Debian Bug report logs - #607369
authorized_keys: key options on items preceding match key generates false log output


Package: openssh-server; Maintainer for openssh-server is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Source for openssh-server is src:openssh.

Reported by: Vaclav Ovsik <vaclav.ovsik@gmail.com>

Date: Fri, 17 Dec 2010 14:15:01 UTC

Severity: normal

Found in version openssh/1:5.5p1-5



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#607369; Package openssh-server. (Fri, 17 Dec 2010 14:15:04 GMT)


Acknowledgement sent to Vaclav Ovsik <vaclav.ovsik@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Fri, 17 Dec 2010 14:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Vaclav Ovsik <vaclav.ovsik@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: authorized_keys: key options on items preceding match key generates false log output
Date: Fri, 17 Dec 2010 15:10:15 +0100
Package: openssh-server
Version: 1:5.5p1-5+b1
Severity: normal

Hi,
I caught log messages in /var/log/auth.log

... Authentication tried for test with correct key but not from a permitted host...

for successful login attempts. I have investigated and found that these log
messages belong to key options preceding the matched key. The problem
occurs only for keys of the same type. So if you are logging in with a dss
type key, then only messages generated from the dss key type entries can
occur.

Here is an example procedure to prove the problem:

# let's generate some 5 ssh keys...

    test@bobek:~/.ssh$ for x in {1..5}; do ssh-keygen -N '' -f id_rsa_$x; done
    ...
    test@bobek:~/.ssh$ ls -la id_rsa_*
    -rw------- 1 test test 1679 Dec 17 13:49 id_rsa_1
    -rw-r--r-- 1 test test  392 Dec 17 13:49 id_rsa_1.pub
    -rw------- 1 test test 1675 Dec 17 13:49 id_rsa_2
    -rw-r--r-- 1 test test  392 Dec 17 13:49 id_rsa_2.pub
    -rw------- 1 test test 1679 Dec 17 13:49 id_rsa_3
    -rw-r--r-- 1 test test  392 Dec 17 13:49 id_rsa_3.pub
    -rw------- 1 test test 1679 Dec 17 13:49 id_rsa_4
    -rw-r--r-- 1 test test  392 Dec 17 13:49 id_rsa_4.pub
    -rw------- 1 test test 1679 Dec 17 13:49 id_rsa_5
    -rw-r--r-- 1 test test  392 Dec 17 13:49 id_rsa_5.pub

# cat all keys to authorized_keys

    test@bobek:~/.ssh$ cat *.pub >authorized_keys
    test@bobek:~/.ssh$ chmod 600 authorized_keys

# insert some from restrictions...

    from="127.1.1.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDK+GhZmcgupdeJX3tergwOLW8UIeqzFClmTKAFFttNgaaKbUpCu1mrJSU60KbnkFL9cBmljmJBDcXPkIqzU8MKPvO6zA2k1qfSuiwFZrP3nd4Kxc+qPMzK3yo4jBiHSyCnnZrb0GxE1wfYo4V2hTSZKquytIbIFMiXdVOY0GPZM9PyGGywcmStA8H7999OuFsrxGETTD6uKNWU5PFqf3syFZvodJGK8oQN3dUunBubjsrzjnzNPGoAEfFFPTK1dEQHLY4MwakUAXMof1eVN/GFDU1St9DvhX+9PW88lb5UjnnvfQM7As87Au8WpHCV5n7FsSbneTeP9KZfe8St+9a3 test@bobek
    from="127.1.1.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMBi3x1H6+V7mAbzd9rJRkNclNpXfynZi4s4U579Z17HCbOhKdn3lJoL3H1H48id21j+ynN4LXlFRSrtI11AuNiExJVjH2C4oFWrOqHW/4+wGLjFQKBUT+6jjLlVTXvTAOmPn+eKUnP29YBryremjbTTtWbOUovDger5tgl4DeiAsjh9n4hklJzx2zuQkHZNO6M1fuFMJ1f8ujwK8pMQe3MYT32F7fn5rEa48RwA7Z4ooK0N18d0HZ5Z0L+xdu9Rkl0Qo4n+GdEkL1cVTqIKUmVzwD8q1WcX5MeXSrmL3BRlVc6mU200myEwyv35YHnf9XERHAw1LOhsXdsB8lxUin test@bobek
    from="127.1.1.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHfdW6yHWfcnEfptUbXI8iIxS0gZLjdAvxjwPZxU1EctziW/ULdwf+zgZB3a5fNVawpcVfHYswCw33+K+Zr+Dm539mdkERweSBoit8BEY8zqQ/e0qPculUWwunPhnkKyu+g4nzo+Ckc/2tdGM8dLg5RhVzxSGEEEQ3IIOpemjIdsjohUfw8FpDTFCTaHp8raJjj/f8i4/JPfh1H6fQLxUCG/WlllmIJVh/DRjBTi9aPuTUI/zDKALZPhYJ2dPrYG6j8wf6Lir3P0KeEzmiN258y7ujtPgAzvEvlCV1bFf1+izT3BJvKJbfVyJpEFg3CHFHB8dccAVWjOfBjidBZ6Id test@bobek
    from="127.1.1.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC80Lv3Pt+VN8+VsgG1tCbaWSj3SByNzQx/vWKhytPTRl9nqQ1N9qq0u8aG29qFmceEh+Xq4IFMbR319+hoB3nCDQiixm8Q5tw/BAn/N6L/i3ov36XNm7wxTrmHdu06U/S0Szfy2bD+/N+CDmpTcKtdo+MgecFG144IZpjxjQtWO06Q1MRwNAQPUOKGNKBTTR8rGGV5T3iX14k5GwX5cuXZuNN0NcfudHuTPgO+8SjZM0GXUiIFB4mCvq/yprazajlEsn4Tf9h3IcggTXxgXji54Ac9D85Gt/x7+wlc7vk3hGwe0X15E+KoVH0P1fu4dv696OCYqhvaBWD3eaBAQXzh test@bobek
    from="127.0.0.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIdfTAdUgsf1GLdqY3WZDtEudKsb1eN8CWY+l/7OyWcpQABPGIgsohoZuBKA+Ie+bSvA26rVpDbGstVyiQbQ4pX9YkGQHxN+ClsS5EkgZJXnGQuRWJUmrRvHMzpGl1COVtDA9/v83FBdDxRYbuntWSNg4Mh5oa4FUjX7fjbY6F2F7gTnuMZnFaWdv1POAK+HkwG2ABkZhi8WVz6upCyD3HYJ0H794Q2zgj0rrStxR0EbEZ3LOyf3xjhdPEq3Hs1rBMuxmQXkmr0DmYM7YuzizA91SHC1dNpIlDxeXMuy4UlWeHrnM65Tw25+UOOJnKCm4/Hxmhr5hBjg3SaiY3jhaN test@bobek


# login from localhost using last key (id_rsa_5), so 4 preceding from
# restrictions are applied

    test@bobek:~/.ssh$ ssh -i id_rsa_5 localhost
    Linux bobek 2.6.36-trunk-686 #1 SMP Thu Oct 28 14:08:39 UTC 2010 i686

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    test@bobek:~$ 


# and see the log output in /var/log/auth

    bobek:~# tail -f /var/log/auth.log
    ...
    Dec 17 14:03:10 bobek sshd[2323]: pam_unix(sshd:session): session closed for user test
    Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
    Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
    Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
    Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
    Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
    Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
    Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
    Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
    Dec 17 14:03:12 bobek sshd[3607]: Accepted publickey for test from 127.0.0.1 port 42357 ssh2
    Dec 17 14:03:12 bobek sshd[3607]: pam_unix(sshd:session): session opened for user test by (uid=0)


All these "...Authentication tried for test with correct key but not from
a permitted host..." messages are invalid and very confusing!

This is not only about "from" options. I tried to run sshd by hand
with -d, and the authorized_keys option environment="..." also generates
such output (I have permitted user environment).

debug output on server side:
    debug1: Adding to environment: GIT_COMMITTER_NAME=...
    debug1: Adding to environment: GIT_COMMITTER_EMAIL=...
    debug1: Adding to environment: GIT_COMMITTER_NAME=...
    debug1: Adding to environment: GIT_COMMITTER_EMAIL=...

debug output on client side (ssh -v):
    debug1: Remote: Adding to environment: GIT_COMMITTER_NAME=...
    debug1: Remote: Adding to environment: GIT_COMMITTER_EMAIL=...
    debug1: Remote: Adding to environment: GIT_COMMITTER_NAME=...
    debug1: Remote: Adding to environment: GIT_COMMITTER_EMAIL=...
    debug1: Remote: Your host '...' is not permitted to use this key for login.
    debug1: Remote: Your host '...' is not permitted to use this key for login.
    debug1: Remote: Adding to environment: GIT_COMMITTER_NAME=...
    debug1: Remote: Adding to environment: GIT_COMMITTER_EMAIL=...
    debug1: Remote: Adding to environment: GIT_COMMITTER_NAME=...
    debug1: Remote: Adding to environment: GIT_COMMITTER_EMAIL=...
    debug1: Remote: Your host '...' is not permitted to use this key for login.
    debug1: Remote: Your host '...' is not permitted to use this key for login.


Very confusing too.

I already found a mention of this bug in #406987, but its subject is
about a different problem, so I am filing another bug report.

Thanks for your work.
Best Regards
-- 
Zito


-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.36-trunk-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser                 3.112+nmu2       add and remove users and groups
ii  debconf [debconf-2.0]   1.5.37           Debian configuration management sy
ii  dpkg                    1.15.8.6         Debian package management system
ii  libc6                   2.11.2-7         Embedded GNU C Library: Shared lib
ii  libcomerr2              1.41.12-2        common error description library
ii  libgssapi-krb5-2        1.8.3+dfsg-4     MIT Kerberos runtime libraries - k
ii  libkrb5-3               1.8.3+dfsg-4     MIT Kerberos runtime libraries
ii  libpam-modules          1.1.1-6.1        Pluggable Authentication Modules f
ii  libpam-runtime          1.1.1-6.1        Runtime support for the PAM librar
ii  libpam0g                1.1.1-6.1        Pluggable Authentication Modules l
ii  libselinux1             2.0.96-1         SELinux runtime shared libraries
ii  libssl0.9.8             0.9.8o-4         SSL shared libraries
ii  libwrap0                7.6.q-19         Wietse Venema's TCP wrappers libra
ii  lsb-base                3.2-26           Linux Standard Base 3.2 init scrip
ii  openssh-blacklist       0.4.1            list of default blacklisted OpenSS
ii  openssh-client          1:5.5p1-5+b1     secure shell (SSH) client, for sec
ii  procps                  1:3.2.8-10       /proc file system utilities
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.5-1  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                   <none>     (no description available)
pn  rssh                          <none>     (no description available)
pn  ssh-askpass                   <none>     (no description available)
pn  ufw                           <none>     (no description available)

-- debconf information:
  ssh/vulnerable_host_keys:
  ssh/encrypted_host_key_but_no_keygen:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/disable_cr_auth: false
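
Added example, not part of the original report or of OpenSSH: the report above shows "not from a permitted host" warnings logged by the same sshd process that then logs "Accepted publickey". This Python function groups auth.log lines by sshd PID and separates warnings that are followed by an acceptance for the same user and address from those that are not. The function name, the `noise`/`review` labels and the sample log are constructed for the example, and the pairing rule is a heuristic assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the auth.log excerpt in the report
# (the second connection, PID 3711, is made up for the example).
SAMPLE_LOG = """\
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Authentication tried for test with correct key but not from a permitted host (host=localhost.localdomain, ip=127.0.0.1).
Dec 17 14:03:12 bobek sshd[3607]: Accepted publickey for test from 127.0.0.1 port 42357 ssh2
Dec 17 14:05:40 bobek sshd[3711]: Authentication tried for test with correct key but not from a permitted host (host=gw.example.net, ip=192.0.2.7).
Dec 17 14:05:41 bobek sshd[3711]: Connection closed by 192.0.2.7
"""

PID_RE = re.compile(r"sshd\[(\d+)\]: (.*)$")
WARN_RE = re.compile(r"Authentication tried for (\S+) with correct key but not "
                     r"from a permitted host \(host=[^,]*, ip=([^)]+)\)")
OK_RE = re.compile(r"Accepted publickey for (\S+) from (\S+) port \d+")


def triage(log_text):
    """Return {pid: (user, ip, warning_count, verdict)} for every sshd
    process that logged a 'not from a permitted host' warning."""
    warnings = defaultdict(list)   # pid -> [(user, ip), ...]
    accepted = defaultdict(set)    # pid -> {(user, ip), ...}
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        w = WARN_RE.match(msg)
        if w:
            warnings[pid].append((w.group(1), w.group(2)))
            continue
        a = OK_RE.match(msg)
        if a:
            accepted[pid].add((a.group(1), a.group(2)))
    result = {}
    for pid, hits in warnings.items():
        user, ip = hits[0]
        # Heuristic (assumption of this example): same process, user and
        # address later accepted => warning came from a non-matching entry.
        verdict = "noise" if (user, ip) in accepted[pid] else "review"
        result[pid] = (user, ip, len(hits), verdict)
    return result


if __name__ == "__main__":
    for pid, row in sorted(triage(SAMPLE_LOG).items()):
        print(pid, *row)
```

A warning followed by an acceptance can also mean the client offered a restricted key before an allowed one, so `noise` lowers the priority of an alert rather than proving the warning false.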




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#607369; Package openssh-server. (Sun, 13 Feb 2011 16:18:03 GMT)


Acknowledgement sent to Toni Mueller <support@oeko.net>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sun, 13 Feb 2011 16:18:03 GMT)


Message #10 received at 607369@bugs.debian.org:

From: Toni Mueller <support@oeko.net>
To: 607369@bugs.debian.org
Cc: support@oeko.net
Subject: confirmed after upgrading from Lenny to Squeeze
Date: Sun, 13 Feb 2011 17:14:54 +0100

Hi,

after upgrading from Lenny to Squeeze, I notice exactly the same
problem. Imho, these messages are invalid.


Kind regards,
--Toni++


Version: 1:5.5p1-6


Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser                 3.112+nmu2       add and remove users and groups
ii  debconf [debconf-2.0]   1.5.36.1         Debian configuration management sy
ii  dpkg                    1.15.8.10        Debian package management system
ii  libc6                   2.11.2-10        Embedded GNU C Library: Shared lib
ii  libcomerr2              1.41.12-2        common error description library
ii  libgssapi-krb5-2        1.8.3+dfsg-4     MIT Kerberos runtime libraries - k
ii  libkrb5-3               1.8.3+dfsg-4     MIT Kerberos runtime libraries
ii  libpam-modules          1.1.1-6.1        Pluggable Authentication Modules f
ii  libpam-runtime          1.1.1-6.1        Runtime support for the PAM librar
ii  libpam0g                1.1.1-6.1        Pluggable Authentication Modules l
ii  libselinux1             2.0.96-1         SELinux runtime shared libraries
ii  libssl0.9.8             0.9.8o-4         SSL shared libraries
ii  libwrap0                7.6.q-19         Wietse Venema's TCP wrappers libra
ii  lsb-base                3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii  openssh-blacklist       0.4.1            list of default blacklisted OpenSS
ii  openssh-client          1:5.5p1-6        secure shell (SSH) client, for sec
ii  procps                  1:3.2.8-9        /proc file system utilities
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.4-1  X authentication utility






Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#607369; Package openssh-server. (Sun, 13 Feb 2011 16:21:06 GMT)


Acknowledgement sent to Toni Mueller <support@oeko.net>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sun, 13 Feb 2011 16:21:06 GMT)


Message #15 received at 607369@bugs.debian.org:

From: Toni Mueller <support@oeko.net>
To: 607369@bugs.debian.org
Cc: support@oeko.net
Subject: Request merge with #607602
Date: Sun, 13 Feb 2011 17:19:16 +0100

Hi,

it looks like other people are also uncomfortable with this behaviour.
These two bugs could imho be merged.


Kind regards,
--Toni++






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Mar 25 17:35:31 2023; Machine Name: buxtehude
