Last change on this file since 2132 was 1739, checked in by mitchb, 14 years ago
Eliminate spurious opsnssh error messages related to public keys
If the following conditions apply:
o Someone attempts to authenticate to an account with an ssh key
o The account has an authorized_keys file
o Entries in authorized_keys have restrictions (i.e. "from=" clauses)
o The attempted key matches the type (RSA/DSA) of the restricted key(s)
o The attempted key is not actually one of the authorized keys
You will get a spurious error message that claims:
"Authentication tried for _____ with correct key but not from a
permitted host (host=______, ip=________)."
even though there is no correct key involved.
This is OpenSSH bug 1765 (https://bugzilla.mindrot.org/show_bug.cgi?id=1765)
and the patch is backported from the one committed in that ticket
(https://bugzilla.mindrot.org/attachment.cgi?id=1848).
File size: 1.1 KB
Rev | Line | |
---|
[1739] | 1 | --- openssh/auth2-pubkey.c.hold 2010-11-20 20:27:13.000000000 -0500 |
---|
| 2 | +++ openssh/auth2-pubkey.c 2010-11-20 20:33:23.000000000 -0500 |
---|
| 3 | @@ -233,13 +233,14 @@ |
---|
| 4 | continue; |
---|
| 5 | } |
---|
| 6 | } |
---|
| 7 | - if (auth_parse_options(pw, key_options, file, linenum) != 1) |
---|
| 8 | - continue; |
---|
| 9 | if (key->type == KEY_RSA_CERT || key->type == KEY_DSA_CERT) { |
---|
| 10 | - if (!key_is_cert_authority) |
---|
| 11 | - continue; |
---|
| 12 | if (!key_equal(found, key->cert->signature_key)) |
---|
| 13 | continue; |
---|
| 14 | + if (auth_parse_options(pw, key_options, file, |
---|
| 15 | + linenum) != 1) |
---|
| 16 | + continue; |
---|
| 17 | + if (!key_is_cert_authority) |
---|
| 18 | + continue; |
---|
| 19 | debug("matching CA found: file %s, line %lu", |
---|
| 20 | file, linenum); |
---|
| 21 | fp = key_fingerprint(found, SSH_FP_MD5, |
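Review bot: The relocated auth_parse_options() call at new lines 14-16 has no comment saying why it must come after the key_equal() test, and that ordering is the entire fix. Per the commit message, parsing the options of a line whose key does not match is what produces the "correct key but not from a permitted host" message. Please add a short comment above the call stating that options are parsed only once the key has matched, so a later cleanup does not hoist it back to the top of the loop. The `if (!key_is_cert_authority)` test follows the parse in both the old and the new code, which suggests it depends on the parse having run; the same comment should say so.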
---|
| 22 | @@ -258,7 +259,12 @@ |
---|
| 23 | continue; |
---|
| 24 | found_key = 1; |
---|
| 25 | break; |
---|
| 26 | - } else if (!key_is_cert_authority && key_equal(found, key)) { |
---|
| 27 | + } else if (key_equal(found, key)) { |
---|
| 28 | + if (auth_parse_options(pw, key_options, file, |
---|
| 29 | + linenum) != 1) |
---|
| 30 | + continue; |
---|
| 31 | + if (key_is_cert_authority) |
---|
| 32 | + continue; |
---|
| 33 | found_key = 1; |
---|
| 34 | debug("matching key found: file %s, line %lu", |
---|
| 35 | file, linenum); |
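Review bot: In the new `else if (key_equal(found, key))` branch, a line whose key matches but is marked as a certificate authority now runs auth_parse_options() before `if (key_is_cert_authority) continue;` rejects it. A restricted cert-authority line can therefore still log the host-restriction message for a login that this branch was never going to accept. If the flag is only known after parsing, the order cannot change, but the reason should be documented here. The parse-then-continue sequence at new lines 28-30 is also a copy of the one added in the certificate branch; consider a small helper or at least matching comments so the two stay in sync.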
---|