Bug#406987: authorized_keys from="" syntax doesn't support multiple hosts
Package: openssh-server
Version: 1:4.3p2-8
Severity: normal
If I setup public key authentication between client A and
server S thusly:
from="client_A_hostname, client_A_IP" <key>...
Connections are only permitted from client A. Good.
However, if I want to also specify a client B:
from="client_A_hostname, client_A_IP, client_B_hostname, client_B_IP" <key>...
Connections work from client A but not from client B. A
nasty workaround is to specify the authorized_key line
twice:
from="client_A_hostname, client_A_IP" <key>...
from="client_B_hostname, client_B_IP" <key>...
This, however, results in spurious warnings to syslog/auth
when connecting from client B:
Jan 15 13:35:31 server_S_hostname sshd[24070]:
Authentication tried for root with correct key but not
from a permitted host (host=client_B_hostname,
ip=::ffff:client_B_IP).
These warnings are generated by the first authorized_keys
line failing.
Either
a) the openssh documentation is right, multiple hosts
should be able to be specified in the from="" stuff
and the fact they aren't is a bug
b) the openssh documentation is wrong, you should
specify multiple lines, one per host, and ideally
it shouldn't mutter about right key / wrong host if
there is at least one right key / right host match.
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-amd64
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Versions of packages openssh-server depends on:
ii adduser 3.101 Add and remove users and groups
ii debconf 1.5.11 Debian configuration management sy
ii dpkg 1.13.25 package maintenance system for Deb
ii libc6 2.3.6.ds1-9 GNU C Library: Shared libraries
ii libcomer 1.39+1.40-WIP-2006.11.14+dfsg-1 common error description library
ii libkrb53 1.4.4-5 MIT Kerberos runtime libraries
ii libpam-m 0.79-4 Pluggable Authentication Modules f
ii libpam-r 0.79-4 Runtime support for the PAM librar
ii libpam0g 0.79-4 Pluggable Authentication Modules l
ii libselin 1.32-3 SELinux shared libraries
ii libssl0. 0.9.8c-4 SSL shared libraries
ii libwrap0 7.6.dbs-11 Wietse Venema's TCP wrappers libra
ii openssh- 1:4.3p2-8 Secure shell client, an rlogin/rsh
ii zlib1g 1:1.2.3-13 compression library - runtime
openssh-server recommends no packages.
-- debconf information:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/encrypted_host_key_but_no_keygen:
ssh/disable_cr_auth: false
Reply to: