openssh bugs - Jul 2012 - [Bug 2027] New: SSH generates misleading errors when using public key authentication

https://bugzilla.mindrot.org/show_bug.cgi?id=2027

          Priority: P5
            Bug ID: 2027
          Assignee: unassigned-bugs at mindrot.org
           Summary: SSH generates misleading errors when using public key
                    authentication
          Severity: normal
    Classification: Unclassified
                OS: Linux
          Reporter: xavier.jodoin at corp.ovh.com
          Hardware: Other
            Status: NEW
           Version: 6.0p1
         Component: sshd
           Product: Portable OpenSSH

Created attachment 2176
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2176&action=edit
message patch

The log message is wrong when you authenticate with a public key and
the account is protected with an ip address.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2027

Gabriel Kerneis <gabriel at kerneis.info> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gabriel at kerneis.info

--- Comment #1 from Gabriel Kerneis <gabriel at kerneis.info> ---
This bug is related to the following issue: 
http://travaux.ovh.net/?do=details&id=7060

The spurious therefore is:
> Authentication tried for root with correct key but not from a permitted
host (host=AAAA, ip=XXXX).
even when the key is *incorrect*, provided there is a "from=" field in
authorized_keys.

The bug is very real, but I'm afraid your patch is wrong:
- First, the spurious message is about identifiying with a key, not a
certificate.  You are patching the wrong warning - at least wrt. to the
issue linked above (there might also be an issue with certificates but
it has not been reported AFAIK).
- Then, even if this were the right warning to patch, you modified the
string to remove the %.100s for the host but you kept pw->pw_name in
logit. It cannot work.
> auth-options.c: In function ?parse_option_list?:
> auth-options.c:518:10: warning: too many arguments for format
[-Wformat-extra-args]
I know there has been a lot of unfortunate buzz about this yesterday,
but this in no excuse to release a patch that has obviously been done
in a hurry and never tested.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2027

Gabriel Kerneis <gabriel at kerneis.info> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Gabriel Kerneis <gabriel at kerneis.info> ---
In fact, this bug has already been fixed in OpenSSH 6.0p1.  It is only
present in 5.5p1 (which is in Debian stable), because
auth_parse_options used to be called before key_equal in
user_key_allowed2 (file auth2-pubkey.c).

In the latest cvs snapshot, I cannot reproduce the bug and key_found is
indeed called before auth_parse_options, which is correct.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2027

Gabriel Kerneis <gabriel at kerneis.info> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |DUPLICATE

--- Comment #3 from Gabriel Kerneis <gabriel at kerneis.info> ---


*** This bug has been marked as a duplicate of bug 1765 ***

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2027

--- Comment #4 from Xavier Jodoin <xavier.jodoin at corp.ovh.com> ---
Thanks for the rapid feedback on this issue. And I confirm it's fix on
the version 6.0p1.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2027

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1

-- 
You are receiving this mail because:
You are watching the assignee of the bug.