bugzilla-daemon at mindrot.org
2013-Oct-17  18:04 UTC
[Bug 2161] New: AuthorizedKeysCommand is not executed when defined inside Match block
https://bugzilla.mindrot.org/show_bug.cgi?id=2161
            Bug ID: 2161
           Summary: AuthorizedKeysCommand is not executed when defined
                    inside Match block
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: wijet at wijet.pl
I have the following at the end of my sshd_config
Match User git
  AuthorizedKeysCommand /opt/git/authorized_keys
  AuthorizedKeysCommandUser git
When I ssh as git user I see in logs the following:
Oct 17 19:59:58 cc sshd[6136]: debug3: checking match for 'User git'
user git host X addr IP laddr IP lport 22
Oct 17 19:59:58 cc sshd[6136]: debug1: user git matched 'User git' at
line 84
Oct 17 19:59:58 cc sshd[6136]: debug3: match found
Oct 17 19:59:58 cc sshd[6136]: debug3: reprocess config:85 setting
AuthorizedKeysCommand /opt/git/authorized_keys
Oct 17 19:59:58 cc sshd[6136]: debug3: reprocess config:86 setting
AuthorizedKeysCommandUser git
but the AuthorizedKeysCommand is not invoked. When I remove Match
block, everything works as expected.
I tried to remove AuthorizedKeysCommandUser from the inside of the
block, but it doesn't help.
My SSH version is: OpenSSH_6.2p2 Debian-6, OpenSSL 1.0.1e 11 Feb 2013
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2013-Oct-18  12:43 UTC
[Bug 2161] AuthorizedKeysCommand is not executed when defined inside Match block
https://bugzilla.mindrot.org/show_bug.cgi?id=2161
--- Comment #1 from wijet at wijet.pl ---
I've noticed one more thing in logs. When AuthorizedKeysCommand is
inside the Match block I see in logs
Oct 18 14:41:49 cc sshd[27314]: error: Unsafe AuthorizedKeysCommand: /lib/x86_64-linux-gnu/security is not a regular file
bugzilla-daemon at natsu.mindrot.org
2013-Oct-23  23:27 UTC
[Bug 2161] AuthorizedKeysCommand is not executed when defined inside Match block
https://bugzilla.mindrot.org/show_bug.cgi?id=2161
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Could you please attach a full debug trace from a failing connection?
bugzilla-daemon at natsu.mindrot.org
2013-Oct-24  16:37 UTC
[Bug 2161] AuthorizedKeysCommand is not executed when defined inside Match block
https://bugzilla.mindrot.org/show_bug.cgi?id=2161
--- Comment #3 from wijet at wijet.pl ---
Here you have both logs, with Match block and without it
https://gist.github.com/wijet/50adf849f029b702ec94
bugzilla-daemon at mindrot.org
2013-Dec-05  00:52 UTC
[Bug 2161] AuthorizedKeysCommand is not executed when defined inside Match block
https://bugzilla.mindrot.org/show_bug.cgi?id=2161
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2382|                            |ok?(dtucker at zip.com.au)
              Flags|                            |
                 CC|                            |dtucker at zip.com.au
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Created attachment 2382
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2382&action=edit
Fix AuthorizedKeysCommand in Match block
Found it - this patch should fix it.
bugzilla-daemon at mindrot.org
2013-Dec-05  00:52 UTC
[Bug 2161] AuthorizedKeysCommand is not executed when defined inside Match block
https://bugzilla.mindrot.org/show_bug.cgi?id=2161
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2130
bugzilla-daemon at mindrot.org
2013-Dec-05  01:12 UTC
[Bug 2161] AuthorizedKeysCommand is not executed when defined inside Match block
https://bugzilla.mindrot.org/show_bug.cgi?id=2161
--- Comment #5 from Darren Tucker <dtucker at zip.com.au> ---
Comment on attachment 2382
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2382
Fix AuthorizedKeysCommand in Match block
I'd suggest also moving the definition of M_CP_STROPT to just before
COPY_MATCH_STRING_OPTS() which will make it harder to do the wrong
thing.
bugzilla-daemon at mindrot.org
2013-Dec-05  01:13 UTC
[Bug 2161] AuthorizedKeysCommand is not executed when defined inside Match block
https://bugzilla.mindrot.org/show_bug.cgi?id=2161
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2382|0                           |1
        is obsolete|                            |
   Attachment #2382|ok?(dtucker at zip.com.au)     |
              Flags|                            |
   Attachment #2383|                            |ok?(dtucker at zip.com.au)
              Flags|                            |
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Created attachment 2383
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2383&action=edit
Revised patch with more foolproofing
This makes it harder for the developers to make a similar mistake in
the future
bugzilla-daemon at mindrot.org
2013-Dec-05  01:15 UTC
[Bug 2161] AuthorizedKeysCommand is not executed when defined inside Match block
https://bugzilla.mindrot.org/show_bug.cgi?id=2161
Darren Tucker <dtucker at zip.com.au> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2383|ok?(dtucker at zip.com.au)     |ok+
              Flags|                            |
bugzilla-daemon at mindrot.org
2013-Dec-05  01:17 UTC
[Bug 2161] AuthorizedKeysCommand is not executed when defined inside Match block
https://bugzilla.mindrot.org/show_bug.cgi?id=2161
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
Patch is applied - this will be in openssh-6.5. Thanks!
bugzilla-daemon at mindrot.org
2015-Aug-11  13:02 UTC
[Bug 2161] AuthorizedKeysCommand is not executed when defined inside Match block
https://bugzilla.mindrot.org/show_bug.cgi?id=2161
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #8 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
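
An added example, not part of the thread and not OpenSSH code: a shell audit that lists AuthorizedKeysCommand directives placed inside Match blocks when the sshd version string is older than 6.5, the release comment #7 names for the fix. The function names and the sample config are constructed here, and treating every pre-6.5 build as unfixed is an assumption (vendor backports are not detected).

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH). Function names and the
# sample config are constructed for illustration.

# Return 0 when an "OpenSSH_X.Y..." version string is older than 6.5.
# Assumption: every pre-6.5 build lacks the fix; vendor backports are not seen.
before_6_5() {
    v=${1#OpenSSH_}
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -lt 5 ]; }
}

# Print "<line>: Match <criteria>: <command>" for every AuthorizedKeysCommand
# inside a Match block. Keywords are compared case-insensitively, the parser
# also tolerates "keyword=value", and a Match block is taken to run until the
# next Match line or end of file.
akc_in_match_blocks() {
    awk '{
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "" || line ~ /^#/) next
        kw = line;  sub(/[ \t=].*$/, "", kw); kw = tolower(kw)
        val = line; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
        if (kw == "match") { crit = val; inside = 1; next }
        if (inside && kw == "authorizedkeyscommand")
            printf "%d: Match %s: %s\n", NR, crit, val
    }' "$1"
}

# audit <version-string> <sshd_config path>: report only for pre-6.5 versions.
audit() {
    if before_6_5 "$1"; then akc_in_match_blocks "$2"; fi
}

# Constructed sample, modelled on the configuration in the report.
sample_config() {
    cat <<'EOF'
PasswordAuthentication no
Match User git
  AuthorizedKeysCommand /opt/git/authorized_keys
  AuthorizedKeysCommandUser git
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
audit "OpenSSH_6.2p2" "$tmp"
rm -f "$tmp"
```

Any line it prints is a key lookup that, going by the report, an unfixed sshd would not perform for the matched users, so those logins are worth testing before relying on the Match block.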