[Bug 3134] New: AuthorizedKeysCommand is not executed anymore when an AuthorizedKeysFile has a matching entry
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Wed Mar 11 23:27:26 AEDT 2020
https://bugzilla.mindrot.org/show_bug.cgi?id=3134
Bug ID: 3134
Summary: AuthorizedKeysCommand is not executed anymore when an
AuthorizedKeysFile has a matching entry
Product: Portable OpenSSH
Version: 8.1p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: ganguin at gmail.com
The documentation says:
If a key supplied by AuthorizedKeysCommand does not successfully
authenticate and authorize the user then public key authentication
continues using the usual AuthorizedKeysFile files.
Until sshd version 8.0p1 (I tested 7.6p1, 7.9p1 and 8.0p1), the
behaviour was as documented:
* Execute AuthorizedKeysCommand all the time
* Fallback to AuthorizedKeysFile if AuthorizedKeysCommand does not
successfully authenticate
However, with version 8.1p1 and newer (I tested 8.1p1, 8.2p1 and latest
github version commit 9b47bd7b09d191991ad9e0506bb66b74bbc93d34), the
order got reversed:
* Check the AuthorizedKeysFile
* Fallback to AuthorizedKeysCommand if AuthorizedKeysFile failed
As a workaround I can set AuthorizedKeysFile to none, but I lose the
fallback feature that was interesting in my use case.
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list