False alert:<p>The information is wrong, and OVH was right. I hereby apologize for the mistake. See this for more details: FS#7060 — Debian: incorrect SSH authentication log. <a href="http://travaux.ovh.net/?do=details&id=7060&edit=yep" rel="nofollow">http://travaux.ovh.net/?do=details&id=7060&edit=yep</a>
I have the same trace in my logs and I disabled the key for the moment. For a quick translation because the page is in French:<p>If you have a server with OVH, they set up by default a secondary SSH key in /root/.ssh/authorized_keys2 which is allowed to access your server only from a single IPv4 and a single IPv6 address. This is to allow debugging of your server.<p>It looks like the private key has been compromised and is now used to try to access the servers from another IP. Your server will not be compromised, but for security, it is better to disable this extra key by renaming the file to "authorized_keys2.disabled".<p>You can check your logs with a grep like this:<p><pre><code> # grep "correct" /var/log/auth.log
Jul 17 21:42:49 node1 sshd[18548]: Authentication tried for root with correct \
key but not from a permitted host (host=178.63.21.XXX, ip=178.63.21.XXX).</code></pre>
It seems to be an SSH bug: <a href="http://linuxfr.org/nodes/94898/comments/1369391" rel="nofollow">http://linuxfr.org/nodes/94898/comments/1369391</a><p>If there is a "from" filter on a key, then in case of failure this message appears even if the key doesn't match.
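An added example (not from the thread and not OVH's code): a Python script that lists the from=-restricted keys in an authorized_keys-style file and counts, per source address, the sshd rejections that the grep above matches. The sample key entries, addresses and log lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# sshd message quoted in the thread (one line in the real auth.log).
REJECT_RE = re.compile(
    r"Authentication tried for (?P<user>\S+) with correct key but not from "
    r"a permitted host \(host=(?P<host>[^,]+), ip=(?P<ip>[^)]+)\)")
QUOTED = r'"(?:\\.|[^"\\])*"'   # option values may hold spaces and commas
ENTRY_RE = re.compile(rf'((?:[^\s"]|{QUOTED})+)\s+(\S+)\s+(\S+)\s*(.*)')
OPTION_RE = re.compile(rf'(?:[^,"]|{QUOTED})+')

def restricted_keys(text):
    """Return (from_patterns, key_type, comment) for each from= restricted key."""
    found = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", "ssh-", "ecdsa-", "sk-")):
            continue  # blank line, comment, or key with no options field
        entry = ENTRY_RE.match(line)
        if not entry:
            continue  # malformed entry
        options, key_type, _blob, comment = entry.groups()
        for opt in OPTION_RE.findall(options):
            name, _, value = opt.partition("=")
            if name.lower() == "from":
                found.append((value.strip('"').split(","), key_type, comment))
    return found

def rejected_sources(log_text):
    """Count logged rejections per (user, source ip)."""
    return Counter((m["user"], m["ip"]) for m in REJECT_RE.finditer(log_text))

# Constructed sample data: documentation addresses, fake key material.
SAMPLE_KEYS = '''from="192.0.2.10,2001:db8::10",no-pty ssh-rsa AAAAB3NzaEXAMPLE support@provider.example
ssh-ed25519 AAAAC3NzaEXAMPLE admin@laptop
'''
SAMPLE_LOG = '''Jul 17 21:42:49 node1 sshd[18548]: Authentication tried for root with correct key but not from a permitted host (host=203.0.113.7, ip=203.0.113.7).
Jul 17 21:43:02 node1 sshd[18561]: Authentication tried for root with correct key but not from a permitted host (host=203.0.113.7, ip=203.0.113.7).
Jul 17 21:50:11 node1 sshd[18602]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2
'''

if __name__ == "__main__":
    for patterns, key_type, comment in restricted_keys(SAMPLE_KEYS):
        print(f"{key_type} {comment}: allowed from {patterns}")
    for (user, ip), n in rejected_sources(SAMPLE_LOG).items():
        print(f"{n} rejected attempt(s) for {user} from {ip}")
```

On a real host the inputs would be the contents of /root/.ssh/authorized_keys2 and /var/log/auth.log instead of the constructed samples.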
I just fired off an e-mail to OVH to see their response (and to probably make them more aware of this).<p>OVH pre-installs a number of things by default on their Debian image, including monitoring software (it integrates into their manager) and this key.<p>The only way to make sure things like this are a non-issue is to do a clean install yourself, e.g., via debootstrap in "rescue pro mode".<p>You can then install the key on their request if required, giving you more control.