Bug 1318430 - authorized_keys from="*.domain" (hostnames) not working
Summary: authorized_keys from="*.domain" (hostnames) not working
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 23
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-03-16 21:03 UTC by Chris Schanzle
Modified: 2016-03-17 14:09 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-17 14:09:19 UTC
Type: Bug



Description Chris Schanzle 2016-03-16 21:03:44 UTC
Description of problem:
Hostname wildcards do not work any more when prepending from="*.mydomain" to an authorized_keys entry; login prompts for a password.

Version-Release number of selected component (if applicable):
openssh-server-6.9p1-10.fc22.x86_64

How reproducible:
100%

Steps to Reproduce:
0. Move aside the existing ssh authorized_keys file for safe/clean testing:
mv ~/.ssh/authorized_keys{,.bak}

1. on "host1", 
   ssh-keygen -t rsa -b 2048 -f ~/.ssh/a
   # empty passphrase OK, or type one and add it to ssh-agent via "ssh-add a"

2. cat ~/.ssh/a.pub >> ~/.ssh/authorized_keys

3. Confirm you can log in to the host from another system "host2" with the key.  If you don't share home directories, copy the private key to the remote host.  Use 'ssh -i ~/.ssh/a host1'

4. Edit authorized_keys and prepend an appropriate "from=*.domain" or the fqdn of host2 without wildcards.

Actual results:
ssh prompts for password

Expected results:
no password prompt, login succeeds using ssh key authentication

Additional info:
IP addresses with wildcards work.  E.g.,
from="10.0.*"
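
As an added illustration (not code from this report and not OpenSSH's own code), the following Python models how sshd evaluates a from="..." restriction, using a constructed reverse/forward DNS table so the symptom above can be reproduced offline. It follows the behaviour documented in sshd_config(5): with UseDNS no, sshd never resolves the client address, so only addresses, not host names, can be used in from= (and Match Host); with UseDNS yes, the reverse-lookup result is used only if a forward lookup maps back to the address, otherwise sshd falls back to the address. The host names, addresses and the evil.mydomain entry are assumptions made for the example.

```python
import ipaddress
import re

# Constructed DNS data for this illustration (not from the bug report):
# 10.0.0.2 resolves consistently to host2.mydomain; 10.0.0.9 has a PTR
# record claiming a name in the domain, but the forward lookup of that
# name does not return 10.0.0.9 (assumed spoofed reverse record).
REVERSE = {"10.0.0.2": "host2.mydomain", "10.0.0.9": "evil.mydomain"}
FORWARD = {"host2.mydomain": {"10.0.0.2"}, "evil.mydomain": {"192.0.2.7"}}


def client_hostname(ip, use_dns):
    """Name sshd hands to the from= matcher for a connection from ip.

    UseDNS no: no lookup is done and the address itself is used, so a
    hostname pattern can never match.  UseDNS yes: reverse-resolve, and
    trust the name only if a forward lookup maps back to the address.
    """
    if not use_dns:
        return ip
    name = REVERSE.get(ip)
    if name is None or ip not in FORWARD.get(name, set()):
        return ip  # unresolvable, or reverse/forward mismatch: fall back
    return name.lower()


def glob_match(pattern, text):
    """Case-insensitive match of a from= wildcard pattern (* and ? only)."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, text, re.IGNORECASE) is not None


def _match_list(predicate, patterns):
    """1 on a positive match, -1 if any negated (!) entry matches, else 0.
    A negated entry anywhere in the comma-separated list overrides."""
    result = 0
    for entry in patterns.split(","):
        entry = entry.strip()
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        if entry and predicate(entry):
            if negated:
                return -1
            result = 1
    return result


def match_pattern_list(text, patterns):
    """Wildcard matching of the (lowercased) client host name."""
    return _match_list(lambda pat: glob_match(pat, text), patterns)


def addr_match_list(ip, patterns):
    """Match the client address: CIDR entries first, otherwise a wildcard
    match on the dotted string.  This is why from="10.0.*" works even
    when UseDNS is off."""
    addr = ipaddress.ip_address(ip)

    def hit(pat):
        try:
            return addr in ipaddress.ip_network(pat, strict=False)
        except ValueError:  # not CIDR/address syntax: treat as a wildcard
            return glob_match(pat, ip)

    return _match_list(hit, patterns)


def match_host_and_ip(host, ip, patterns):
    """Combination rule: a negated address or host name entry rejects;
    otherwise either a positive address or a positive host match accepts."""
    mip = addr_match_list(ip, patterns)
    if mip == -1:
        return False
    mhost = match_pattern_list(host.lower(), patterns)
    if mhost == -1:
        return False
    return mip == 1 or mhost == 1


def key_accepted(from_option, ip, use_dns):
    """Would a key carrying from="<from_option>" be usable from ip?"""
    return match_host_and_ip(client_hostname(ip, use_dns), ip, from_option)


if __name__ == "__main__":
    cases = [
        ("*.mydomain", "10.0.0.2", False),         # the symptom in this report
        ("*.mydomain", "10.0.0.2", True),          # works once UseDNS is yes
        ("10.0.*", "10.0.0.2", False),             # address wildcards always work
        ("*.mydomain", "10.0.0.9", True),          # spoofed PTR is not trusted
        ("10.0.0.0/8,!10.0.0.9", "10.0.0.9", True),  # negation wins
    ]
    for opt, ip, dns in cases:
        print(f'from="{opt}" client={ip} UseDNS={"yes" if dns else "no"}'
              f' -> {key_accepted(opt, ip, dns)}')
```

The fourth case is the reason the default changed: a client that controls the reverse DNS for its address can claim any name, so sshd only honours the name when the forward lookup agrees, and with UseDNS no it does not consult DNS at all, which is why a hostname pattern silently stops matching.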

Comment 1 Jakub Jelen 2016-03-17 12:17:41 UTC
Hi Chris,
the report is for Fedora 23, but the package version is from Fedora 22. Do you have UseDNS yes in your sshd_config? What errors/messages do you see in the server log?

When you said "any more", when did it work for you the last time? There was a change in the default, and UseDNS is now turned off by default. Let me know if it helped you.


Anyway, I filed a bug [1] for the documentation, which mentions this option with a wrong description.

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2554

Comment 2 Chris Schanzle 2016-03-17 14:09:19 UTC
Yes, UseDNS was unset ("#UseDNS no") and was thus taking the (new) default of no.  Setting it to yes got it working.  Sorry for not noticing the option existed and that the default had changed.

I think this last worked in Fedora 21 until near its EOL.  We skipped Fedora 22 on most systems.

Looks like the default was changed for 6.8p1 per http://www.openssh.com/txt/release-6.8

Sorry about the package version, I meant 
openssh-server-7.2p2-1.fc23.x86_64

Thank you!!

Now armed with the right keywords, I am reading up on the security-related reasons for the change, such as http://unix.stackexchange.com/questions/56941/what-is-the-point-of-sshd-usedns-option
In our business environment, we don't have to worry about the long-delay issues.

