source: trunk/server/common/patches/openssh-no-spurious-correct-key-incorrect-host-messages.patch

Last change on this file was 1739, checked in by mitchb, 13 years ago
Eliminate spurious openssh error messages related to public keys. If the following conditions apply: o Someone attempts to authenticate to an account with an ssh key o The account has an authorized_keys file o Entries in authorized_keys have restrictions (i.e. "from=" clauses) o The attempted key matches the type (RSA/DSA) of the restricted key(s) o The attempted key is not actually one of the authorized keys You will get a spurious error message that claims: "Authentication tried for _____ with correct key but not from a permitted host (host=______, ip=________)." even though there is no correct key involved. This is OpenSSH bug 1765 (https://bugzilla.mindrot.org/show_bug.cgi?id=1765) and the patch is backported from the one committed in that ticket (https://bugzilla.mindrot.org/attachment.cgi?id=1848).
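--- openssh/auth2-pubkey.c.hold 2010-11-20 20:27:13.000000000 -0500
+++ openssh/auth2-pubkey.c      2010-11-20 20:33:23.000000000 -0500
@@ -233,13 +233,14 @@
                                continue;
                        }
                }
-               if (auth_parse_options(pw, key_options, file, linenum) != 1)
-                       continue;
                if (key->type == KEY_RSA_CERT || key->type == KEY_DSA_CERT) {
-                       if (!key_is_cert_authority)
-                               continue;
                        if (!key_equal(found, key->cert->signature_key))
                                continue;
+                       if (auth_parse_options(pw, key_options, file,
+                           linenum) != 1)
+                               continue;
+                       if (!key_is_cert_authority)
+                               continue;
                        debug("matching CA found: file %s, line %lu",
                            file, linenum);
                        fp = key_fingerprint(found, SSH_FP_MD5,
@@ -258,7 +259,12 @@
                                continue;
                        found_key = 1;
                        break;
-               } else if (!key_is_cert_authority && key_equal(found, key)) {
+               } else if (key_equal(found, key)) {
+                       if (auth_parse_options(pw, key_options, file,
+                           linenum) != 1)
+                               continue;
+                       if (key_is_cert_authority)
+                               continue;
                        found_key = 1;
                        debug("matching key found: file %s, line %lu",
                            file, linenum);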
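Review bot: Both hunks move auth_parse_options() behind the key-match checks without saying why, and a later reader could well "restore" the early call at the top of the loop and reintroduce the misleading log line the description fixes. Suggest a comment above the first moved call in the cert branch, e.g. `/* Parse options only after the key matched: parsing every line logged "correct key but not from a permitted host" for keys that were not authorized at all (bz#1765). */`, with a one-line pointer at the duplicate in the plain-key branch. The order also matters because key_is_cert_authority is set while the options are parsed, so the `if (!key_is_cert_authority)` / `if (key_is_cert_authority)` checks must stay after that call, which the new code does. A side effect worth stating in the comment is that the "not from a permitted host" message now only fires for a genuinely matching key, which makes it a trustworthy signal when reviewing auth logs. The enclosing loop and function start and end outside both hunks.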