diff --git a/ChangeLog b/ChangeLog
index 6547f3b0f..5e84af41e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -35,6 +35,11 @@
    - stevesk@cvs.openbsd.org 2001/11/29 19:06:39
      [channels.h]
      remove dead function prototype; ok markus@
+   - markus@cvs.openbsd.org 2001/11/29 22:08:48
+     [auth-rsa.c]
+     fix protocol error: send 'failed' message instead of a 2nd challenge
+     (happens if the same key is in authorized_keys twice).
+     reported Ralf_Meister@genua.de; ok djm@
 
 20011126
  - (tim) [contrib/cygwin/README, openbsd-compat/bsd-cygwin_util.c,
@@ -6957,4 +6962,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1677 2001/12/06 16:49:57 mouring Exp $
+$Id: ChangeLog,v 1.1678 2001/12/06 17:41:25 mouring Exp $
diff --git a/auth-rsa.c b/auth-rsa.c
index 701d8bd53..61aa64349 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.44 2001/07/23 18:14:58 stevesk Exp $");
+RCSID("$OpenBSD: auth-rsa.c,v 1.45 2001/11/29 22:08:48 markus Exp $");
 
 #include <openssl/rsa.h>
 #include <openssl/md5.h>
@@ -240,7 +240,11 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 			/* Wrong response. */
 			verbose("Wrong response to RSA authentication challenge.");
 			packet_send_debug("Wrong response to RSA authentication challenge.");
-			continue;
+			/*
+			 * Break out of the loop. Otherwise we might send
+			 * another challenge and break the protocol.
+			 */
+			break;
 		}
 		/*
 		 * Correct response.  The client has been successfully