Dan Langille
2010-Jul-11 03:05 UTC
Authentication tried for XXX with correct key but not from a permitted host
This is more for the record than asking a specific question.

Today I upgraded a system to FreeBSD 8.1-PRERELEASE. Then I started seeing these messages when I ssh to said box with an ssh-agent enabled connection:

Jul 11 03:43:06 ngaio sshd[30290]: Authentication tried for dan with correct key but not from a permitted host (host=laptop.example.org, ip=10.0.0.100).
Jul 11 03:43:07 ngaio sshd[30290]: Authentication tried for dan with correct key but not from a permitted host (host=laptop.example.org, ip=10.0.0.100).
Jul 11 03:43:07 ngaio sshd[30290]: Accepted publickey for dan from 10.0.0.100 port 53525 ssh2

My questions were:

1 - how do I set a permitted host?
2 - why is the message logged twice?

That asked, I know if I move the key to the top of the ~/.ssh/authorized_keys file, the message is no longer logged. Further investigation reveals that if a line of the form:

from="10..etc"

appears before the key being used to log in, the message will appear.

Solution: move the from= line to the bottom of the file. Ugly, but it works.

--
Dan Langille - http://langille.org/

Matthew Seaman
2010-Jul-11 07:45 UTC
Authentication tried for XXX with correct key but not from a permitted host
On 11/07/2010 04:04:57, Dan Langille wrote:

> That asked, I know if I move the key to the top of the
> ~/.ssh/authorized_keys file, the message is no longer logged. Further
> investigation reveals that if a line of the form:
>
> from="10..etc"
>
> appears before the key being used to log in, the message will appear.

Usually the from='10.0.0.100' tag should be inserted at the beginning of the line for each key it should affect. It shouldn't do anything on a line on its own -- in fact that should be a syntax error. The behaviour you're seeing sounds like something new: it isn't what sshd(8) describes in the section on AUTHORIZED_KEYS FILE FORMAT.

This new behaviour sounds as if it could be quite useful for easing the management of complicated authorised_keys files, but I'd have expected some sort of notice somewhere. I can't see anything relevant in the release notes for OpenSSH for versions 5.0, 5.1, 5.3, 5.3, 5.4 or 5.5 [Eg. http://www.openssh.org/txt/release-5.4 -- 8.1-PRERELEASE has OpenSSH 5.4p1 bundled]. Nor anything in any of the ssh(1), ssh_config(1), sshd(8), sshd_config(8) man pages.

Maybe it's a bug, but one that has fortuitously useful effects.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
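
An added example (not part of either message, and not OpenSSH code): a small Python audit of the per-line layout described in the reply above, where options such as from= prefix the key on the same line. The from= matcher is simplified (wildcards and ! negation only, CIDR notation is not handled), the key blobs, the status names and the short key-type list are assumptions, and the client host and IP are the ones in the log lines of the first message.

```python
import fnmatch
import re

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519")  # types this sketch recognises
FIELD = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')  # one field, quotes may hold blanks

def split_options(line):
    """Return (options, key_fields) for one authorized_keys line."""
    m = FIELD.match(line)
    first = m.group(0) if m else line
    if first in KEY_TYPES:
        return "", line.split()
    return first, line[len(first):].split()

def from_permits(patterns, host, ip):
    """Simplified from= matching: * and ? wildcards; a matching !pattern refuses."""
    allowed = False
    for pat in patterns:
        negated, pat = pat.startswith("!"), pat.lstrip("!")
        hit = fnmatch.fnmatchcase(host.lower(), pat.lower()) or fnmatch.fnmatchcase(ip, pat)
        if hit and negated:
            return False
        allowed = allowed or hit
    return allowed

def audit(text, host, ip):
    """Classify each entry for a client connecting from host/ip."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        options, key = split_options(line)
        m = re.search(r'(?:^|,)from="([^"]*)"', options)
        if len(key) < 2 or key[0] not in KEY_TYPES:
            status = "no-key"  # options with no recognised key on the same line
        elif m is None:
            status = "unrestricted"
        else:
            status = "permitted" if from_permits(m.group(1).split(","), host, ip) else "refused"
        report.append((lineno, status))
    return report

SAMPLE = "\n".join([  # constructed sample; key blobs are placeholders
    'from="10.0.0.5"',
    'from="192.168.1.*,!192.168.1.66" ssh-rsa AAAAPLACEHOLDER1 dan@desktop',
    "ssh-rsa AAAAPLACEHOLDER2 dan@laptop",
    'command="/usr/bin/true",from="*.example.org" ssh-rsa AAAAPLACEHOLDER3 backup',
])
```

Calling audit(SAMPLE, "laptop.example.org", "10.0.0.100") reports the first line as having no key, the second as refused for that client, the third as unrestricted and the fourth as permitted.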