bugzilla-daemon at mindrot.org
2024-Apr-30 05:44 UTC
[Bug 3685] New: Putting `RevokedKeys none` inside a `Match` block causes SSHD to try to load a file named 'none'
https://bugzilla.mindrot.org/show_bug.cgi?id=3685

            Bug ID: 3685
           Summary: Putting `RevokedKeys none` inside a `Match` block causes
                    SSHD to try to load a file named 'none'
           Product: Portable OpenSSH
           Version: 8.8p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: macdjord at gmail.com

I was writing an sshd_config file for a system. This config was structured as a bunch of Match blocks at the top for user-specific configuration, followed by a Match All block holding the default global config values. When I added 'RevokedKeys none' to this global block, I found I could no longer connect to the system; my public key was being refused. Running `sshd -d`, I found the following lines in the output:

    debug1: authentication methods list 0: publickey
    debug1: authentication methods list 0: publickey [preauth]
    debug1: userauth-request for user sentinel_ssh_in service ssh-connection method publickey [preauth]
    debug1: attempt 1 failures 0 [preauth]
    debug1: userauth_pubkey: test pkalg ssh-ed25519 pkblob ED25519 SHA256:coriOlC6KSPHrOzztaA7uICVGdZA+RqUeKZAGWlXCT8 [preauth]
    Error checking authentication key ED25519 SHA256:coriOlC6KSPHrOzztaA7uICVGdZA+RqUeKZAGWlXCT8 in revoked keys file none: No such file or directory
    Failed publickey for sentinel_ssh_in from 172.23.0.4 port 60768 ssh2: ED25519 SHA256:coriOlC6KSPHrOzztaA7uICVGdZA+RqUeKZAGWlXCT8

It appears that, while the `sshd_config` documentation says that 'RevokedKeys none' is used to indicate no revoked keys file exists, SSHD is instead interpreting it to mean that a revoked keys file named 'none' should be loaded - and then rejecting all keys when it finds that no such file exists.

Curiously, this happens ONLY if 'RevokedKeys none' is inside a Match block. If I move it to the global options section before the first Match block in the file, SSHD correctly does not try to load any file.
-- You are receiving this mail because: You are watching the assignee of the bug.
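A configuration check for the situation reported above, added here as an example and not part of the original report or of OpenSSH: it scans sshd_config text and flags every `RevokedKeys none` that appears after a `Match` line, which is where the report says public-key authentication starts failing. The function name and the sample config are constructed for illustration; `Include` files are not followed, and matching `none` case-insensitively is a conservative choice of this check.

```python
import re
import shlex

# Keyword, then either whitespace or '=', then the argument text.
_LINE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")


def revokedkeys_none_in_match(config_text):
    """Return [(line_number, match_criteria)] for 'RevokedKeys none' inside Match blocks."""
    findings = []
    match_criteria = None  # None while still in the global section
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        keyword, rest = m.group(1).lower(), m.group(2)  # keywords are case-insensitive
        try:
            args = shlex.split(rest, comments=True)  # strips quotes and trailing comments
        except ValueError:  # unbalanced quote: fall back to plain splitting
            args = rest.split()
        if keyword == "match":
            # A Match block runs until the next Match line or end of file.
            match_criteria = " ".join(args)
        elif keyword == "revokedkeys" and match_criteria is not None:
            if args and args[0].lower() == "none":
                findings.append((lineno, match_criteria))
    return findings


# Constructed sample: the global 'RevokedKeys none' is fine, the one in 'Match All' is flagged.
SAMPLE = """\
# constructed sample config
RevokedKeys none
Match User alice
    PasswordAuthentication no
Match All
    RevokedKeys none
    X11Forwarding no
"""

if __name__ == "__main__":
    for lineno, criteria in revokedkeys_none_in_match(SAMPLE):
        print(f"line {lineno}: 'RevokedKeys none' inside 'Match {criteria}'")
```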
bugzilla-daemon at mindrot.org
2024-Apr-30 05:44 UTC
[Bug 3685] Putting `RevokedKeys none` inside a `Match` block causes SSHD to try to load a file named 'none'
https://bugzilla.mindrot.org/show_bug.cgi?id=3685

Jordan Macdonald <macdjord at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |macdjord at gmail.com