[Bug 3910] New: Permission denied if from= contains an invalid IP range in authorized_keys

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Jan 15 02:13:40 AEDT 2026


https://bugzilla.mindrot.org/show_bug.cgi?id=3910

            Bug ID: 3910
           Summary: Permission denied if from= contains an invalid IP
                    range in authorized_keys
           Product: Portable OpenSSH
           Version: 9.2p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: taziden at flexiden.org

If from= contains an invalid IP range (10.0.1.0/8, 192.168.1.2/24,
2001:912:2101:10f:6000::/64 are examples in both v4 and v6), permission
is denied even though the user is allowed through another IP or IP
range within the from pattern list.

This results in being locked out ("Permission denied") of a server
despite being explicitly allowed through the authorized_keys file.

This can be catastrophic if one deploys an invalid range on several
hundreds of servers (been there, almost done that).

I understand where it comes from, but I consider this as a major bug
nonetheless.

This stems from the behavior of the addr_match_list function within
addrmatch.c. On the server side, an error is displayed: "inconsistent
mask length for …" but only if debug2 is enabled.
Otherwise, with log level set to INFO, the error message is simply
"Authentication tried for … with correct key but not from a permitted
host", which is not true.

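The lockout described in the report comes from a CIDR entry whose address has host bits set outside its prefix (the "inconsistent mask length" case), which makes the whole from= list fail. A pre-deployment lint that catches such entries before the file reaches several hundred servers, as an added example that is not part of the report or of OpenSSH; it uses Python's strict ipaddress.ip_network() to mirror the mask check, assumes options are written as from="...", and the authorized_keys content below is constructed:

```python
import ipaddress

# Constructed sample authorized_keys content; the first two lines carry
# invalid ranges of the kind the bug report describes (host bits set).
SAMPLE_AUTHORIZED_KEYS = """\
from="10.0.1.0/8,192.168.1.2/24,203.0.113.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne admin@example
from="2001:db8:1:f:6000::/64,!203.0.113.7,203.0.113.*" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo ops@example
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyThree nobody@example
"""


def from_patterns(line):
    """Return the comma-separated pattern list of a from="..." option,
    or None when the line carries no from= option. Handles backslash
    escapes inside the quoted value; assumes the double-quoted form."""
    marker = 'from="'
    start = line.find(marker)
    if start < 0:
        return None
    i = start + len(marker)
    value = []
    while i < len(line) and line[i] != '"':
        if line[i] == "\\" and i + 1 < len(line):  # escaped character
            i += 1
        value.append(line[i])
        i += 1
    return "".join(value).split(",")


def check_pattern(pattern):
    """Return a reason string when a CIDR pattern would be rejected for an
    inconsistent mask (host bits set, or an unparsable prefix), else None.
    Entries without '/' are wildcard host patterns and are left alone."""
    p = pattern[1:] if pattern.startswith("!") else pattern  # drop negation
    if "/" not in p:
        return None
    try:
        ipaddress.ip_network(p, strict=True)  # strict: host bits must be 0
    except ValueError as exc:
        return str(exc)
    return None


def lint_authorized_keys(text):
    """Return (line_number, pattern, reason) for each entry that would make
    sshd reject the entire from= list of that key."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        for pat in from_patterns(line) or []:
            reason = check_pattern(pat)
            if reason:
                problems.append((n, pat, reason))
    return problems
```

Run it over a candidate file before pushing it out; any reported entry should be rewritten as a proper network address (for example the /8 entry as 10.0.0.0/8) or as an unambiguous host pattern.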