[Bug 3134] New: AuthorizedKeysCommand is not executed anymore when an AuthorizedKeysFile has a matching entry

bugzilla-daemon at bugzilla.mindrot.org
Wed Mar 11 23:27:26 AEDT 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3134

            Bug ID: 3134
           Summary: AuthorizedKeysCommand is not executed anymore when an
                    AuthorizedKeysFile has a matching entry
           Product: Portable OpenSSH
           Version: 8.1p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: ganguin at gmail.com

The documentation says:

If a key supplied by AuthorizedKeysCommand does not successfully
authenticate and authorize the user then public key authentication
continues using the usual AuthorizedKeysFile files.

Until sshd version 8.0p1 (I tested 7.6p1, 7.9p1 and 8.0p1), the
behaviour was as documented:

* Execute AuthorizedKeysCommand all the time
* Fall back to AuthorizedKeysFile if AuthorizedKeysCommand does not
  successfully authenticate

However, with version 8.1p1 and newer (I tested 8.1p1, 8.2p1 and the
latest GitHub version, commit 9b47bd7b09d191991ad9e0506bb66b74bbc93d34),
the order got reversed:

* Check the AuthorizedKeysFile
* Fall back to AuthorizedKeysCommand if AuthorizedKeysFile failed

As a workaround I can set AuthorizedKeysFile to none, but I lose the
fallback feature that was interesting in my use case.


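An added example, not part of the report and not OpenSSH code: given `sshd -T` style output, it lists the key files that hold entries for each user while an AuthorizedKeysCommand is also configured, which are the places where the 8.1p1+ order described above would let a file entry match before the command runs. The sample configuration, the command path `/usr/local/bin/fetch-keys` and all function names are constructed for illustration; only the `%%`, `%h` and `%u` tokens are expanded.

```python
import os
import re

# Constructed sample of `sshd -T` output (it prints keywords in lower case).
# The command path is a hypothetical placeholder.
SAMPLE_SSHD_T = """\
port 22
authorizedkeyscommand /usr/local/bin/fetch-keys %u
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
"""

def parse_sshd_t(text):
    """Return {keyword: value} from `sshd -T` style output."""
    conf = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            conf[key.lower()] = value.strip()
    return conf

def expand(pattern, user, home):
    """Expand the %%, %h and %u tokens; a relative result is under home."""
    table = {"%": "%", "h": home, "u": user}
    path = re.sub(r"%(.)", lambda m: table.get(m.group(1), m.group(0)), pattern)
    return path if os.path.isabs(path) else os.path.join(home, path)

def count_keys(path):
    """Count non-blank, non-comment lines (one key entry per line)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return sum(1 for ln in fh if ln.strip() and not ln.lstrip().startswith("#"))
    except OSError:
        return 0  # a missing or unreadable file contributes no entries

def file_entries(conf, users):
    """users maps name -> home directory. Returns [(user, path, n_keys)] for
    every key file that holds entries while a command is also configured."""
    command = conf.get("authorizedkeyscommand", "none")
    files = conf.get("authorizedkeysfile", "none")
    if "none" in (command.lower(), files.lower()):
        return []  # no command, or the AuthorizedKeysFile none workaround
    hits = []
    for user, home in sorted(users.items()):
        for pattern in files.split():
            path = expand(pattern, user, home)
            n = count_keys(path)
            if n:
                hits.append((user, path, n))
    return hits
```

On a real host the text would come from running `sshd -T` as root and the user map from the password database.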
