Hide Forgot
Description of problem: hostname wildcards do not work any more when prepending from="*.mydomain" to an authorized_keys entry....login prompts for password. Version-Release number of selected component (if applicable): openssh-server-6.9p1-10.fc22.x86_64 How reproducible: 100% Steps to Reproduce: 0. move aside existing ssh authorized keys file for save/clean testing mv ~/.ssh/authorized_keys{,.bak} 1. on "host1", ssh-keygen -t rsa -b 2048 -f ~/.ssh/a # empty passphrase OK, or type one and add it to ssh-agent via "ssh-add a" 2. cat ~/.ssh/a.pub >> ~/.ssh/authorized_keys 3. confirm you can log in to the host from another system "host2" with the key. If you don't share home directories, copy the private key to the remote host. use 'ssh -i ~/.ssh/a host1' 5. edit authorized_keys and prepend an appropriate "from=*.domain" or the fqdn of host2 without wildcards. Actual results: ssh prompts for password Expected results: no password prompt, login in succeeds using ssh key authentication Additional info: IP addresses with wildcards work. E.g., from="10.0.*"
Hi Chris, the report is for Fedora 23, but package version is from Fedora 22. Do you have UseDNS yes in your sshd_config? What errors/messages do you see in the server log? When you said "any more", when did it work for you last time? There was change in default and this UseDNS is turned off by default. Let me know if it helped you. Anyway I filled a bug [1] for the documentation which mentions this option with wrong description. [1] https://bugzilla.mindrot.org/show_bug.cgi?id=2554
Yes, UseDNS was unset ("#UseDNS no") and thus taking the (new) default of no. Setting it to yes got it working. Sorry for not noticing the option existed and changed defaults. I think this last worked in Fedora 21 until near it's EOL. We skipped Fedora 22 on most systems. Looks like the default was changed for 6.8p1 per http://www.openssh.com/txt/release-6.8 Sorry about the package version, I meant openssh-server-7.2p2-1.fc23.x86_64 Thank you!! Now armed with the right keywords, reading up on the security-related reasons for the change, such as http://unix.stackexchange.com/questions/56941/what-is-the-point-of-sshd-usedns-option In our business environment, we don't have to worry about the long delays issues.