bugzilla-daemon at mindrot.org
2014-Oct-10  01:12 UTC
[Bug 2287] New: AuthorizedKeysCommandUser should have it's default documented
https://bugzilla.mindrot.org/show_bug.cgi?id=2287
            Bug ID: 2287
           Summary: AuthorizedKeysCommandUser should have it's default
                    documented
           Product: Portable OpenSSH
           Version: 6.2p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: Documentation
          Assignee: unassigned-bugs at mindrot.org
          Reporter: calestyo at scientia.net
Hi.
In sshd_config(5) AuthorizedKeysCommandUser is documented as follows:
>AuthorizedKeysCommandUser
> Specifies the user under whose account the AuthorizedKeysCommand
> is run.  It is recommended to use a dedicated user that has no
> other role on the host than running authorized keys commands.
It should have the default of this directive documented, i.e. whether
it needs to be manually set when AuthorizedKeysCommand is used, or
whether it's simply always the user under which sshd runs.
Cheers,
Chris.
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Oct-10  01:12 UTC
[Bug 2287] AuthorizedKeysCommandUser should have it's default documented
https://bugzilla.mindrot.org/show_bug.cgi?id=2287
Christoph Anton Mitterer <calestyo at scientia.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|6.2p1                       |6.7p1
bugzilla-daemon at mindrot.org
2014-Dec-11  05:25 UTC
[Bug 2287] AuthorizedKeysCommandUser should have it's default documented
https://bugzilla.mindrot.org/show_bug.cgi?id=2287
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2266
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
                 CC|                            |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
fixed:
+If no user is specified then
+.Cm AuthorizedKeysCommand
+is ignored.
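Review bot: "is ignored" on the last added line should be checked against what sshd actually does before it goes into sshd_config(5); comment #2 in this thread reports that sshd fails to start when AuthorizedKeysCommand is set and AuthorizedKeysCommandUser is unset. If that is the behaviour, state it directly (for example "If no user is specified then sshd will refuse to start") so administrators do not expect a silent fallback to authorized_keys files.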
bugzilla-daemon at mindrot.org
2014-Dec-12  02:48 UTC
[Bug 2287] AuthorizedKeysCommandUser should have it's default documented
https://bugzilla.mindrot.org/show_bug.cgi?id=2287
Christoph Anton Mitterer <calestyo at scientia.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |---
             Status|RESOLVED                    |REOPENED
--- Comment #2 from Christoph Anton Mitterer <calestyo at scientia.net> ---
Hi.
I've just tried that, and it seems it's not ignored, but sshd fails to
start, when AuthorizedKeysCommandUser is unset, while
AuthorizedKeysCommand is set.
bugzilla-daemon at mindrot.org
2014-Dec-22  08:52 UTC
[Bug 2287] AuthorizedKeysCommandUser should have it's default documented
https://bugzilla.mindrot.org/show_bug.cgi?id=2287
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|REOPENED                    |RESOLVED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
tweaked:
revision 1.186
date: 2014/12/22 08:04:23;  author: djm;  state: Exp;  lines: +8 -4; 
commitid: GUvlwbDWDq69eUhh;
correct description of what will happen when an AuthorizedKeysCommand is
specified but AuthorizedKeysCommandUser is not (sshd will refuse to
start)
bugzilla-daemon at mindrot.org
2014-Dec-23  03:39 UTC
[Bug 2287] AuthorizedKeysCommandUser should have it's default documented
https://bugzilla.mindrot.org/show_bug.cgi?id=2287
--- Comment #4 from Christoph Anton Mitterer <calestyo at scientia.net> ---
Thanks :-)
bugzilla-daemon at mindrot.org
2015-Feb-21  18:40 UTC
[Bug 2287] AuthorizedKeysCommandUser should have it's default documented
https://bugzilla.mindrot.org/show_bug.cgi?id=2287
Christoph Anton Mitterer <calestyo at scientia.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |---
             Status|RESOLVED                    |REOPENED
--- Comment #5 from Christoph Anton Mitterer <calestyo at scientia.net> ---
Hey Damien.
Let me just reopen this once more as I've discovered by chance another
unexpected behaviour by this (which might be a bug)... just have a look
and decide... and feel free to close it again.
As we found out above, having:
"AuthorizedKeysCommandUser" unset while having "AuthorizedKeysCommand"
set to anything but "none" and the daemon will not start.
Interestingly, having AuthorizedKeysCommandUser set to the empty value,
e.g.
AuthorizedKeysCommand /bin/test
AuthorizedKeysCommandUser   
and the daemon *will* actually start, but it seems that /bin/test is
nevertheless never executed.
So this is no security issue, but I guess for consistency it shouldn't
start either when AuthorizedKeysCommandUser is explicitly set to the
empty value.
Thanks,
Chris.
bugzilla-daemon at mindrot.org
2015-Mar-02  20:59 UTC
[Bug 2287] AuthorizedKeysCommandUser should have it's default documented
https://bugzilla.mindrot.org/show_bug.cgi?id=2287
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2266                        |
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
OpenSSH 6.8 is approaching release and closed for major work. Retarget
these bugs for the next release.
bugzilla-daemon at mindrot.org
2015-Mar-02  21:01 UTC
[Bug 2287] AuthorizedKeysCommandUser should have it's default documented
https://bugzilla.mindrot.org/show_bug.cgi?id=2287
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2360
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
Retarget to 6.9
bugzilla-daemon at mindrot.org
2015-May-01  03:55 UTC
[Bug 2287] AuthorizedKeysCommandUser should have it's default documented
https://bugzilla.mindrot.org/show_bug.cgi?id=2287
--- Comment #8 from Damien Miller <djm at mindrot.org> ---
I don't see how sshd can start with an empty AuthorizedKeysCommandUser:
/etc/ssh/sshd_config line 60: missing AuthorizedKeysCommandUser argument.
bugzilla-daemon at mindrot.org
2015-May-22  03:58 UTC
[Bug 2287] AuthorizedKeysCommandUser should have it's default documented
https://bugzilla.mindrot.org/show_bug.cgi?id=2287
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |WORKSFORME
bugzilla-daemon at mindrot.org
2015-Jun-01  22:43 UTC
[Bug 2287] AuthorizedKeysCommandUser should have it's default documented
https://bugzilla.mindrot.org/show_bug.cgi?id=2287
--- Comment #9 from Christoph Anton Mitterer <calestyo at scientia.net> ---
Which version did you use for testing?
I've just tried again with 6.7p1 and at least that behaves as I described
before, i.e. it starts up with empty Username.
bugzilla-daemon at mindrot.org
2015-Aug-11  13:04 UTC
[Bug 2287] AuthorizedKeysCommandUser should have it's default documented
https://bugzilla.mindrot.org/show_bug.cgi?id=2287
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #10 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1
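A pre-deployment check for the two configuration states discussed in this thread (AuthorizedKeysCommand set while AuthorizedKeysCommandUser is unset, or present with no argument), given as an added example that is not part of the bug report or of OpenSSH. The function names, finding labels and sample configs are constructed for illustration, and only the global section before the first Match block is inspected.

```python
def first_values(config_text):
    """Map lower-cased keyword -> (line number, argument) for the global section.

    sshd keeps the first value it obtains for a keyword, so later duplicates
    are ignored here too. Simplification of this example: scanning stops at
    the first Match block, so per-Match overrides are not checked.
    """
    seen = {}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        argument = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(keyword, (lineno, argument))
    return seen


def check_akc_user(config_text):
    """Return a list of (finding, line number) for the cases in this thread."""
    seen = first_values(config_text)
    cmd_line, cmd = seen.get("authorizedkeyscommand", (0, ""))
    if cmd.lower() in ("", "none"):
        return []  # no command configured, or explicitly disabled
    if "authorizedkeyscommanduser" not in seen:
        # Comment #2 / revision 1.186: sshd refuses to start in this state.
        return [("user-unset", cmd_line)]
    user_line, user = seen["authorizedkeyscommanduser"]
    if user == "":
        # Comment #5: keyword present but no argument follows it.
        return [("user-empty", user_line)]
    return []


# Constructed sample configs; /bin/test is the command used in comment #5,
# "akc-lookup" is a made-up dedicated account name.
UNSET = "Port 22\nAuthorizedKeysCommand /bin/test\n"
EMPTY = "AuthorizedKeysCommand /bin/test\nAuthorizedKeysCommandUser   \n"
DISABLED = "AuthorizedKeysCommand none\n"
GOOD = "AuthorizedKeysCommand /bin/test\nAuthorizedKeysCommandUser akc-lookup\n"

if __name__ == "__main__":
    for name, text in [("UNSET", UNSET), ("EMPTY", EMPTY),
                       ("DISABLED", DISABLED), ("GOOD", GOOD)]:
        print(name, check_akc_user(text))
```

`sshd -t` remains the authoritative check for the installed version; this script only flags the two states the thread describes so they can be caught before a config is rolled out.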