Bug#607369: authorized_keys: key options on items preceding match key generates false log output
Package: openssh-server
Version: 1:5.5p1-5+b1
Severity: normal
Hi,
I caught log messages in /var/log/auth.log
... Authentication tried for test with correct key but not from a permitted host...
for successful login attempts. I have investigated and found that these log
messages belong to key options preceding the matched key. The problem
occurs only for keys of the same type. So if you are logging in with a dss
type key, then only messages generated from the dss key type entries can
occur.
Here is an example procedure to prove the problem:
# let's generate some 5 ssh keys...
test@bobek:~/.ssh$ for x in {1..5}; do ssh-keygen -N '' -f id_rsa_$x; done
...
test@bobek:~/.ssh$ ls -la id_rsa_*
-rw------- 1 test test 1679 Dec 17 13:49 id_rsa_1
-rw-r--r-- 1 test test 392 Dec 17 13:49 id_rsa_1.pub
-rw------- 1 test test 1675 Dec 17 13:49 id_rsa_2
-rw-r--r-- 1 test test 392 Dec 17 13:49 id_rsa_2.pub
-rw------- 1 test test 1679 Dec 17 13:49 id_rsa_3
-rw-r--r-- 1 test test 392 Dec 17 13:49 id_rsa_3.pub
-rw------- 1 test test 1679 Dec 17 13:49 id_rsa_4
-rw-r--r-- 1 test test 392 Dec 17 13:49 id_rsa_4.pub
-rw------- 1 test test 1679 Dec 17 13:49 id_rsa_5
-rw-r--r-- 1 test test 392 Dec 17 13:49 id_rsa_5.pub
# cat all keys to authorized_keys
test@bobek:~/.ssh$ cat *.pub >authorized_keys
test@bobek:~/.ssh$ chmod 600 authorized_keys
# insert some from= restrictions...
from="127.1.1.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDK+GhZmcgupdeJX3tergwOLW8UIeqzFClmTKAFFttNgaaKbUpCu1mrJSU60KbnkFL9cBmljmJBDcXPkIqzU8MKPvO6zA2k1qfSuiwFZrP3nd4Kxc+qPMzK3yo4jBiHSyCnnZrb0GxE1wfYo4V2hTSZKquytIbIFMiXdVOY0GPZM9PyGGywcmStA8H7999OuFsrxGETTD6uKNWU5PFqf3syFZvodJGK8oQN3dUunBubjsrzjnzNPGoAEfFFPTK1dEQHLY4MwakUAXMof1eVN/GFDU1St9DvhX+9PW88lb5UjnnvfQM7As87Au8WpHCV5n7FsSbneTeP9KZfe8St+9a3 test@bobek
from="127.1.1.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMBi3x1H6+V7mAbzd9rJRkNclNpXfynZi4s4U579Z17HCbOhKdn3lJoL3H1H48id21j+ynN4LXlFRSrtI11AuNiExJVjH2C4oFWrOqHW/4+wGLjFQKBUT+6jjLlVTXvTAOmPn+eKUnP29YBryremjbTTtWbOUovDger5tgl4DeiAsjh9n4hklJzx2zuQkHZNO6M1fuFMJ1f8ujwK8pMQe3MYT32F7fn5rEa48RwA7Z4ooK0N18d0HZ5Z0L+xdu9Rkl0Qo4n+GdEkL1cVTqIKUmVzwD8q1WcX5MeXSrmL3BRlVc6mU200myEwyv35YHnf9XERHAw1LOhsXdsB8lxUin test@bobek
from="127.1.1.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHfdW6yHWfcnEfptUbXI8iIxS0gZLjdAvxjwPZxU1EctziW/ULdwf+zgZB3a5fNVawpcVfHYswCw33+K+Zr+Dm539mdkERweSBoit8BEY8zqQ/e0qPculUWwunPhnkKyu+g4nzo+Ckc/2tdGM8dLg5RhVzxSGEEEQ3IIOpemjIdsjohUfw8FpDTFCTaHp8raJjj/f8i4/JPfh1H6fQLxUCG/WlllmIJVh/DRjBTi9aPuTUI/zDKALZPhYJ2dPrYG6j8wf6Lir3P0KeEzmiN258y7ujtPgAzvEvlCV1bFf1+izT3BJvKJbfVyJpEFg3CHFHB8dccAVWjOfBjidBZ6Id test@bobek
from="127.1.1.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC80Lv3Pt+VN8+VsgG1tCbaWSj3SByNzQx/vWKhytPTRl9nqQ1N9qq0u8aG29qFmceEh+Xq4IFMbR319+hoB3nCDQiixm8Q5tw/BAn/N6L/i3ov36XNm7wxTrmHdu06U/S0Szfy2bD+/N+CDmpTcKtdo+MgecFG144IZpjxjQtWO06Q1MRwNAQPUOKGNKBTTR8rGGV5T3iX14k5GwX5cuXZuNN0NcfudHuTPgO+8SjZM0GXUiIFB4mCvq/yprazajlEsn4Tf9h3IcggTXxgXji54Ac9D85Gt/x7+wlc7vk3hGwe0X15E+KoVH0P1fu4dv696OCYqhvaBWD3eaBAQXzh test@bobek
from="127.0.0.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIdfTAdUgsf1GLdqY3WZDtEudKsb1eN8CWY+l/7OyWcpQABPGIgsohoZuBKA+Ie+bSvA26rVpDbGstVyiQbQ4pX9YkGQHxN+ClsS5EkgZJXnGQuRWJUmrRvHMzpGl1COVtDA9/v83FBdDxRYbuntWSNg4Mh5oa4FUjX7fjbY6F2F7gTnuMZnFaWdv1POAK+HkwG2ABkZhi8WVz6upCyD3HYJ0H794Q2zgj0rrStxR0EbEZ3LOyf3xjhdPEq3Hs1rBMuxmQXkmr0DmYM7YuzizA91SHC1dNpIlDxeXMuy4UlWeHrnM65Tw25+UOOJnKCm4/Hxmhr5hBjg3SaiY3jhaN test@bobek
# log in from localhost using the last key (id_rsa_5), so the 4 preceding
# from= restrictions are applied
test@bobek:~/.ssh$ ssh -i id_rsa_5 localhost
Linux bobek 2.6.36-trunk-686 #1 SMP Thu Oct 28 14:08:39 UTC 2010 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
test@bobek:~$
# and see the log output in /var/log/auth.log
bobek:~# tail -f /var/log/auth.log
...
Dec 17 14:03:10 bobek sshd[2323]: pam_unix(sshd:session): session closed for user test
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Accepted publickey for test from 127.0.0.1 port 42357 ssh2
Dec 17 14:03:12 bobek sshd[3607]: pam_unix(sshd:session): session opened for user test by (uid=0)
All these "...Authentication tried for test with correct key but not from
a permitted host..." messages are invalid and very confusing!
This is not only about "from" options. I tried to run sshd by hand
with -d, and authorized_keys options environment="..." also generate such
messages (I have permitted user environment).
Debug output on the server side:
debug1: Adding to environment: GIT_COMMITTER_NAME=...
debug1: Adding to environment: GIT_COMMITTER_EMAIL=...
debug1: Adding to environment: GIT_COMMITTER_NAME=...
debug1: Adding to environment: GIT_COMMITTER_EMAIL=...
Debug output on the client side (ssh -v):
debug1: Remote: Adding to environment: GIT_COMMITTER_NAME=...
debug1: Remote: Adding to environment: GIT_COMMITTER_EMAIL=...
debug1: Remote: Adding to environment: GIT_COMMITTER_NAME=...
debug1: Remote: Adding to environment: GIT_COMMITTER_EMAIL=...
debug1: Remote: Your host '...' is not permitted to use this key for login.
debug1: Remote: Your host '...' is not permitted to use this key for login.
debug1: Remote: Adding to environment: GIT_COMMITTER_NAME=...
debug1: Remote: Adding to environment: GIT_COMMITTER_EMAIL=...
debug1: Remote: Adding to environment: GIT_COMMITTER_NAME=...
debug1: Remote: Adding to environment: GIT_COMMITTER_EMAIL=...
debug1: Remote: Your host '...' is not permitted to use this key for login.
debug1: Remote: Your host '...' is not permitted to use this key for login.
Very confusing too.
I already found a mention of this bug in #406987, but its subject is
about a different problem, so I am filing another bug report.
Thanks for your work.
Best Regards
--
Zito
-- System Information:
Debian Release: 6.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.36-trunk-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssh-server depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii debconf [debconf-2.0] 1.5.37 Debian configuration management sy
ii dpkg 1.15.8.6 Debian package management system
ii libc6 2.11.2-7 Embedded GNU C Library: Shared lib
ii libcomerr2 1.41.12-2 common error description library
ii libgssapi-krb5-2 1.8.3+dfsg-4 MIT Kerberos runtime libraries - k
ii libkrb5-3 1.8.3+dfsg-4 MIT Kerberos runtime libraries
ii libpam-modules 1.1.1-6.1 Pluggable Authentication Modules f
ii libpam-runtime 1.1.1-6.1 Runtime support for the PAM librar
ii libpam0g 1.1.1-6.1 Pluggable Authentication Modules l
ii libselinux1 2.0.96-1 SELinux runtime shared libraries
ii libssl0.9.8 0.9.8o-4 SSL shared libraries
ii libwrap0 7.6.q-19 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-26 Linux Standard Base 3.2 init scrip
ii openssh-blacklist 0.4.1 list of default blacklisted OpenSS
ii openssh-client 1:5.5p1-5+b1 secure shell (SSH) client, for sec
ii procps 1:3.2.8-10 /proc file system utilities
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages openssh-server recommends:
ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted Op
ii xauth 1:1.0.5-1 X authentication utility
Versions of packages openssh-server suggests:
pn molly-guard <none> (no description available)
pn rssh <none> (no description available)
pn ssh-askpass <none> (no description available)
pn ufw <none> (no description available)
-- debconf information:
ssh/vulnerable_host_keys:
ssh/encrypted_host_key_but_no_keygen:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/disable_cr_auth: false
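The report shows that a successful login can be preceded, within the same sshd process, by several "not from a permitted host" messages caused only by from= options on earlier same-type keys. The following log triage script is an added example, not part of the bug report or of OpenSSH; it groups auth.log lines by sshd PID and separates such spurious messages (followed by an "Accepted publickey" for the same user and IP) from genuine rejections that deserve attention. The sample log is constructed here, modelled on the excerpt above.

```python
import re
from collections import defaultdict

# Constructed sample (not the report's own lines): pid 3607 is a successful
# login preceded by spurious messages, pid 4100 is a genuine rejection.
SAMPLE_LOG = """\
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Accepted publickey for test from 127.0.0.1 port 42357 ssh2
Dec 17 14:05:40 bobek sshd[4100]: Authentication tried for test with correct key but not from a permitted host (host=evil.example, ip=203.0.113.9).
Dec 17 14:05:41 bobek sshd[4100]: Connection closed by 203.0.113.9
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
NOT_PERMITTED_RE = re.compile(
    r"^Authentication tried for (?P<user>\S+) with correct key but not from a "
    r"permitted host \(host=(?P<host>[^,]+), ip=(?P<ip>[^)]+)\)")
ACCEPTED_RE = re.compile(r"^Accepted publickey for (?P<user>\S+) from (?P<ip>\S+)")


def triage(log_text):
    """Return (spurious, real) lists of {"pid", "user", "ip"} records.

    A "not from a permitted host" message is spurious when the same sshd
    process later logs "Accepted publickey" for the same user and IP, which
    is exactly the pattern the bug report describes. Anything else is real.
    """
    by_pid = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_pid[m["pid"]].append(m["msg"])
    spurious, real = [], []
    for pid, msgs in by_pid.items():
        pending = []  # rejections not yet explained by a later Accepted line
        for msg in msgs:
            r = NOT_PERMITTED_RE.match(msg)
            if r:
                pending.append({"pid": pid, "user": r["user"], "ip": r["ip"]})
                continue
            a = ACCEPTED_RE.match(msg)
            if a:
                for rec in pending:
                    same = (rec["user"], rec["ip"]) == (a["user"], a["ip"])
                    (spurious if same else real).append(rec)
                pending = []
        real.extend(pending)  # never followed by an Accepted line: genuine
    return spurious, real
```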