openssh bugs - Mar 2020 - [Bug 3134] New: AuthorizedKeysCommand is not executed anymore when an AuthorizedKeysFile has a matching entry

https://bugzilla.mindrot.org/show_bug.cgi?id=3134

            Bug ID: 3134
           Summary: AuthorizedKeysCommand is not executed anymore when an
                    AuthorizedKeysFile has a matching entry
           Product: Portable OpenSSH
           Version: 8.1p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: ganguin at gmail.com

The documentation says:

If a key supplied by AuthorizedKeysCommand does not successfully
authenticate and authorize the user then public key authentication
continues using the usual AuthorizedKeysFile files.

Until sshd version 8.0p1 (I tested 7.6p1, 7.9p1 and 8.0p1), the
behaviour was as documented:

* Execute AuthorizedKeysCommand all the time
* Fallback to AuthorizedKeysFile if AuthorizedKeysCommand does not
successfully authenticate

However, with version 8.1p1 and newer (I tested 8.1p1, 8.2p1 and latest
github version commit 9b47bd7b09d191991ad9e0506bb66b74bbc93d34), the
order got reversed:

* Check the AuthorizedKeysFile
* Fallback to AuthorizedKeysCommand if AuthorizedKeysFile failed

As a workaround I can set AuthorizedKeysFile to none, but I lose the
fallback feature that was interesting in my use case.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3134

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
             Blocks|                            |3117
         Resolution|---                         |FIXED

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Thanks for letting us know - the change of order was intentional, but
the documentation wasn't updated to reflect it. I have fixed
sshd_config.5 to match what is actually implemented.


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3117
[Bug 3117] Tracking bug for 8.3 release
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3134

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3134

Ahmed Sayeed <ahmedsayeed1982 at yahoo.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ahmedsayeed1982 at yahoo.com

--- Comment #3 from Ahmed Sayeed <ahmedsayeed1982 at yahoo.com> ---
It does not happen on every run. My MWE:
``` http://www-look-4.com/tech/honor-magicbook/
// test.cpp
#include<iostream>

int main() https://komiya-dental.com/property/google-android/
{
    int a{ 4 };

    std::cout << "a = " << a << '\n';
http://www.iu-bloomington.com/property/properties-in-turkey/
    return 0;
}
```
Simply running the program under GDB yields:
``` https://waytowhatsnext.com/property/disney-at-home/
(gdb) r
Starting program: test-gdb/a.out
[New Thread 0x1a03 of process 24826]
[New Thread 0x1b03 of process 24826]
http://www.wearelondonmade.com/technology/van-technology/
warning: unhandled dyld version (17)
a = 4
[Inferior 1 (process 24826) exited normally]
``` http://www.jopspeech.com/technology/thunderbolt-4/
However, setting breakpoints triggers it:
```
(gdb) b main http://joerg.li/technology/b-class-cars/
Breakpoint 1 at 0x100003e57: file test.cpp, line 5.
(gdb) r
Starting program: test-gdb/a.out
[New Thread 0x2403 of process 24836]
http://connstr.net/technology/nasa-latest/
[New Thread 0x2203 of process 24836]
warning: unhandled dyld version (17)
http://embermanchester.uk/tech/google-drive/
Thread 2 hit Breakpoint 1, main () at test.cpp:5
5           int a{ 4 };
(gdb) r http://www.slipstone.co.uk/technology/cars-interior/
The program being debugged has been started already.
Start it from the beginning? (y or n) n
Program not restarted.
http://www.logoarts.co.uk/technology/robot-vacuums/
(gdb) q
A debugging session is active.

        Inferior 1 [process 24836] will be killed.
http://www.acpirateradio.co.uk/technology/global-warming/

Quit anyway? (y or n) y
../../gdb/target.c:2149: internal-error: void
target_mourn_inferior(ptid_t): Assertion `ptid == inferior_ptid'
failed. http://www.compilatori.com/technology/download-videos/
A problem internal to GDB has been detected,
further debugging may prove unreliable.
https://www.webb-dev.co.uk/services/vaccine-services/
Quit this debugging session? (y or n) y

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.