Package: openssh-server
Version: 1:5.5p1-5+b1
Severity: normal

Hi,

I caught log messages in /var/log/auth.log

  ... Authentication tried for test with correct key but not from a permitted host...

for successful login attempts. I have investigated and found that these log messages belong to key options preceding the matched key. The problem occurs only for keys of the same type. So if you are logging in with a dss type key, then only messages generated from the dss key type entries can occur.

There is an example procedure to prove the problem:

# let's generate some 5 ssh keys...
t...@bobek:~/.ssh$ for x in {1..5}; do ssh-keygen -N '' -f id_rsa_$x; done
...
t...@bobek:~/.ssh$ ls -la id_rsa_*
-rw------- 1 test test 1679 Dec 17 13:49 id_rsa_1
-rw-r--r-- 1 test test  392 Dec 17 13:49 id_rsa_1.pub
-rw------- 1 test test 1675 Dec 17 13:49 id_rsa_2
-rw-r--r-- 1 test test  392 Dec 17 13:49 id_rsa_2.pub
-rw------- 1 test test 1679 Dec 17 13:49 id_rsa_3
-rw-r--r-- 1 test test  392 Dec 17 13:49 id_rsa_3.pub
-rw------- 1 test test 1679 Dec 17 13:49 id_rsa_4
-rw-r--r-- 1 test test  392 Dec 17 13:49 id_rsa_4.pub
-rw------- 1 test test 1679 Dec 17 13:49 id_rsa_5
-rw-r--r-- 1 test test  392 Dec 17 13:49 id_rsa_5.pub

# cat all keys to authorized_keys
t...@bobek:~/.ssh$ cat *.pub >authorized_keys
t...@bobek:~/.ssh$ chmod 600 authorized_keys

# insert some from restriction...
from="127.1.1.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDK+GhZmcgupdeJX3tergwOLW8UIeqzFClmTKAFFttNgaaKbUpCu1mrJSU60KbnkFL9cBmljmJBDcXPkIqzU8MKPvO6zA2k1qfSuiwFZrP3nd4Kxc+qPMzK3yo4jBiHSyCnnZrb0GxE1wfYo4V2hTSZKquytIbIFMiXdVOY0GPZM9PyGGywcmStA8H7999OuFsrxGETTD6uKNWU5PFqf3syFZvodJGK8oQN3dUunBubjsrzjnzNPGoAEfFFPTK1dEQHLY4MwakUAXMof1eVN/GFDU1St9DvhX+9PW88lb5UjnnvfQM7As87Au8WpHCV5n7FsSbneTeP9KZfe8St+9a3 t...@bobek
from="127.1.1.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMBi3x1H6+V7mAbzd9rJRkNclNpXfynZi4s4U579Z17HCbOhKdn3lJoL3H1H48id21j+ynN4LXlFRSrtI11AuNiExJVjH2C4oFWrOqHW/4+wGLjFQKBUT+6jjLlVTXvTAOmPn+eKUnP29YBryremjbTTtWbOUovDger5tgl4DeiAsjh9n4hklJzx2zuQkHZNO6M1fuFMJ1f8ujwK8pMQe3MYT32F7fn5rEa48RwA7Z4ooK0N18d0HZ5Z0L+xdu9Rkl0Qo4n+GdEkL1cVTqIKUmVzwD8q1WcX5MeXSrmL3BRlVc6mU200myEwyv35YHnf9XERHAw1LOhsXdsB8lxUin t...@bobek
from="127.1.1.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHfdW6yHWfcnEfptUbXI8iIxS0gZLjdAvxjwPZxU1EctziW/ULdwf+zgZB3a5fNVawpcVfHYswCw33+K+Zr+Dm539mdkERweSBoit8BEY8zqQ/e0qPculUWwunPhnkKyu+g4nzo+Ckc/2tdGM8dLg5RhVzxSGEEEQ3IIOpemjIdsjohUfw8FpDTFCTaHp8raJjj/f8i4/JPfh1H6fQLxUCG/WlllmIJVh/DRjBTi9aPuTUI/zDKALZPhYJ2dPrYG6j8wf6Lir3P0KeEzmiN258y7ujtPgAzvEvlCV1bFf1+izT3BJvKJbfVyJpEFg3CHFHB8dccAVWjOfBjidBZ6Id t...@bobek
from="127.1.1.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC80Lv3Pt+VN8+VsgG1tCbaWSj3SByNzQx/vWKhytPTRl9nqQ1N9qq0u8aG29qFmceEh+Xq4IFMbR319+hoB3nCDQiixm8Q5tw/BAn/N6L/i3ov36XNm7wxTrmHdu06U/S0Szfy2bD+/N+CDmpTcKtdo+MgecFG144IZpjxjQtWO06Q1MRwNAQPUOKGNKBTTR8rGGV5T3iX14k5GwX5cuXZuNN0NcfudHuTPgO+8SjZM0GXUiIFB4mCvq/yprazajlEsn4Tf9h3IcggTXxgXji54Ac9D85Gt/x7+wlc7vk3hGwe0X15E+KoVH0P1fu4dv696OCYqhvaBWD3eaBAQXzh t...@bobek
from="127.0.0.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIdfTAdUgsf1GLdqY3WZDtEudKsb1eN8CWY+l/7OyWcpQABPGIgsohoZuBKA+Ie+bSvA26rVpDbGstVyiQbQ4pX9YkGQHxN+ClsS5EkgZJXnGQuRWJUmrRvHMzpGl1COVtDA9/v83FBdDxRYbuntWSNg4Mh5oa4FUjX7fjbY6F2F7gTnuMZnFaWdv1POAK+HkwG2ABkZhi8WVz6upCyD3HYJ0H794Q2zgj0rrStxR0EbEZ3LOyf3xjhdPEq3Hs1rBMuxmQXkmr0DmYM7YuzizA91SHC1dNpIlDxeXMuy4UlWeHrnM65Tw25+UOOJnKCm4/Hxmhr5hBjg3SaiY3jhaN t...@bobek

# login from localhost using last key (id_rsa_5), so 4 preceding from
# restrictions are applied
t...@bobek:~/.ssh$ ssh -i id_rsa_5 localhost
Linux bobek 2.6.36-trunk-686 #1 SMP Thu Oct 28 14:08:39 UTC 2010 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
t...@bobek:~$

# and see the log output in /var/log/auth
bobek:~# tail -f /var/log/auth.log
...
Dec 17 14:03:10 bobek sshd[2323]: pam_unix(sshd:session): session closed for user test
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Accepted publickey for test from 127.0.0.1 port 42357 ssh2
Dec 17 14:03:12 bobek sshd[3607]: pam_unix(sshd:session): session opened for user test by (uid=0)

All these "...Authentication tried for test with correct key but not from a permitted host..." messages are invalid and very confusing!

This is not only about "from" options. I tried to run sshd by hand with -d, and the authorized_keys option environment="..." also generates them (I have permitted user environment).

debug output on server side:

debug1: Adding to environment: GIT_COMMITTER_NAME=...
debug1: Adding to environment: GIT_COMMITTER_EMAIL=...
debug1: Adding to environment: GIT_COMMITTER_NAME=...
debug1: Adding to environment: GIT_COMMITTER_EMAIL=...

debug output on client side (ssh -v):

debug1: Remote: Adding to environment: GIT_COMMITTER_NAME=...
debug1: Remote: Adding to environment: GIT_COMMITTER_EMAIL=...
debug1: Remote: Adding to environment: GIT_COMMITTER_NAME=...
debug1: Remote: Adding to environment: GIT_COMMITTER_EMAIL=...
debug1: Remote: Your host '...' is not permitted to use this key for login.
debug1: Remote: Your host '...' is not permitted to use this key for login.
debug1: Remote: Adding to environment: GIT_COMMITTER_NAME=...
debug1: Remote: Adding to environment: GIT_COMMITTER_EMAIL=...
debug1: Remote: Adding to environment: GIT_COMMITTER_NAME=...
debug1: Remote: Adding to environment: GIT_COMMITTER_EMAIL=...
debug1: Remote: Your host '...' is not permitted to use this key for login.
debug1: Remote: Your host '...' is not permitted to use this key for login.

Very confusing too.
I already found a mention of this bug in #406987, but its subject is about a different problem, so I filed another bug report.

Thanks for your work.

Best Regards

-- Zito

-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.36-trunk-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser                 3.112+nmu2       add and remove users and groups
ii  debconf [debconf-2.0]   1.5.37           Debian configuration management sy
ii  dpkg                    1.15.8.6         Debian package management system
ii  libc6                   2.11.2-7         Embedded GNU C Library: Shared lib
ii  libcomerr2              1.41.12-2        common error description library
ii  libgssapi-krb5-2        1.8.3+dfsg-4     MIT Kerberos runtime libraries - k
ii  libkrb5-3               1.8.3+dfsg-4     MIT Kerberos runtime libraries
ii  libpam-modules          1.1.1-6.1        Pluggable Authentication Modules f
ii  libpam-runtime          1.1.1-6.1        Runtime support for the PAM librar
ii  libpam0g                1.1.1-6.1        Pluggable Authentication Modules l
ii  libselinux1             2.0.96-1         SELinux runtime shared libraries
ii  libssl0.9.8             0.9.8o-4         SSL shared libraries
ii  libwrap0                7.6.q-19         Wietse Venema's TCP wrappers libra
ii  lsb-base                3.2-26           Linux Standard Base 3.2 init scrip
ii  openssh-blacklist       0.4.1            list of default blacklisted OpenSS
ii  openssh-client          1:5.5p1-5+b1     secure shell (SSH) client, for sec
ii  procps                  1:3.2.8-10       /proc file system utilities
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra 0.4.1            list of non-default blacklisted Op
ii  xauth                   1:1.0.5-1        X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard             <none>           (no description available)
pn  rssh                    <none>           (no description available)
pn  ssh-askpass             <none>           (no description available)
pn  ufw                     <none>           (no description available)

-- debconf information:
  ssh/vulnerable_host_keys:
  ssh/encrypted_host_key_but_no_keygen:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/disable_cr_auth: false

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org