source: trunk/server/common/patches/openssh-no-spurious-correct-key-incorrect-host-messages.patch @ 2159

Last change on this file since 2159 was 1739, checked in by mitchb, 12 years ago
Eliminate spurious opsnssh error messages related to public keys If the following conditions apply: o Someone attempt to authenticate to an account with an ssh key o The account has an authorized_keys file o Entries in authorized_keys have restrictions (i.e. "from=" clauses) o The attempted key matches the type (RSA/DSA) of the restricted key(s) o The attempted key is not actually one of the authorized keys You will get a spurious error message that claims: "Authentication tried for _____ with correct key but not from a permitted host (host=______, ip=________)." even though there is no correct key involved. This is OpenSSH bug 1765 (https://bugzilla.mindrot.org/show_bug.cgi?id=1765) and the patch is backported from the one committed in that ticket (https://bugzilla.mindrot.org/attachment.cgi?id=1848).
File size: 1.1 KB
  • openssh/auth2-pubkey.c

    old new  
    233233                                continue;
    234234                        }
    235235                }
    236                 if (auth_parse_options(pw, key_options, file, linenum) != 1)
    237                         continue;
    238236                if (key->type == KEY_RSA_CERT || key->type == KEY_DSA_CERT) {
    239                         if (!key_is_cert_authority)
    240                                 continue;
    241237                        if (!key_equal(found, key->cert->signature_key))
    242238                                continue;
     239                        if (auth_parse_options(pw, key_options, file,
     240                            linenum) != 1)
     241                                continue;
     242                        if (!key_is_cert_authority)
     243                                continue;
    243244                        debug("matching CA found: file %s, line %lu",
    244245                            file, linenum);
    245246                        fp = key_fingerprint(found, SSH_FP_MD5,
     
    258259                                continue;
    259260                        found_key = 1;
    260261                        break;
    261                 } else if (!key_is_cert_authority && key_equal(found, key)) {
     262                } else if (key_equal(found, key)) {
     263                        if (auth_parse_options(pw, key_options, file,
     264                            linenum) != 1)
     265                                continue;
     266                        if (key_is_cert_authority)
     267                                continue;
    262268                        found_key = 1;
    263269                        debug("matching key found: file %s, line %lu",
    264270                            file, linenum);
Note: See TracBrowser for help on using the repository browser.