bugzilla-daemon at bugzilla.mindrot.org
2018-May-30 14:24 UTC
[Bug 2873] New: AuthorizedKeysCommand with different user prevents fetching authorized keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2873
Bug ID: 2873
Summary: AuthorizedKeysCommand with different user prevents
fetching authorized keys
Product: Portable OpenSSH
Version: 7.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Created attachment 3158
--> https://bugzilla.mindrot.org/attachment.cgi?id=3158&action=edit
make sure the cached group information belongs to the current UID
Originally filed in Red Hat bugzilla, which also provides the whole
reproducer and analysis (credits to Renaud Métrich):
https://bugzilla.redhat.com/show_bug.cgi?id=1583735
In short, the AuthorizedKeysCommandUser code caches the group list, which
is then also used for fetching the authorized keys itself, which
obviously does not work if the groups used do not overlap.
The same issue will probably exist with
AuthorizedPrincipalsCommandUser, but I do not have a reproducer for
this.
The correct solution should be checking that the cached information about
groups is for the same UID we have in the pw parameter. My proposed
solution is in the attachment.
--
You are receiving this mail because:
You are watching the assignee of the bug.
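The caching problem described in the report above, as an added model in C; it is not OpenSSH's code and not the attached patch. All function names, UIDs and GIDs are constructed for illustration: a one-slot group cache is filled for the command user first, and the login user only gets its own groups when the cache also records which UID it belongs to.

```c
#include <stdio.h>
#include <string.h>

/* Constructed accounts whose group lists do not overlap (all IDs hypothetical). */
struct acct { unsigned uid; unsigned groups[2]; };
static const struct acct accounts[] = {
    { 990,  { 990, 991 } },    /* user that runs the key-fetching command */
    { 1000, { 1000, 2000 } },  /* login user; key file is readable via gid 2000 */
};

/* One-slot cache of the last group list looked up. */
static unsigned cached_groups[2], cached_uid;
static int cache_valid;

/* Group list applied when switching to uid (NULL if unknown). check_uid = 0 reuses any
 * cached list (reported behaviour); 1 refreshes it for a different UID (proposed check). */
static const unsigned *groups_for(unsigned uid, int check_uid)
{
    if (!cache_valid || (check_uid && cached_uid != uid)) {
        size_t i, n = sizeof(accounts) / sizeof(accounts[0]);
        for (i = 0; i < n && accounts[i].uid != uid; i++)
            ;
        if (i == n)
            return NULL;
        memcpy(cached_groups, accounts[i].groups, sizeof(cached_groups));
        cached_uid = uid;
        cache_valid = 1;
    }
    return cached_groups;
}

static int has_group(unsigned uid, unsigned gid, int check_uid)
{
    const unsigned *g = groups_for(uid, check_uid);
    return g != NULL && (g[0] == gid || g[1] == gid);
}

/* The command user is switched to first, then the login user for the key file. */
int key_group_applied(int check_uid)
{
    cache_valid = 0;
    (void)has_group(990, 990, check_uid);
    return has_group(1000, 2000, check_uid);
}

int main(void)
{
    printf("no UID check: %d, UID check: %d\n", key_group_applied(0), key_group_applied(1));
    return 0;
}
```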
bugzilla-daemon at bugzilla.mindrot.org
2018-Jun-14 14:53 UTC
[Bug 2873] AuthorizedKeysCommand with different user prevents fetching authorized keys from file
https://bugzilla.mindrot.org/show_bug.cgi?id=2873
Jakub Jelen <jjelen at redhat.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|AuthorizedKeysCommand with  |AuthorizedKeysCommand with
                   |different user prevents     |different user prevents
                   |fetching authorized keys    |fetching authorized keys
                   |                            |from file
--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
ping?
bugzilla-daemon at bugzilla.mindrot.org
2018-Jun-15 03:33 UTC
[Bug 2873] AuthorizedKeysCommand with different user prevents fetching authorized keys from file
https://bugzilla.mindrot.org/show_bug.cgi?id=2873
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2852
CC| |djm at mindrot.org
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2852
[Bug 2852] Tracking bug for OpenSSH 7.8 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Jun-15 07:08 UTC
[Bug 2873] AuthorizedKeysCommand with different user prevents fetching authorized keys from file
https://bugzilla.mindrot.org/show_bug.cgi?id=2873
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Patch committed, with a couple of tweaks. Thanks!
bugzilla-daemon at mindrot.org
2021-Apr-23 05:02 UTC
[Bug 2873] AuthorizedKeysCommand with different user prevents fetching authorized keys from file
https://bugzilla.mindrot.org/show_bug.cgi?id=2873
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release