Authentication tried for XXX with correct key but not from a permitted host

Matthew Seaman m.seaman at
Sun Jul 11 07:45:02 UTC 2010

On 11/07/2010 04:04:57, Dan Langille wrote:

> That asked, I know if I move the key to the top of the
> ~/.ssh/authorized_keys file, the message is no longer logged. Further
> investigation reveals that if a line of the form:
> from="10..etc"
> appears before the key being used to log in, the message will appear.

Usually the from='' tag should be inserted at the beginning of
the line for each key it should affect.  It shouldn't do anything on a
line on its own -- in fact that should be a syntax error.  The behaviour
you're seeing sounds like something new: it isn't what sshd(8) describes

This new behaviour sounds as if it could be quite useful for easing the
management of complicated authorised_keys files, but I'd have expected
some sort of notice somewhere.  I can't see anything relevant in the
release notes for OpenSSH for versions 5.0, 5.1, 5.3, 5.3, 5.4 or 5.5
[Eg. -- 8.1-PRERELEASE has
OpenSSH 5.4p1 bundled].  Nor anything in any of the ssh(1),
ssh_config(1), sshd(8), sshd_config(8) man pages.

Maybe it's a bug, but one that has fortuitously useful effects.



Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP:     Ramsgate
JID: matthew at               Kent, CT11 9PW

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
Url :

More information about the freebsd-stable mailing list