
Bug#456672: marked as done (openssh-server: authorized_keys from= restriction doesn't handle multiple in-addr.arpa PTR records)



Your message dated Mon, 16 Feb 2009 10:59:48 +0900
with message-id <s9w3aef5egb.wl%takaki@asis.media-as.org>
and subject line Re: openssh-server: authorized_keys from= doesn't loop around hostnames
has caused the Debian Bug report #456672,
regarding openssh-server: authorized_keys from= restriction doesn't handle multiple in-addr.arpa PTR records
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
456672: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=456672
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:4.3p2-9.1

I used the authorized_keys "from=" option to restrict access, and get
the following:

|Dec 17 03:55:03 moe sshd[13282]: Authentication tried for backup with
|correct key but not from a permitted host (host=smtp.quoininc.com,
|ip=64.191.84.165).

The machine in question has multiple PTR records:
165.84.191.64.in-addr.arpa domain name pointer smtp.quoininc.com.
165.84.191.64.in-addr.arpa domain name pointer domain.quoininc.com.
165.84.191.64.in-addr.arpa domain name pointer nyuk.quoininc.com.

So the connection fails 2/3 times.  I think openssh should loop around
all the hostnames/aliasen and fail only if a string comparison fails
every time.



--- End Message ---
--- Begin Message ---
> From: Justin Pryzby <jpryzby+d@quoininc.com>
> To: submit@bugs.debian.org
> Subject: openssh-server: authorized_keys from= doesn't loop around hostnames
> Date: Mon, 17 Dec 2007 09:20:52 -0500
> Package: openssh-server
> Version: 1:4.3p2-9.1
> 
> I used the authorized_keys "from=" option to restrict access, and get
> the following:
> 
> |Dec 17 03:55:03 moe sshd[13282]: Authentication tried for backup with
> |correct key but not from a permitted host (host=smtp.quoininc.com,
> |ip=64.191.84.165).
> 
> The machine in question has multiple PTR records:
> 165.84.191.64.in-addr.arpa domain name pointer smtp.quoininc.com.
> 165.84.191.64.in-addr.arpa domain name pointer domain.quoininc.com.
> 165.84.191.64.in-addr.arpa domain name pointer nyuk.quoininc.com.
> 
> So the connection fails 2/3 times.  I think openssh should loop around
> all the hostnames/aliasen and fail only if a string comparison fails
> every time.

This is not an ssh problem. There is no assurance that the DNS server
replies with a round-robin response rule. The DNS server is allowed to
always respond "domain.quoininc.com" every day, or only on Monday, or never.

I can't understand the necessity of multiple PTR records, but if you need
them, you should use multiple "from=". Indeed, add
from="smtp.quoininc.com,domain.quoininc.com,nyuk.quoininc.com".

Thanks,
Takaki


--- End Message ---
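
Added example (not part of the thread and not OpenSSH's code): a simplified Python model of the from= pattern-list check, run against the three PTR names from the report. It shows that a single-name list passes for only one of the three possible reverse-lookup answers, while the three-name list from the reply, or the address itself, passes for all of them. The function names and the single-name entry are assumptions; CIDR address patterns are not modelled.

```python
import re

# PTR names and address taken from the bug report above.
PTR_NAMES = ["smtp.quoininc.com", "domain.quoininc.com", "nyuk.quoininc.com"]
IP = "64.191.84.165"


def _glob(pattern, value):
    # Only '*' and '?' are wildcards here; comparison is case-insensitive.
    rx = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(rx, value, re.IGNORECASE) is not None


def from_allows(pattern_list, host, ip):
    """Simplified from="pattern-list" check (hypothetical helper).

    Access is allowed when at least one positive pattern matches the host
    name or the address and no '!'-negated pattern matches either of them.
    """
    allowed = False
    for raw in pattern_list.split(","):
        pat = raw.strip()
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        hit = _glob(pat, host) or _glob(pat, ip)
        if hit and negated:
            return False
        allowed = allowed or hit
    return allowed


def accepted_names(pattern_list):
    """PTR answers that pass the check if the resolver returns that one name."""
    return [n for n in PTR_NAMES if from_allows(pattern_list, n, IP)]


if __name__ == "__main__":
    candidates = [
        "domain.quoininc.com",  # constructed single-name entry (assumption)
        "smtp.quoininc.com,domain.quoininc.com,nyuk.quoininc.com",  # from the reply
        IP,  # matching on the address does not depend on the PTR answer
    ]
    for plist in candidates:
        ok = accepted_names(plist)
        print(f'from="{plist}": {len(ok)}/{len(PTR_NAMES)} PTR answers accepted')
```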
