Date: Sun, 11 Jul 2010 08:44:40 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: freebsd-stable@freebsd.org Subject: Re: Authentication tried for XXX with correct key but not from a permitted host Message-ID: <4C397668.6060904@infracaninophile.co.uk> In-Reply-To: <4C3934D9.3030501@langille.org> References: <4C3934D9.3030501@langille.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On 11/07/2010 04:04:57, Dan Langille wrote: > That asked, I know if I move the key to the top of the > ~/.ssh/authorized_keys file, the message is no longer logged. Further > investigation reveals that if a line of the form: > > from="10..etc" > > appears before the key being used to log in, the message will appear. Usually the from='10.0.0.100' tag should be inserted at the beginning of the line for each key it should affect. It shouldn't do anything on a line on its own -- in fact that should be a syntax error. The behaviour you're seeing sounds like something new: it isn't what sshd(8) describes in the section on AUTHORIZED_KEYS FILE FORMAT. This new behaviour sounds as if it could be quite useful for easing the management of complicated authorised_keys files, but I'd have expected some sort of notice somewhere. I can't see anything relevant in the release notes for OpenSSH for versions 5.0, 5.1, 5.3, 5.3, 5.4 or 5.5 [Eg. http://www.openssh.org/txt/release-5.4 -- 8.1-PRERELEASE has OpenSSH 5.4p1 bundled]. Nor anything in any of the ssh(1), ssh_config(1), sshd(8), sshd_config(8) man pages. Maybe it's a bug, but one that has fortuitously useful effects. Cheers, Mathew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate JID: matthew@infracaninophile.co.uk Kent, CT11 9PW [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkw5dm4ACgkQ8Mjk52CukIzKLwCghPzYo8Wva0y18HT8J1alkRvi sJkAn2ctpzzAtC2sn3ILSNcHY4LsGdnr =X+pL -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4C397668.6060904>