=1841

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #3 from Damien Miller <djm at mindrot.org> 2010-11-24 10:14:37 EST ---
Please attach a debug trace of the server accepting such a connection (run the server using "sshd -ddd").
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-24 06:08 UTC
[Bug 1841] Error message if key occurs twice in authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=1841

--- Comment #4 from Anders Liljegren <anders.liljegren at uadm.uu.se> 2010-11-24 17:08:25 EST ---
Created attachment 1967
  --> https://bugzilla.mindrot.org/attachment.cgi?id=1967
sshd -ddd
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-25 20:51 UTC
[Bug 1841] Error message if key occurs twice in authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=1841

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

--- Comment #5 from Damien Miller <djm at mindrot.org> 2010-11-26 07:51:29 EST ---
Public keys are usually tried twice during authentication, initially to query the server to determine whether it will accept the key and then again, after generating a signature using the private half, to actually authenticate.

As such, each line in authorized_keys will be evaluated twice. Your configuration is set up to cause this noise by listing the same key with different access rules. To avoid the noise in your logs, combine the two lines as

from="anders.its.uu.se,anders2.its.uu.se" ssh-dss AAAAB3N...
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-26 09:46 UTC
[Bug 1841] Error message if key occurs twice in authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=1841

--- Comment #6 from Anders Liljegren <anders.liljegren at uadm.uu.se> 2010-11-26 20:46:33 EST ---
(In reply to comment #5)
> Public keys are usually tried twice during authentication, initially to
> query the server to determine whether it will accept the key and then
> again, after generating a signature using the private half, to actually
> authenticate.
>
> As such, each line in authorized_keys will be evaluated twice.

I guessed that this was the problem. If sshd both times looked up the keys using both key and ip-address it would be no problem. It would only get one hit.

> Your
> configuration is set up to cause this noise by listing the same key
> with different access rules. To avoid the noise in your logs, combine
> the two lines as
>
> from="anders.its.uu.se,anders2.its.uu.se" ssh-dss AAAAB3N...

Yes, this is the obvious workaround. There are however some problems with this. Firstly, if the file is big it's easy to overlook that a certain key is already in the file with some other ip address. Secondly, it's not easy to understand at once what's wrong. The user may think something else is wrong and start out on a wild goose chase.

I think that this should be fixed in the code so that it works as most people would expect it to work.
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-26 09:57 UTC
[Bug 1841] Error message if key occurs twice in authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=1841

--- Comment #7 from Anders Liljegren <anders.liljegren at uadm.uu.se> 2010-11-26 20:57:52 EST ---
(In reply to comment #5)

I just remembered why I use the same key on multiple lines in the authorized_keys file. If I want different commands to be executed for different ip addresses, then I can't combine the lines into one.
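Added example, not part of the original thread and not OpenSSH code: a Python audit for the situation in comments #5 to #7, listing keys that appear on several authorized_keys lines and, for a given client, which earlier lines reject it on from= before a later line accepts it. The from= matching is simplified (wildcards and "!" negation, no CIDR), the stop-at-first-accepting-line order is an assumption taken from the report, and the sample key blobs and commands are constructed.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
TOKEN = re.compile(r'(?:[^\s"]|"(?:\\.|[^"])*")+')   # fields, keeping quoted spaces
FROM = re.compile(r'(?:^|,)from="((?:\\.|[^"])*)"')
# Constructed sample: key blobs are placeholders, commands are hypothetical.
SAMPLE = """\
from="anders.its.uu.se",command="/usr/local/bin/backup" ssh-dss AAAAEXAMPLEKEY1 a
ssh-rsa AAAAEXAMPLEKEY2 other
from="anders2.its.uu.se",command="/usr/local/bin/status" ssh-dss AAAAEXAMPLEKEY1 b
"""

def parse(text):
    """Yield (lineno, options, blob) for every key line."""
    for n, line in enumerate(text.splitlines(), 1):
        tok = TOKEN.findall(line)
        if not tok or tok[0].startswith("#"):
            continue
        opts = "" if tok[0].startswith(KEY_TYPES) else tok.pop(0)
        if len(tok) >= 2:
            yield n, opts, tok[1]

def duplicates(text):
    """Map key blob -> [(lineno, options)] for keys listed on several lines."""
    seen = defaultdict(list)
    for n, opts, blob in parse(text):
        seen[blob].append((n, opts))
    return {b: v for b, v in seen.items() if len(v) > 1}

def host_allowed(opts, host, ip):
    """Simplified from= check: '*'/'?' wildcards and '!' negation, no CIDR."""
    m = FROM.search(opts)
    ok = m is None                      # no from= option means no host restriction
    for pat in (m.group(1).lower().split(",") if m else []):
        hit = any(fnmatchcase(x.lower(), pat.lstrip("!")) for x in (host, ip))
        if hit and pat.startswith("!"):
            return False
        ok = ok or hit
    return ok

def rejected_before_match(entries, host, ip):
    """Lines that reject this client before the first line that accepts it."""
    out = []
    for n, opts in entries:
        if host_allowed(opts, host, ip):
            break
        out.append(n)
    return out
```

Each line number returned by rejected_before_match corresponds to one "correct key but not from a permitted host" log entry per evaluation pass, so two per login given the query-then-sign sequence described in comment #5.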
bugzilla-daemon at bugzilla.mindrot.org
2011-Jan-24 01:34 UTC
[Bug 1841] Error message if key occurs twice in authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=1841

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #8 from Damien Miller <djm at mindrot.org> 2011-01-24 12:34:00 EST ---
Move resolved bugs to CLOSED after 5.7 release