[Bug 3685] New: Putting `RevokedKeys none` inside a `Match` block causes SSHD to try to load a file named 'none'

bugzilla-daemon at mindrot.org
Tue Apr 30 15:44:08 AEST 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3685

            Bug ID: 3685
           Summary: Putting `RevokedKeys none` inside a `Match` block
                    causes SSHD to try to load a file named 'none'
           Product: Portable OpenSSH
           Version: 8.8p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: macdjord at gmail.com

I was writing an sshd_config file for a system. This config was
structured as a bunch of Match blocks at the top for user-specific
configuration, followed by a Match All block holding the default global
config values. When I added 'RevokedKeys none' to this global block, I
found I could no longer connect to the system; my public key was being
refused.

Running `sshd -d`, I found the following lines in the output:

debug1: authentication methods list 0: publickey
debug1: authentication methods list 0: publickey [preauth]
debug1: userauth-request for user sentinel_ssh_in service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth_pubkey: test pkalg ssh-ed25519 pkblob ED25519 SHA256:coriOlC6KSPHrOzztaA7uICVGdZA+RqUeKZAGWlXCT8 [preauth]
Error checking authentication key ED25519 SHA256:coriOlC6KSPHrOzztaA7uICVGdZA+RqUeKZAGWlXCT8 in revoked keys file none: No such file or directory
Failed publickey for sentinel_ssh_in from 172.23.0.4 port 60768 ssh2: ED25519 SHA256:coriOlC6KSPHrOzztaA7uICVGdZA+RqUeKZAGWlXCT8

It appears that, while the `sshd_config` documentation says that
'RevokedKeys none' is used to indicate no revoked keys file exists,
SSHD is instead interpreting it to mean that a revoked keys file named
'none' should be loaded - and then rejecting all keys when it finds
that no such file exists.

Curiously, this happens ONLY if 'RevokedKeys none' is inside a Match
block. If I move it to the global options section before the first
Match block in the file, SSHD correctly does not try to load any file.
