source: trunk/server/common/patches/openssh-no-spurious-correct-key-incorrect-host-messages.patch

Last change on this file was 1739, checked in by mitchb, 14 years ago
Eliminate spurious openssh error messages related to public keys. If the following conditions apply: o Someone attempts to authenticate to an account with an ssh key o The account has an authorized_keys file o Entries in authorized_keys have restrictions (i.e. "from=" clauses) o The attempted key matches the type (RSA/DSA) of the restricted key(s) o The attempted key is not actually one of the authorized keys You will get a spurious error message that claims: "Authentication tried for _____ with correct key but not from a permitted host (host=______, ip=________)." even though there is no correct key involved. This is OpenSSH bug 1765 (https://bugzilla.mindrot.org/show_bug.cgi?id=1765) and the patch is backported from the one committed in that ticket (https://bugzilla.mindrot.org/attachment.cgi?id=1848).
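--- a/openssh/auth2-pubkey.c
+++ b/openssh/auth2-pubkey.c
@@ -233,13 +233,14 @@
 				continue;
 			}
 		}
-		if (auth_parse_options(pw, key_options, file, linenum) != 1)
-			continue;
 		if (key->type == KEY_RSA_CERT || key->type == KEY_DSA_CERT) {
-			if (!key_is_cert_authority)
-				continue;
 			if (!key_equal(found, key->cert->signature_key))
 				continue;
+			if (auth_parse_options(pw, key_options, file,
+			    linenum) != 1)
+				continue;
+			if (!key_is_cert_authority)
+				continue;
 			debug("matching CA found: file %s, line %lu",
 			    file, linenum);
 			fp = key_fingerprint(found, SSH_FP_MD5,
@@ -258,7 +259,12 @@
 				continue;
 			found_key = 1;
 			break;
-		} else if (!key_is_cert_authority && key_equal(found, key)) {
+		} else if (key_equal(found, key)) {
+			if (auth_parse_options(pw, key_options, file,
+			    linenum) != 1)
+				continue;
+			if (key_is_cert_authority)
+				continue;
 			found_key = 1;
 			debug("matching key found: file %s, line %lu",
 			    file, linenum);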