
Bug#406987: authorized_keys from="" syntax doesn't support multiple hosts



Package: openssh-server
Version: 1:4.3p2-8
Severity: normal

If I set up public key authentication between client A and
server S thusly:

    from="client_A_hostname, client_A_IP" <key>...

Connections are only permitted from client A. Good.
However, if I want to also specify a client B:

    from="client_A_hostname, client_A_IP, client_B_hostname, client_B_IP" <key>...

Connections work from client A but not from client B. A
nasty workaround is to specify the authorized_keys line
twice:

    from="client_A_hostname, client_A_IP" <key>...
    from="client_B_hostname, client_B_IP" <key>...

This, however, results in spurious warnings to syslog/auth
when connecting from client B:

    Jan 15 13:35:31 server_S_hostname sshd[24070]:
    Authentication tried for root with correct key but not
    from a permitted host (host=client_B_hostname,
    ip=::ffff:client_B_IP).

These warnings are generated by the first authorized_keys
line failing.

Either

    a) the openssh documentation is right, multiple hosts
       should be able to be specified in the from="" stuff
       and the fact they aren't is a bug

    b) the openssh documentation is wrong, you should
       specify multiple lines, one per host, and ideally
       it shouldn't mutter about right key / wrong host if
       there is at least one right key / right host match.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-amd64
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages openssh-server depends on:
ii  adduser  3.101                           Add and remove users and groups
ii  debconf  1.5.11                          Debian configuration management sy
ii  dpkg     1.13.25                         package maintenance system for Deb
ii  libc6    2.3.6.ds1-9                     GNU C Library: Shared libraries
ii  libcomer 1.39+1.40-WIP-2006.11.14+dfsg-1 common error description library
ii  libkrb53 1.4.4-5                         MIT Kerberos runtime libraries
ii  libpam-m 0.79-4                          Pluggable Authentication Modules f
ii  libpam-r 0.79-4                          Runtime support for the PAM librar
ii  libpam0g 0.79-4                          Pluggable Authentication Modules l
ii  libselin 1.32-3                          SELinux shared libraries
ii  libssl0. 0.9.8c-4                        SSL shared libraries
ii  libwrap0 7.6.dbs-11                      Wietse Venema's TCP wrappers libra
ii  openssh- 1:4.3p2-8                       Secure shell client, an rlogin/rsh
ii  zlib1g   1:1.2.3-13                      compression library - runtime

openssh-server recommends no packages.

-- debconf information:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/encrypted_host_key_but_no_keygen:
  ssh/disable_cr_auth: false
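
An added example, not part of the original report and not OpenSSH code: a Python check that reproduces the symptom on the report's own from="" line. It assumes sshd splits the list on commas only and does not trim whitespace, so a pattern written after ", " keeps its leading space and cannot match; the function names and sample lines are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample lines modelled on the report; key material is a placeholder.
SAMPLE = '''\
from="client_A_hostname, client_A_IP, client_B_hostname, client_B_IP" ssh-rsa AAAA...placeholder root@example
from="client_A_hostname,client_A_IP,client_B_hostname,client_B_IP" ssh-rsa AAAA...placeholder root@example
'''

# The from="..." option in the leading options field of an authorized_keys line.
FROM_RE = re.compile(r'(?:^|,)from="((?:[^"\\]|\\.)*)"')

def from_patterns(line):
    """Return the raw comma-separated from="" patterns, whitespace preserved."""
    m = FROM_RE.search(line.strip())
    return m.group(1).split(",") if m else []

def whitespace_patterns(line):
    """Patterns carrying leading/trailing whitespace (assumed never to match)."""
    return [p for p in from_patterns(line) if p != p.strip()]

def host_allowed(patterns, host, ip):
    """Approximation of the host check: a negated match denies, any match allows.

    Assumption: patterns are compared verbatim with * and ? wildcards;
    fnmatch is used as a stand-in for sshd's own matcher.
    """
    allowed = False
    for pat in patterns:
        negated = pat.startswith("!")
        body = pat[1:] if negated else pat
        hit = fnmatchcase(host.lower(), body.lower()) or fnmatchcase(ip, body)
        if hit and negated:
            return False
        allowed = allowed or hit
    return allowed

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE.splitlines(), 1):
        pats = from_patterns(line)
        print(f"line {n}: suspicious patterns: {whitespace_patterns(line)!r}")
        for host, ip in (("client_A_hostname", "192.0.2.10"),
                         ("client_B_hostname", "192.0.2.20")):
            print(f"  {host}: allowed={host_allowed(pats, host, ip)}")
```

Run over a real authorized_keys file, any non-empty result from `whitespace_patterns` marks a from="" entry worth rewriting without spaces.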



