Bug#869903: regression: putting an hostname in authorized_keys from="" field does not work anymore in stretch

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#869903: regression: putting an hostname in authorized_keys from="" field does not work anymore in stretch
From: Alexander Dahl <post@lespocky.de>
Date: Thu, 27 Jul 2017 16:13:47 +0200
Message-id: <[🔎] 150116482717.15933.745106947861607221.reportbug@susan.home.lespocky.de>
Reply-to: Alexander Dahl <post@lespocky.de>, 869903@bugs.debian.org

Package: openssh-server
Version: 1:7.4p1-10+deb9u1
Severity: normal

Dear Maintainer,

I used the 'from' field in authorized_keys with an hostname (fqdn) on
Debian 8 (jessie), which worked fine (openssh-server
1:6.7p1-5+deb8u3). After upgrading the server to stretch, this does
not work anymore. Putting an IP address in this field works however.
This also does not work with current openssh-server in sid
(1:7.5p1-5). In every case it was a hostname correctly resolvable by
DNS, forward and backwards to one IPv4 address. Client has still been
on jessie in both cases.

The log message on the ssh server when failing is more or less
misleading:

Jul 27 13:39:16 susan sshd[9562]: Authentication tried for alex with correct key but not from a permitted host (host=192.168.243.98, ip=192.168.243.98).

Greets
Alex

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-3-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.115
ii  debconf [debconf-2.0]  1.5.61
ii  dpkg                   1.18.24
ii  init-system-helpers    1.48
ii  libaudit1              1:2.6.7-2
ii  libc6                  2.24-11+deb9u1
ii  libcomerr2             1.43.4-2
ii  libgssapi-krb5-2       1.15-1
ii  libkrb5-3              1.15-1
ii  libpam-modules         1.1.8-3.6
ii  libpam-runtime         1.1.8-3.6
ii  libpam0g               1.1.8-3.6
ii  libselinux1            2.6-3+b1
ii  libssl1.0.2            1.0.2l-2
ii  libsystemd0            232-25+deb9u1
ii  libwrap0               7.6.q-26
ii  lsb-base               9.20161125
ii  openssh-client         1:7.4p1-10+deb9u1
ii  openssh-sftp-server    1:7.4p1-10+deb9u1
ii  procps                 2:3.3.12-3
ii  ucf                    3.0036
ii  zlib1g                 1:1.2.8.dfsg-5

Versions of packages openssh-server recommends:
ii  libpam-systemd  232-25+deb9u1
ii  ncurses-term    6.0+20161126-1
ii  xauth           1:1.0.9-1+b2

Versions of packages openssh-server suggests:
ii  molly-guard   0.6.4
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information:
  ssh/new_config: true
* ssh/vulnerable_host_keys:
  ssh/encrypted_host_key_but_no_keygen:
* ssh/use_old_init_script: true
  openssh-server/permit-root-login: true
  ssh/disable_cr_auth: false

Reply to:

Follow-Ups:
- Bug#869903: regression: putting an hostname in authorized_keys from="" field does not work anymore in stretch
  - From: Simon Deziel <simon@sdeziel.info>

Prev by Date: Bug#869787: Please let me ssh-add a group-writeable private key file
Next by Date: Bug#869903: regression: putting an hostname in authorized_keys from="" field does not work anymore in stretch
Previous by thread: Bug#869787: Please let me ssh-add a group-writeable private key file
Next by thread: Bug#869903: regression: putting an hostname in authorized_keys from="" field does not work anymore in stretch
Index(es):
- Date
- Thread