Bug#869903: regression: putting an hostname in authorized_keys from="" field does not work anymore in stretch
On 2017-07-27 10:13 AM, Alexander Dahl wrote:
> Package: openssh-server
> Version: 1:7.4p1-10+deb9u1
> Severity: normal
>
> Dear Maintainer,
>
> I used the 'from' field in authorized_keys with a hostname (fqdn) on
> Debian 8 (jessie), which worked fine (openssh-server
> 1:6.7p1-5+deb8u3). After upgrading the server to stretch, this does
> not work anymore. Putting an IP address in this field works however.
> This also does not work with current openssh-server in sid
> (1:7.5p1-5). In every case it was a hostname correctly resolvable by
> DNS, forward and backwards to one IPv4 address. Client has still been
> on jessie in both cases.
>
> The log message on the ssh server when failing is more or less
> misleading:
>
> Jul 27 13:39:16 susan sshd[9562]: Authentication tried for alex with correct key but not from a permitted host (host=192.168.243.98, ip=192.168.243.98).

The UseDNS directive was switched to "no" in OpenSSH 6.8 [1]:

   * sshd(8): UseDNS now defaults to 'no'. Configurations that match
     against the client host name (via sshd_config or authorized_keys)
     may need to re-enable it or convert to matching against addresses.

HTH,
Simon

1: https://www.openssh.com/txt/release-6.8
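
Added example (not part of the original thread and not OpenSSH code): a small Python audit that lists authorized_keys from="" patterns written against host names, which stop matching once UseDNS is 'no' as described in the release note above. The function names, the sample key file and the placeholder key blobs are constructed for illustration; usedns_enabled assumes it is given the text printed by `sshd -T`.

```python
import ipaddress
import re

# from="..." is the first option or follows a comma; keywords are case-insensitive.
FROM_RE = re.compile(r'(?:^|,)from="([^"]*)"', re.IGNORECASE)

def is_address_pattern(pattern):
    """True if the pattern is written against addresses, not host names."""
    p = pattern.lstrip("!")                      # leading "!" negates a pattern
    try:
        ipaddress.ip_network(p, strict=False)    # plain address or CIDR
        return True
    except ValueError:
        pass
    if ":" in p:                                 # IPv6 with * or ? wildcards
        return all(c in "0123456789abcdefABCDEF:.*?" for c in p)
    return bool(p) and all(c in "0123456789.*?" for c in p)

def usedns_enabled(sshd_t_output):
    """Effective UseDNS value from `sshd -T` text (assumed input)."""
    for line in sshd_t_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "usedns":
            return parts[1].lower() == "yes"
    return False                                 # default since OpenSSH 6.8

def audit(authorized_keys_text, use_dns):
    """Return (line number, pattern) for from= entries needing UseDNS."""
    findings = []
    if use_dns:
        return findings
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        line = line.strip()
        m = None if line.startswith("#") else FROM_RE.search(line)
        if m:
            findings += [(n, p.strip()) for p in m.group(1).split(",")
                         if not is_address_pattern(p.strip())]
    return findings

# Constructed sample; key blobs are placeholders.
SAMPLE_KEYS = "\n".join([
    "# constructed sample",
    'from="build.example.org" ssh-ed25519 AAAAPLACEHOLDER alex@build',
    'from="192.168.243.98" ssh-ed25519 AAAAPLACEHOLDER alex@laptop',
    'no-pty,from="10.0.0.0/8,*.corp.example.org" ssh-rsa AAAAPLACEHOLDER backup',
    "ssh-ed25519 AAAAPLACEHOLDER nofrom",
])

if __name__ == "__main__":
    for n, pat in audit(SAMPLE_KEYS, usedns_enabled("usedns no")):
        print(f"line {n}: from pattern {pat!r} needs UseDNS yes or an address")
```

Each reported entry either has to be rewritten as an address or CIDR pattern, or the server has to set UseDNS back to 'yes'.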