From: Matthew Seaman
Date: Sun, 11 Jul 2010 08:44:40 +0100
To: freebsd-stable@freebsd.org
Subject: Re: Authentication tried for XXX with correct key but not from a permitted host
Message-ID: <4C397668.6060904@infracaninophile.co.uk>
In-Reply-To: <4C3934D9.3030501@langille.org>

On 11/07/2010 04:04:57, Dan Langille wrote:

> That asked, I know if I move the key to the top of the
> ~/.ssh/authorized_keys file, the message is no longer logged. Further
> investigation reveals that if a line of the form:
>
> from="10..etc"
>
> appears before the key being used to log in, the message will appear.

Usually the from='10.0.0.100' tag should be inserted at the beginning of
the line for each key it should affect. It shouldn't do anything on a
line on its own -- in fact that should be a syntax error.

The behaviour you're seeing sounds like something new: it isn't what
sshd(8) describes in the section on AUTHORIZED_KEYS FILE FORMAT. This
new behaviour sounds as if it could be quite useful for easing the
management of complicated authorised_keys files, but I'd have expected
some sort of notice somewhere.

I can't see anything relevant in the release notes for OpenSSH for
versions 5.0, 5.1, 5.3, 5.3, 5.4 or 5.5 [Eg.
http://www.openssh.org/txt/release-5.4 -- 8.1-PRERELEASE has OpenSSH
5.4p1 bundled]. Nor anything in any of the ssh(1), ssh_config(1),
sshd(8), sshd_config(8) man pages.

Maybe it's a bug, but one that has fortuitously useful effects.

Cheers,

Mathew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
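
Added example, not part of the original message and not OpenSSH's own parser: a small checker that reads an authorized_keys file against the per-line layout described in sshd(8) (optional options, key type, key, comment), flags lines such as a bare from= that carry no key, and reports which from= patterns are attached to each key. The names `lint`, `split_fields` and `split_options` are hypothetical, and the sample file and key blobs are constructed.

```python
import re

# Public-key type names OpenSSH accepts at the start of the key field.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
QUOTED = r'"(?:\\.|[^"\\])*"'

def split_fields(line):
    """Split on whitespace, keeping double-quoted option values intact."""
    return re.findall(r'(?:[^\s"]|' + QUOTED + r')+', line)

def split_options(spec):
    """Split a comma-separated option list, ignoring commas inside quotes."""
    return re.findall(r'(?:[^,"]|' + QUOTED + r')+', spec)

def lint(text):
    """Return (line number, status, detail) for every non-comment line."""
    report = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            report.append((no, "no-key", line))       # e.g. from= on its own
        elif idx > 1:
            report.append((no, "bad-options", line))  # unquoted space in options
        else:
            opts = split_options(fields[0]) if idx == 1 else []
            froms = [o[6:-1] for o in opts if o.lower().startswith('from="')]
            report.append((no, "key", froms))
    return report

# Constructed sample file; key blobs are placeholders, not real keys.
SAMPLE = (
    "# constructed sample\n"
    'from="10.0.0.100"\n'
    "ssh-rsa AAAAEXAMPLE1 dan@laptop\n"
    'from="10.0.0.100,10.1.*",no-pty ssh-rsa AAAAEXAMPLE2 backup@host\n'
)

if __name__ == "__main__":
    for entry in lint(SAMPLE):
        print(entry)
```

A "no-key" result marks a line that does not fit the documented format; a "key" result with an empty list is a key with no source-address restriction.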