[Bug 3817] New: Replace debug2 "advance:" with "keytype, base64-encoded key not found:"

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Apr 22 07:39:28 AEST 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3817

            Bug ID: 3817
           Summary: Replace debug2 "advance:" with "keytype,
                    base64-encoded key not found:"
           Product: Portable OpenSSH
           Version: 10.0p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: tom at hale.ee

The debug2 "advance:" log message is confusing: it doesn't indicate
that sshd was actually expecting to see {keytype, base64-encoded} in
the string that follows.

I spent over an hour debugging to finally uncover that, as the
manual says:
> The options (if present) consist of comma-separated option specifications. No spaces are permitted, except within double quotes.

Here are 3 contiguous lines from a "LogLevel DEBUG3" log, and how I
interpreted them:

Apr 22 06:49:45 nas sshd[503091]: debug2:
/root/.ssh/authorized_keys:10: check options:
'from="*.d.hale.ee,100.64.0.0/10,10.181.0.0/16"
command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --log
--target",restrict ssh-ed25519 AAAAAAAAREDACTED btrbk off-site archives
2025-04-21\n'

Me: 'Okay, we read in line 10, and I'm seeing what was read in. All
good.'

Apr 22 06:49:45 nas sshd[503091]: debug2:
/root/.ssh/authorized_keys:10: advance:
'command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --log
--target",restrict ssh-ed25519 AAAAREDACTED btrbk off-site archives
2025-04-21\n'

Me: 'The "from=" filter has been removed, so that must be all ok. We
are advancing to check the "command=" part'

Apr 22 06:49:45 nas sshd[503091]: debug1: restore_uid: 0/0

Me: 'Hmm, the "command=" failed.  I need to debug the filter script'

But no.  Actually, "advance:" means:
"keytype, base64-encoded key not found: <string>"

Would a pull request for such likely be accepted?


### Extra info:
Version: OpenSSH_9.6p1, OpenSSL 3.2.1 30 Jan 2024

Relevant code:
https://github.com/openssh/openssh-portable/blob/b5b405fee7f3e79d44e2d2971a4b6b4cc53f112e/auth2-pubkeyfile.c#L294-L298

                if (sshkey_read(found, &cp) != 0) {
                        /* still no key?  advance to next line*/
                        debug2("%s: advance: '%s'", loc, cp);
                        goto out;
                }

I note in the same file as above, a few lines up, at line 283:

    /* XXX djm: peek at key type in line and skip if unwanted */

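The parse sequence the report describes (try a key, else scan options up to the first unquoted whitespace, then try a key again, and skip the line with "advance" if that also fails) as an added example in Python. This is a toy model written for this page, not OpenSSH's code: the set of accepted key types, the `check_line`/`advance_past_options`/`read_key` names and the two sample authorized_keys lines (whose base64 blob is just the bytes of the word "constructed", not a real key) are all assumptions made for illustration. It reproduces the reporter's case: a space instead of a comma between `from=` and `command=` ends the option list early, so the key read is attempted on `command=...` and fails.

```python
"""Toy model of how sshd scans one authorized_keys line (added example,
not OpenSSH code). A key is tried first; if that fails, options are
scanned up to the first whitespace outside double quotes and a key is
tried again. If that second read fails, the line is skipped ("advance")."""
import base64
import binascii

# Assumed subset of key types; real sshd consults its own key-type table.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "sk-ssh-ed25519@openssh.com"}


def advance_past_options(text):
    """Return (options, rest), or None if a double-quoted string is
    unterminated. Whitespace ends the option list unless it is inside
    double quotes; a backslash inside quotes escapes the next character."""
    i, n, in_quotes = 0, len(text), False
    while i < n:
        c = text[i]
        if in_quotes:
            if c == "\\" and i + 1 < n:
                i += 1                      # skip the escaped character
            elif c == '"':
                in_quotes = False
        elif c == '"':
            in_quotes = True
        elif c in " \t":
            break                           # first unquoted whitespace
        i += 1
    if in_quotes:
        return None
    return text[:i], text[i:].lstrip(" \t")


def read_key(text):
    """Model of sshkey_read(): expects '<keytype> <base64 blob>[ comment]'."""
    parts = text.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except binascii.Error:
        return None
    comment = parts[2] if len(parts) > 2 else ""
    return parts[0], blob, comment


def check_line(line, loc="authorized_keys:1"):
    """Return (status, debug_messages, key); status is 'ok',
    'advance' (line skipped) or 'invalid options'."""
    msgs = []
    cp = line.rstrip("\n").lstrip(" \t")
    key = read_key(cp)
    if key is None:
        msgs.append(f"{loc}: check options: '{cp}'")
        split = advance_past_options(cp)
        if split is None:
            return "invalid options", msgs, None
        opts, cp = split
        key = read_key(cp)
        if key is None:
            # The branch from the report: "advance" means no
            # '<keytype> <base64>' was found where the key was expected.
            msgs.append(f"{loc}: advance: '{cp}'")
            return "advance", msgs, None
        msgs.append(f"{loc}: options: '{opts}'")
    return "ok", msgs, key


# Constructed sample lines; BLOB is base64 of b"constructed", not a real key.
BLOB = "Y29uc3RydWN0ZWQ="
# Space between the from= and command= options, as in the bug report.
BAD_LINE = ('from="*.d.hale.ee,100.64.0.0/10" '
            f'command="/usr/local/bin/filter --log --target",restrict '
            f'ssh-ed25519 {BLOB} btrbk\n')
# Same line with the comma the manual requires.
GOOD_LINE = ('from="*.d.hale.ee,100.64.0.0/10",'
             f'command="/usr/local/bin/filter --log --target",restrict '
             f'ssh-ed25519 {BLOB} btrbk\n')

if __name__ == "__main__":
    for name, line in (("bad", BAD_LINE), ("good", GOOD_LINE)):
        status, msgs, key = check_line(line, "/root/.ssh/authorized_keys:10")
        print(name, "->", status, key[0] if key else "")
        for m in msgs:
            print("  debug2:", m)
```

Running it prints a "check options" line followed by an "advance" line for the bad input, mirroring the two debug2 messages in the report, and "ok ssh-ed25519" for the corrected line. The `in_quotes` check at the end is the analogue of the "invalid key option string" failure, which is a separate outcome from "advance".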