openssh bugs - May 2023 - [Bug 3574] New: ssh ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand is also set

https://bugzilla.mindrot.org/show_bug.cgi?id=3574

            Bug ID: 3574
           Summary: ssh ignores AuthorizedPrincipalsCommand if
                    AuthorizedKeysCommand is also set
           Product: Portable OpenSSH
           Version: 9.3p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: code at themeyers.us

In OpenBSD Commit ID 9c4305631d20c2d194661504ce11e1f68b20d93e
sshd_config parser was switched to a newer tokanizer.  As a result of
this, a new bug was introduced that causes the parser to ignore
AuthorizedPrincipalsCommand if AuthorizedKeysCommand is also set.

To Reproduce
Set AuthorizedPrincipalsCommand and AuthorizedPrincipalsCommandUser to
a valid value in sshd_config.
Set AuthorizedKeysCommand and AuthorizedKeysCommandUser to a valid
value.  Suggest using a script that will touch a file to prove it was
executed.
Reload sshd and login.
AuthprizedKeysCommand will not be executed.
Remove AuthorizedKeysCommand from the sshd_config and it will work.

Suggested patch is attached.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3574

--- Comment #1 from John Meyers <code at themeyers.us> ---
Created attachment 3698
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3698&action=edit
Suggested fix

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3574

John Meyers <code at themeyers.us> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |code at themeyers.us

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3574

John Meyers <code at themeyers.us> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|ssh ignores                 |sshd ignores
                   |AuthorizedPrincipalsCommand |AuthorizedPrincipalsCommand
                   |if AuthorizedKeysCommand is |if AuthorizedKeysCommand is
                   |also set                    |also set

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3574

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3698|0                           |1
        is obsolete|                            |
                 CC|                            |djm at mindrot.org,
                   |                            |dtucker at dtucker.net
             Status|NEW                         |ASSIGNED
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
   Attachment #3699|                            |ok?(dtucker at dtucker.net)
              Flags|                            |

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 3699
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3699&action=edit
minimal fix

I think this should fix it without adding additional code.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3574

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3699|ok?(dtucker at dtucker.net)    |ok+
              Flags|                            |

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3574

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Blocks|                            |3549
             Status|ASSIGNED                    |RESOLVED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
committed as fcd78e31 and will be in the 9.4 release, due in a few
months. Thanks!


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3549
[Bug 3549] Tracking bug for OpenSSH 9.4
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.