[Bug 2031942] [NEW] AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set

Matthew Garrett 2031942 at bugs.launchpad.net
Fri Aug 18 18:55:53 UTC 2023


Public bug reported:

Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:

                if (*activep && options->authorized_keys_command == NULL)
                        *charptr = xstrdup(str + len);

However, this is executed for both authorized_keys_command and
authorized_principals_command. As a result, if authorized_keys_command
is set (for instance, if using ec2-instance-connect), any
AuthorizedPrincipalsCommand configuration in sshd_config is ignored.
This is fixed in 9.4p1 with the attached patch.

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "fix-parsing.diff"
   https://bugs.launchpad.net/bugs/2031942/+attachment/5693081/+files/fix-parsing.diff

** Bug watch added: OpenSSH Portable Bugzilla #3574
   https://bugzilla.mindrot.org/show_bug.cgi?id=3574

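The effect described in the report, as an added C model that is not OpenSSH source and not part of the original message. The struct, function names, `fixed` flag and command paths are hypothetical, the `*activep` (Match block) test is left out, and the corrected condition (testing the field being assigned) is an assumption about the shape of the fix, since the attached patch is not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for sshd's options struct: only the two fields at issue. */
struct options {
    const char *authorized_keys_command;
    const char *authorized_principals_command;
};

/*
 * Shared handler for both keywords, modelled on the reported snippet.
 * fixed == 0 tests the keys-command field whatever the keyword (the bug);
 * fixed == 1 tests the field being assigned (assumed shape of the fix).
 * Returns 1 if stored, 0 if skipped, -1 for an unknown keyword.
 */
static int parse_line(struct options *o, const char *kw, const char *val, int fixed)
{
    const char **charptr;

    if (strcmp(kw, "AuthorizedKeysCommand") == 0)
        charptr = &o->authorized_keys_command;
    else if (strcmp(kw, "AuthorizedPrincipalsCommand") == 0)
        charptr = &o->authorized_principals_command;
    else
        return -1;
    if (fixed ? *charptr != NULL : o->authorized_keys_command != NULL)
        return 0;       /* the value on this line is dropped */
    *charptr = val;     /* sshd copies with xstrdup(); the model keeps the pointer */
    return 1;
}

/* Parse a constructed two-line config (hypothetical paths); return the principals command in effect. */
static const char *principals_after_parse(struct options *o, int fixed)
{
    memset(o, 0, sizeof(*o));
    parse_line(o, "AuthorizedKeysCommand", "/usr/local/bin/example-keys %u", fixed);
    parse_line(o, "AuthorizedPrincipalsCommand", "/usr/local/bin/example-principals %u", fixed);
    return o->authorized_principals_command;
}

int main(void)
{
    struct options o;
    const char *p = principals_after_parse(&o, 0);
    printf("buggy check: %s\n", p ? p : "(unset)");
    p = principals_after_parse(&o, 1);
    printf("fixed check: %s\n", p ? p : "(unset)");
    return 0;
}
```

In this model the buggy check only drops the principals command when the keys command was parsed first, so the outcome depends on line order. On a real host, `sshd -T` prints the effective configuration and shows which of the two commands sshd actually loaded.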