On 30.09.21 08:32, Jan Damborsky wrote:> I am now in process of preparing patch for OpenSSH 8.4p1
> to address CVE-2021-41617 (fixed in OpenSSH 8.8p1),
While I doublechecked this (with extra logging of the
AuthorizedKeysCommand), I found that the AKC seems to be run *two or
three times* for a single login:
> sshd/AKC[15524]: [REDACTED] pubkeys found for [REDACTED]
> sshd/AKC[15535]: [REDACTED] pubkeys found for [REDACTED]
> sshd[15512]: Postponed publickey for [REDACTED] from [REDACTED] port 36140
ssh2 [preauth]
> sshd/AKC[15546]: [REDACTED] pubkeys found for [REDACTED]
> sshd[15512]: Accepted publickey for [REDACTED] from [REDACTED] port 36140
ssh2: RSA SHA256:[REDACTED]
> sshd[15512]: pam_unix(sshd:session): session opened for user [REDACTED] by
(uid=0)
> sshd[15512]: session opened for local user [REDACTED] from [REDACTED]
[postauth]
> sshd[15512]: open "[REDACTED]" flags READ mode 0666 [postauth]
> sshd[15512]: close "[REDACTED]" bytes read 20256 written 0
[postauth]
> sshd[15512]: session closed for local user [REDACTED] from [REDACTED]
[postauth]
> sshd[15512]: Received disconnect from [REDACTED] port 36140:11:
disconnected by user [postauth]
> sshd[15512]: Disconnected from [REDACTED] port 36140 [postauth]
> sshd[15512]: pam_unix(sshd:session): session closed for user [REDACTED]
I realize that it *might* be necessary to run the AKC repeatedly *if*
the %f or %t tokens were used in the command line configured for it, but
I've configured it sans parameters (so %u is thrown in as the default)
and I doubt that the client has several keypairs to try, either. Is this
repeated execution the expected behavior ... ?
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3449 bytes
Desc: S/MIME Cryptographic Signature
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20210930/715cc3b6/attachment-0001.p7s>