
Bug#607369: authorized_keys: key options on items preceding match key generates false log output



Package: openssh-server
Version: 1:5.5p1-5+b1
Severity: normal

Hi,
I caught these log messages in /var/log/auth.log

... Authentication tried for test with correct key but not from a permitted host...

for successful login attempts. I have investigated and found that these log
messages belong to key options preceding the matched key. The problem
occurs only for keys of the same type. So if you are logging in with a dss
type key, then only messages generated from the dss key type entries can
occur.

Here is an example procedure that demonstrates the problem:

# let's generate 5 ssh keys...

    test@bobek:~/.ssh$ for x in {1..5}; do ssh-keygen -N '' -f id_rsa_$x; done
    ...
    test@bobek:~/.ssh$ ls -la id_rsa_*
    -rw------- 1 test test 1679 Dec 17 13:49 id_rsa_1
    -rw-r--r-- 1 test test  392 Dec 17 13:49 id_rsa_1.pub
    -rw------- 1 test test 1675 Dec 17 13:49 id_rsa_2
    -rw-r--r-- 1 test test  392 Dec 17 13:49 id_rsa_2.pub
    -rw------- 1 test test 1679 Dec 17 13:49 id_rsa_3
    -rw-r--r-- 1 test test  392 Dec 17 13:49 id_rsa_3.pub
    -rw------- 1 test test 1679 Dec 17 13:49 id_rsa_4
    -rw-r--r-- 1 test test  392 Dec 17 13:49 id_rsa_4.pub
    -rw------- 1 test test 1679 Dec 17 13:49 id_rsa_5
    -rw-r--r-- 1 test test  392 Dec 17 13:49 id_rsa_5.pub

# cat all keys into authorized_keys

    test@bobek:~/.ssh$ cat *.pub >authorized_keys
    test@bobek:~/.ssh$ chmod 600 authorized_keys

# insert some from= restrictions...

    from="127.1.1.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDK+GhZmcgupdeJX3tergwOLW8UIeqzFClmTKAFFttNgaaKbUpCu1mrJSU60KbnkFL9cBmljmJBDcXPkIqzU8MKPvO6zA2k1qfSuiwFZrP3nd4Kxc+qPMzK3yo4jBiHSyCnnZrb0GxE1wfYo4V2hTSZKquytIbIFMiXdVOY0GPZM9PyGGywcmStA8H7999OuFsrxGETTD6uKNWU5PFqf3syFZvodJGK8oQN3dUunBubjsrzjnzNPGoAEfFFPTK1dEQHLY4MwakUAXMof1eVN/GFDU1St9DvhX+9PW88lb5UjnnvfQM7As87Au8WpHCV5n7FsSbneTeP9KZfe8St+9a3 test@bobek
    from="127.1.1.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMBi3x1H6+V7mAbzd9rJRkNclNpXfynZi4s4U579Z17HCbOhKdn3lJoL3H1H48id21j+ynN4LXlFRSrtI11AuNiExJVjH2C4oFWrOqHW/4+wGLjFQKBUT+6jjLlVTXvTAOmPn+eKUnP29YBryremjbTTtWbOUovDger5tgl4DeiAsjh9n4hklJzx2zuQkHZNO6M1fuFMJ1f8ujwK8pMQe3MYT32F7fn5rEa48RwA7Z4ooK0N18d0HZ5Z0L+xdu9Rkl0Qo4n+GdEkL1cVTqIKUmVzwD8q1WcX5MeXSrmL3BRlVc6mU200myEwyv35YHnf9XERHAw1LOhsXdsB8lxUin test@bobek
    from="127.1.1.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHfdW6yHWfcnEfptUbXI8iIxS0gZLjdAvxjwPZxU1EctziW/ULdwf+zgZB3a5fNVawpcVfHYswCw33+K+Zr+Dm539mdkERweSBoit8BEY8zqQ/e0qPculUWwunPhnkKyu+g4nzo+Ckc/2tdGM8dLg5RhVzxSGEEEQ3IIOpemjIdsjohUfw8FpDTFCTaHp8raJjj/f8i4/JPfh1H6fQLxUCG/WlllmIJVh/DRjBTi9aPuTUI/zDKALZPhYJ2dPrYG6j8wf6Lir3P0KeEzmiN258y7ujtPgAzvEvlCV1bFf1+izT3BJvKJbfVyJpEFg3CHFHB8dccAVWjOfBjidBZ6Id test@bobek
    from="127.1.1.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC80Lv3Pt+VN8+VsgG1tCbaWSj3SByNzQx/vWKhytPTRl9nqQ1N9qq0u8aG29qFmceEh+Xq4IFMbR319+hoB3nCDQiixm8Q5tw/BAn/N6L/i3ov36XNm7wxTrmHdu06U/S0Szfy2bD+/N+CDmpTcKtdo+MgecFG144IZpjxjQtWO06Q1MRwNAQPUOKGNKBTTR8rGGV5T3iX14k5GwX5cuXZuNN0NcfudHuTPgO+8SjZM0GXUiIFB4mCvq/yprazajlEsn4Tf9h3IcggTXxgXji54Ac9D85Gt/x7+wlc7vk3hGwe0X15E+KoVH0P1fu4dv696OCYqhvaBWD3eaBAQXzh test@bobek
    from="127.0.0.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIdfTAdUgsf1GLdqY3WZDtEudKsb1eN8CWY+l/7OyWcpQABPGIgsohoZuBKA+Ie+bSvA26rVpDbGstVyiQbQ4pX9YkGQHxN+ClsS5EkgZJXnGQuRWJUmrRvHMzpGl1COVtDA9/v83FBdDxRYbuntWSNg4Mh5oa4FUjX7fjbY6F2F7gTnuMZnFaWdv1POAK+HkwG2ABkZhi8WVz6upCyD3HYJ0H794Q2zgj0rrStxR0EbEZ3LOyf3xjhdPEq3Hs1rBMuxmQXkmr0DmYM7YuzizA91SHC1dNpIlDxeXMuy4UlWeHrnM65Tw25+UOOJnKCm4/Hxmhr5hBjg3SaiY3jhaN test@bobek


# log in from localhost using the last key (id_rsa_5), so the 4 preceding
# from= restrictions are applied

    test@bobek:~/.ssh$ ssh -i id_rsa_5 localhost
    Linux bobek 2.6.36-trunk-686 #1 SMP Thu Oct 28 14:08:39 UTC 2010 i686

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    test@bobek:~$ 


# and see the log output in /var/log/auth.log

    bobek:~# tail -f /var/log/auth.log
    ...
    Dec 17 14:03:10 bobek sshd[2323]: pam_unix(sshd:session): session closed for user test
    Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
    Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
    Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
    Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
    Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
    Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
    Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
    Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
    Dec 17 14:03:12 bobek sshd[3607]: Accepted publickey for test from 127.0.0.1 port 42357 ssh2
    Dec 17 14:03:12 bobek sshd[3607]: pam_unix(sshd:session): session opened for user test by (uid=0)


All these "...Authentication tried for test with correct key but not from
a permitted host..." messages are invalid and very confusing!

This is not only about "from" options. I tried to run sshd by hand
with -d, and the authorized_keys option environment="..." also generates
output (I have PermitUserEnvironment enabled).

Debug output on the server side:
    debug1: Adding to environment: GIT_COMMITTER_NAME=...
    debug1: Adding to environment: GIT_COMMITTER_EMAIL=...
    debug1: Adding to environment: GIT_COMMITTER_NAME=...
    debug1: Adding to environment: GIT_COMMITTER_EMAIL=...

Debug output on the client side (ssh -v):
    debug1: Remote: Adding to environment: GIT_COMMITTER_NAME=...
    debug1: Remote: Adding to environment: GIT_COMMITTER_EMAIL=...
    debug1: Remote: Adding to environment: GIT_COMMITTER_NAME=...
    debug1: Remote: Adding to environment: GIT_COMMITTER_EMAIL=...
    debug1: Remote: Your host '...' is not permitted to use this key for login.
    debug1: Remote: Your host '...' is not permitted to use this key for login.
    debug1: Remote: Adding to environment: GIT_COMMITTER_NAME=...
    debug1: Remote: Adding to environment: GIT_COMMITTER_EMAIL=...
    debug1: Remote: Adding to environment: GIT_COMMITTER_NAME=...
    debug1: Remote: Adding to environment: GIT_COMMITTER_EMAIL=...
    debug1: Remote: Your host '...' is not permitted to use this key for login.
    debug1: Remote: Your host '...' is not permitted to use this key for login.


Very confusing too.

I already found a mention of this bug in #406987, but its subject is
about a different problem, so I am filing another bug report.

Thanks for your work.
Best Regards
-- 
Zito


-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.36-trunk-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser                 3.112+nmu2       add and remove users and groups
ii  debconf [debconf-2.0]   1.5.37           Debian configuration management sy
ii  dpkg                    1.15.8.6         Debian package management system
ii  libc6                   2.11.2-7         Embedded GNU C Library: Shared lib
ii  libcomerr2              1.41.12-2        common error description library
ii  libgssapi-krb5-2        1.8.3+dfsg-4     MIT Kerberos runtime libraries - k
ii  libkrb5-3               1.8.3+dfsg-4     MIT Kerberos runtime libraries
ii  libpam-modules          1.1.1-6.1        Pluggable Authentication Modules f
ii  libpam-runtime          1.1.1-6.1        Runtime support for the PAM librar
ii  libpam0g                1.1.1-6.1        Pluggable Authentication Modules l
ii  libselinux1             2.0.96-1         SELinux runtime shared libraries
ii  libssl0.9.8             0.9.8o-4         SSL shared libraries
ii  libwrap0                7.6.q-19         Wietse Venema's TCP wrappers libra
ii  lsb-base                3.2-26           Linux Standard Base 3.2 init scrip
ii  openssh-blacklist       0.4.1            list of default blacklisted OpenSS
ii  openssh-client          1:5.5p1-5+b1     secure shell (SSH) client, for sec
ii  procps                  1:3.2.8-10       /proc file system utilities
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.5-1  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                   <none>     (no description available)
pn  rssh                          <none>     (no description available)
pn  ssh-askpass                   <none>     (no description available)
pn  ufw                           <none>     (no description available)

-- debconf information:
  ssh/vulnerable_host_keys:
  ssh/encrypted_host_key_but_no_keygen:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/disable_cr_auth: false
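
Added illustration (editor's note, not part of the original report and not OpenSSH source): a small Python model of the order in which sshd walks authorized_keys, inferred from the log output above. It reproduces the report's scenario (four same-type entries with a non-matching from= clause ahead of the key that is actually offered) under two evaluation orders: options evaluated before the offered key is compared, which yields the eight misleading lines seen in auth.log, and key compared first, which yields none while still logging the message for a genuinely correct key presented from a disallowed host. The double count per entry is explained by the publickey method walking the file twice, once for the client's "is this key acceptable" query and once for the signed attempt. The authorized_keys content, key blobs, IP addresses and the simplified from= matching (no hostname matching, no "!" negation) are constructed for the example.

```python
import re
from fnmatch import fnmatch

# Constructed authorized_keys mirroring the report: four ssh-rsa entries
# restricted to 127.1.1.1, the offered key restricted to 127.0.0.1, plus one
# ssh-dss entry to show that other key types never reach option parsing.
# Key blobs are placeholders, not real keys.
AUTHORIZED_KEYS = """\
from="127.1.1.1" ssh-rsa KEY1 test@bobek
from="127.1.1.1" ssh-rsa KEY2 test@bobek
from="127.1.1.1" ssh-rsa KEY3 test@bobek
from="127.1.1.1" ssh-rsa KEY4 test@bobek
from="127.0.0.1" ssh-rsa KEY5 test@bobek
from="127.1.1.1" ssh-dss DSAKEY test@bobek
"""

NOT_PERMITTED = ("Authentication tried for test with correct key but not "
                 "from a permitted host (host=localhost.localdomain, ip={ip}).")


def skip_options(line):
    """Split off the leading option field: scan to the first whitespace
    that is not inside double quotes (from="a,b",no-pty stays intact)."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
    return line, ""


def read_key(text, want_type):
    """Stand-in for the key parser: returns the blob only when the entry's
    key type equals the offered key's type, otherwise None."""
    parts = text.split(None, 2)
    if len(parts) >= 2 and parts[0] == want_type:
        return parts[1]
    return None


def host_permitted(opts, client_ip):
    """Evaluate a from="pat,pat" clause against the client IP (simplified:
    the real option also matches the hostname and supports '!' negation)."""
    m = re.search(r'from="([^"]*)"', opts)
    if m is None:
        return True
    return any(fnmatch(client_ip, p) for p in m.group(1).split(","))


def user_key_allowed(offered_type, offered_blob, client_ip, compare_key_first):
    """One pass over authorized_keys; returns (accepted, log_lines).
    compare_key_first=False models the order behind the report: options are
    evaluated (and logged) before the offered key is compared, so every
    preceding same-type entry with a non-matching from= clause logs.
    compare_key_first=True compares the key first, so only the entry that
    really matches can produce the message."""
    log = []
    for raw in AUTHORIZED_KEYS.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, blob = "", read_key(line, offered_type)
        if blob is None:                       # line starts with options
            opts, rest = skip_options(line)
            blob = read_key(rest, offered_type)
            if blob is None:                   # other key type: skipped silently
                continue
        if compare_key_first and blob != offered_blob:
            continue
        if not host_permitted(opts, client_ip):
            log.append(NOT_PERMITTED.format(ip=client_ip))
            continue
        if blob == offered_blob:
            return True, log
    return False, log


def publickey_auth(offered_type, offered_blob, client_ip, compare_key_first):
    """The client first asks whether the key is acceptable (no signature),
    then authenticates with a signature; the file is walked both times,
    which doubles every message for an accepted key."""
    ok, log = user_key_allowed(offered_type, offered_blob, client_ip, compare_key_first)
    if not ok:
        return False, log
    ok, log2 = user_key_allowed(offered_type, offered_blob, client_ip, compare_key_first)
    return ok, log + log2


def spurious_count(compare_key_first):
    """Misleading lines for the report's scenario: KEY5 offered from 127.0.0.1."""
    ok, log = publickey_auth("ssh-rsa", "KEY5", "127.0.0.1", compare_key_first)
    assert ok, "the offered key is valid for this host"
    return sum(1 for entry in log if "not from a permitted host" in entry)


if __name__ == "__main__":
    print("options-first order:", spurious_count(False), "misleading lines")
    print("key-first order:    ", spurious_count(True), "misleading lines")
```

The practical takeaway for anyone alerting on this message: until the evaluation order is fixed, a run of "not from a permitted host" lines followed within the same sshd PID by "Accepted publickey" is noise from earlier entries in the file, not evidence that the accepted key was also tried from elsewhere. Only the key-first order lets the line be trusted, as the case of KEY5 offered from an unlisted address shows.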