Bug 2161 - AuthorizedKeysCommand is not executed when defined inside Match block
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: All Linux
Importance: P5 normal
Assignee: Damien Miller
Blocks: V_6_5
Reported: 2013-10-18 05:04 AEDT by wijet
Modified: 2015-08-11 23:02 AEST

Attachments
Fix AuthorizedKeysCommand in Match block (1.35 KB, patch)
2013-12-05 11:52 AEDT, Damien Miller
Revised patch with more foolproofing (2.87 KB, patch)
2013-12-05 12:13 AEDT, Damien Miller
dtucker: ok+

Description wijet 2013-10-18 05:04:25 AEDT
I have the following at the end of my sshd_config

Match User git
  AuthorizedKeysCommand /opt/git/authorized_keys
  AuthorizedKeysCommandUser git

When I ssh as git user I see in logs the following:

Oct 17 19:59:58 cc sshd[6136]: debug3: checking match for 'User git' user git host X addr IP laddr IP lport 22
Oct 17 19:59:58 cc sshd[6136]: debug1: user git matched 'User git' at line 84
Oct 17 19:59:58 cc sshd[6136]: debug3: match found
Oct 17 19:59:58 cc sshd[6136]: debug3: reprocess config:85 setting AuthorizedKeysCommand /opt/git/authorized_keys
Oct 17 19:59:58 cc sshd[6136]: debug3: reprocess config:86 setting AuthorizedKeysCommandUser git

but the AuthorizedKeysCommand is not invoked. When I remove Match block, everything works as expected.
I tried to remove AuthorizedKeysCommandUser from the inside of the block, but it doesn't help.

My SSH version is: OpenSSH_6.2p2 Debian-6, OpenSSL 1.0.1e 11 Feb 2013
Comment 1 wijet 2013-10-18 23:43:17 AEDT
I've noticed one more thing in logs. When AuthorizedKeysCommand is inside the Match block I see in logs

Oct 18 14:41:49 cc sshd[27314]: error: Unsafe AuthorizedKeysCommand: /lib/x86_64-linux-gnu/security is not a regular file
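
The symptom reported in Comment 1, where the safety check names a path other than the one the Match block set, can be searched for in debug-level sshd logs. The following is an added example, not part of the original report or of OpenSSH; the sample log is constructed from the two excerpts above, and it assumes both messages are logged under the same sshd PID.

```python
import re

# Constructed sample modelled on the log excerpts in this report. The second
# session (PID 27401) is invented: there the checked path equals the set path.
SAMPLE_LOG = """\
Oct 18 14:41:49 cc sshd[27314]: debug1: user git matched 'User git' at line 84
Oct 18 14:41:49 cc sshd[27314]: debug3: reprocess config:85 setting AuthorizedKeysCommand /opt/git/authorized_keys
Oct 18 14:41:49 cc sshd[27314]: debug3: reprocess config:86 setting AuthorizedKeysCommandUser git
Oct 18 14:41:49 cc sshd[27314]: error: Unsafe AuthorizedKeysCommand: /lib/x86_64-linux-gnu/security is not a regular file
Oct 18 14:52:03 cc sshd[27401]: debug3: reprocess config:85 setting AuthorizedKeysCommand /opt/git/authorized_keys
Oct 18 14:52:03 cc sshd[27401]: error: Unsafe AuthorizedKeysCommand: /opt/git/authorized_keys is not a regular file
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Whitespace after the keyword keeps AuthorizedKeysCommandUser from matching.
SET_CMD = re.compile(r"reprocess config:\d+ setting AuthorizedKeysCommand\s+(?P<path>\S+)")
UNSAFE = re.compile(r"error: Unsafe AuthorizedKeysCommand: (?P<path>\S+) is not a regular file")


def find_command_mismatches(log_text):
    """Return (pid, configured_path, checked_path) for each sshd process whose
    safety check named a path other than the one the Match block set."""
    configured = {}  # pid -> path from the most recent reprocess line
    findings = []
    for raw in log_text.splitlines():
        line = LINE.search(raw)
        if not line:
            continue
        pid, msg = line["pid"], line["msg"]
        m = SET_CMD.search(msg)
        if m:
            configured[pid] = m["path"]
            continue
        m = UNSAFE.search(msg)
        if m and pid in configured and m["path"] != configured[pid]:
            findings.append((pid, configured[pid], m["path"]))
    return findings


if __name__ == "__main__":
    for pid, want, got in find_command_mismatches(SAMPLE_LOG):
        print(f"sshd[{pid}]: Match block set {want!r} but sshd checked {got!r}")
```

A session where the checked path equals the configured one, as in the second constructed PID, is not flagged, since the log then names the path the Match block set.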
Comment 2 Damien Miller 2013-10-24 10:27:06 AEDT
Could you please attach a full debug trace from a failing connection?
Comment 3 wijet 2013-10-25 03:37:49 AEDT
Here you have both logs, with Match block and without it

https://gist.github.com/wijet/50adf849f029b702ec94
Comment 4 Damien Miller 2013-12-05 11:52:22 AEDT
Created attachment 2382
Fix AuthorizedKeysCommand in Match block

Found it - this patch should fix it.
Comment 5 Darren Tucker 2013-12-05 12:12:32 AEDT
Comment on attachment 2382
Fix AuthorizedKeysCommand in Match block

I'd suggest also moving the definition of M_CP_STROPT to just before COPY_MATCH_STRING_OPTS() which will make it harder to do the wrong thing.
Comment 6 Damien Miller 2013-12-05 12:13:05 AEDT
Created attachment 2383
Revised patch with more foolproofing

This makes it harder for the developers to make a similar mistake in the future
Comment 7 Damien Miller 2013-12-05 12:17:25 AEDT
Patch is applied - this will be in openssh-6.5. Thanks!
Comment 8 Damien Miller 2015-08-11 23:02:24 AEST
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1