[Bug 3134] New: AuthorizedKeysCommand is not executed anymore when an AuthorizedKeysFile has a matching entry

bugzilla-daemon Wed, 11 Mar 2020 05:29:11 -0700

https://bugzilla.mindrot.org/show_bug.cgi?id=3134


            Bug ID: 3134
           Summary: AuthorizedKeysCommand is not executed anymore when an
                    AuthorizedKeysFile has a matching entry
           Product: Portable OpenSSH
           Version: 8.1p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: sshd
          Assignee: [email protected]
          Reporter: [email protected]

The documentation says:

If a key supplied by AuthorizedKeysCommand does not successfully
authenticate and authorize the user then public key authentication
continues using the usual AuthorizedKeysFile files.

Until sshd version 8.0p1 (I tested 7.6p1, 7.9p1 and 8.0p1), the
behaviour was as documented:

* Execute AuthorizedKeysCommand all the time
* Fallback to AuthorizedKeysFile if AuthorizedKeysCommand does not
successfully authenticate

However, with version 8.1p1 and newer (I tested 8.1p1, 8.2p1 and latest
github version commit 9b47bd7b09d191991ad9e0506bb66b74bbc93d34), the
order got reversed:

* Check the AuthorizedKeysFile
* Fallback to AuthorizedKeysCommand if AuthorizedKeysFile failed

As a workaround I can set AuthorizedKeysFile to none, but I lose the
fallback feature that was interesting in my use case.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 3134] New: AuthorizedKeysCommand is not executed anymore when an AuthorizedKeysFile has a matching entry

Reply via email to