source: trunk/server/common/patches/openssh-no-spurious-correct-key-incorrect-host-messages.patch @ 2625

Last change on this file since 2625 was 1739, checked in by mitchb, 13 years ago
Eliminate spurious opsnssh error messages related to public keys If the following conditions apply: o Someone attempt to authenticate to an account with an ssh key o The account has an authorized_keys file o Entries in authorized_keys have restrictions (i.e. "from=" clauses) o The attempted key matches the type (RSA/DSA) of the restricted key(s) o The attempted key is not actually one of the authorized keys You will get a spurious error message that claims: "Authentication tried for _____ with correct key but not from a permitted host (host=______, ip=________)." even though there is no correct key involved. This is OpenSSH bug 1765 (https://bugzilla.mindrot.org/show_bug.cgi?id=1765) and the patch is backported from the one committed in that ticket (https://bugzilla.mindrot.org/attachment.cgi?id=1848).
File size: 1.1 KB
RevLine 
[1739]1--- openssh/auth2-pubkey.c.hold 2010-11-20 20:27:13.000000000 -0500
2+++ openssh/auth2-pubkey.c      2010-11-20 20:33:23.000000000 -0500
3@@ -233,13 +233,14 @@
4                                continue;
5                        }
6                }
7-               if (auth_parse_options(pw, key_options, file, linenum) != 1)
8-                       continue;
9                if (key->type == KEY_RSA_CERT || key->type == KEY_DSA_CERT) {
10-                       if (!key_is_cert_authority)
11-                               continue;
12                        if (!key_equal(found, key->cert->signature_key))
13                                continue;
14+                       if (auth_parse_options(pw, key_options, file,
15+                           linenum) != 1)
16+                               continue;
17+                       if (!key_is_cert_authority)
18+                               continue;
19                        debug("matching CA found: file %s, line %lu",
20                            file, linenum);
21                        fp = key_fingerprint(found, SSH_FP_MD5,
22@@ -258,7 +259,12 @@
23                                continue;
24                        found_key = 1;
25                        break;
26-               } else if (!key_is_cert_authority && key_equal(found, key)) {
27+               } else if (key_equal(found, key)) {
28+                       if (auth_parse_options(pw, key_options, file,
29+                           linenum) != 1)
30+                               continue;
31+                       if (key_is_cert_authority)
32+                               continue;
33                        found_key = 1;
34                        debug("matching key found: file %s, line %lu",
35                            file, linenum);
Note: See TracBrowser for help on using the repository browser.