Multiple AuthorizedKeysCommand Executions

Jochen Bern Jochen.Bern at
Thu Sep 30 21:25:02 AEST 2021

On 30.09.21 08:32, Jan Damborsky wrote:
> I am now in the process of preparing a patch for OpenSSH 8.4p1
> to address CVE-2021-41617 (fixed in OpenSSH 8.8p1),

While I double-checked this (with extra logging of the
AuthorizedKeysCommand), I found that the AKC seems to be run *two or
three times* for a single login:

> sshd/AKC[15524]: [REDACTED] pubkeys found for [REDACTED]
> sshd/AKC[15535]: [REDACTED] pubkeys found for [REDACTED]
> sshd[15512]: Postponed publickey for [REDACTED] from [REDACTED] port 36140 ssh2 [preauth]
> sshd/AKC[15546]: [REDACTED] pubkeys found for [REDACTED]
> sshd[15512]: Accepted publickey for [REDACTED] from [REDACTED] port 36140 ssh2: RSA SHA256:[REDACTED]
> sshd[15512]: pam_unix(sshd:session): session opened for user [REDACTED] by (uid=0)
> sshd[15512]: session opened for local user [REDACTED] from [REDACTED] [postauth]
> sshd[15512]: open "[REDACTED]" flags READ mode 0666 [postauth]
> sshd[15512]: close "[REDACTED]" bytes read 20256 written 0 [postauth]
> sshd[15512]: session closed for local user [REDACTED] from [REDACTED] [postauth]
> sshd[15512]: Received disconnect from [REDACTED] port 36140:11: disconnected by user [postauth]
> sshd[15512]: Disconnected from [REDACTED] port 36140 [postauth]
> sshd[15512]: pam_unix(sshd:session): session closed for user [REDACTED]

I realize that it *might* be necessary to run the AKC repeatedly *if* 
the %f or %t tokens were used in the command line configured for it, but 
I've configured it sans parameters (so %u is thrown in as the default) 
and I doubt that the client has several keypairs to try, either. Is this 
repeated execution the expected behavior ... ?

Kind regards,
Jochen Bern

Binect GmbH
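
An added example, not part of the original message: a short Python script that counts how many `sshd/AKC` log lines precede each `Accepted publickey` line, the measurement the log excerpt above was read for. It assumes the custom AKC log line ends with the user name (the original is redacted), attributes AKC runs to a login by user name because the AKC lines carry no sshd PID, and runs on constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format shown in the message; user names,
# addresses and key counts are invented, since the original log is redacted.
SAMPLE_LOG = """\
sshd/AKC[15524]: 2 pubkeys found for alice
sshd/AKC[15535]: 2 pubkeys found for alice
sshd[15512]: Postponed publickey for alice from 192.0.2.10 port 36140 ssh2 [preauth]
sshd/AKC[15546]: 2 pubkeys found for alice
sshd[15512]: Accepted publickey for alice from 192.0.2.10 port 36140 ssh2: RSA SHA256:EXAMPLE
sshd/AKC[15601]: 1 pubkeys found for bob
sshd[15590]: Connection closed by authenticating user bob 192.0.2.11 port 40022 [preauth]
sshd/AKC[15702]: 1 pubkeys found for bob
sshd[15700]: Accepted publickey for bob from 192.0.2.11 port 40100 ssh2: ED25519 SHA256:EXAMPLE
"""

# Assumption: the last field of the custom AKC log line is the user name.
AKC_RE = re.compile(r"sshd/AKC\[(\d+)\]: \S+ pubkeys found for (\S+)")
ACCEPT_RE = re.compile(r"sshd\[(\d+)\]: Accepted publickey for (\S+) from (\S+) port (\d+)")
CLOSED_RE = re.compile(
    r"sshd\[\d+\]: (?:Connection closed|Disconnected) .*user (\S+) .*\[preauth\]")


def akc_runs_per_login(log_text):
    """Return [(sshd_pid, user, akc_pids)] for each accepted publickey login."""
    pending = defaultdict(list)  # user -> AKC PIDs seen since the last login/abort
    logins = []
    for line in log_text.splitlines():
        if m := AKC_RE.search(line):
            pending[m.group(2)].append(int(m.group(1)))
        elif m := ACCEPT_RE.search(line):
            # Heuristic: every pending AKC run for this user belongs to this login.
            logins.append((int(m.group(1)), m.group(2), pending.pop(m.group(2), [])))
        elif m := CLOSED_RE.search(line):
            pending.pop(m.group(1), None)  # failed attempt: do not carry its runs over
    return logins


if __name__ == "__main__":
    for pid, user, akc in akc_runs_per_login(SAMPLE_LOG):
        print(f"sshd[{pid}] {user}: {len(akc)} AKC run(s), PIDs {akc}")
```

Concurrent logins by the same user are merged by this heuristic, so the counts are only reliable on a quiet test host.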

More information about the openssh-unix-dev mailing list