Authenticate against key files before AuthorizedKeysCommand
Damien Miller
djm at mindrot.org
Tue May 21 11:43:11 AEST 2019
On Mon, 20 May 2019, Andrei Gherzan wrote:
> Hello,
>
> Currently OpenSSH has a fixed order on how the key authenticates the
> user: at first it tries to authenticate against TrustedUserCAKeys,
> afterwards it does it against the output keys from the
> AuthorizedKeysCommand and finally against the files as set in
> AuthorizedKeysFile. I have a use case where this order is not ideal.
> This is because in my case the command fetches keys from the cloud, which,
> due to connectivity issues (and whatnot), might time out, and the fallback
> to the auth keys file will only happen after this timeout. In my case,
> checking it first and only falling back to the cloud keys would help. This
> would make the cloud keys the fallback, which, even if it times out,
> is fine because there is no other fallback afterwards (existing public
> keys would have been tried).
>
> Do you think such a feature would make sense? If yes, how would you
> recommend going about it? I was thinking of having a priority
> configuration variable of some sort that would decide the order I'm
> mentioning above or even a simple configuration flag like
> AuthorizedKeysCommandBeforeFile (default to true). I'm willing to send a
> patch if this is considered upstreamable.
Maybe it makes sense to just prefer the static files to the command under
all circumstances? This is already what we do for authorized_principals
and IMO it makes the most sense.
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index ec1cdb9..cdf20da 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1023,16 +1023,6 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
auth_key_is_revoked(key->cert->signature_key))
return 0;
- if ((success = user_cert_trusted_ca(ssh, pw, key, &opts)) != 0)
- goto out;
- sshauthopt_free(opts);
- opts = NULL;
-
- if ((success = user_key_command_allowed2(ssh, pw, key, &opts)) != 0)
- goto out;
- sshauthopt_free(opts);
- opts = NULL;
-
for (i = 0; !success && i < options.num_authkeys_files; i++) {
if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
continue;
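Review bot: removing the TrustedUserCAKeys and AuthorizedKeysCommand checks from ahead of the AuthorizedKeysFile loop reverses the lookup order the quoted mail describes, but the patch as posted carries no commit message and no matching change to the sshd_config(5) text for AuthorizedKeysCommand and TrustedUserCAKeys; please add both so administrators who depend on the command being consulted before the files can see the change. The retained context line `for (i = 0; !success && i < options.num_authkeys_files; i++)` shows the file loop now runs first with `success` still at its initial value, which is the intended effect of this hunk.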
@@ -1042,6 +1032,16 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
free(file);
}
+ if ((success = user_cert_trusted_ca(ssh, pw, key, &opts)) != 0)
+ goto out;
+ sshauthopt_free(opts);
+ opts = NULL;
+
+ if ((success = user_key_command_allowed2(ssh, pw, key, &opts)) != 0)
+ goto out;
+ sshauthopt_free(opts);
+ opts = NULL;
+
out:
if (success && authoptsp != NULL) {
*authoptsp = opts;
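Review bot: the moved checks in this hunk run unconditionally after the AuthorizedKeysFile loop, so a successful file match is discarded. The loop is guarded by `!success`, but the inserted line `+ if ((success = user_cert_trusted_ca(ssh, pw, key, &opts)) != 0)` overwrites `success` (the `!= 0` test shows the function returns 0 when it does not accept the key), and the following `+ sshauthopt_free(opts);` / `+ opts = NULL;` frees the options the file loop returned; if the command check then also returns 0, control reaches `out:` with `success == 0` and the login fails even though a file key matched. Add `if (success) goto out;` immediately after the loop's closing `}`, or guard each moved call with `!success &&`, so the CA and command checks only run when no file matched.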
More information about the openssh-unix-dev mailing list