I have the following at the end of my sshd_config:
    Match User git
    AuthorizedKeysCommand /opt/git/authorized_keys
    AuthorizedKeysCommandUser git
When I ssh as git user I see in logs the following:
    Oct 17 19:59:58 cc sshd[6136]: debug3: checking match for 'User git' user git host X addr IP laddr IP lport 22
    Oct 17 19:59:58 cc sshd[6136]: debug1: user git matched 'User git' at line 84
    Oct 17 19:59:58 cc sshd[6136]: debug3: match found
    Oct 17 19:59:58 cc sshd[6136]: debug3: reprocess config:85 setting AuthorizedKeysCommand /opt/git/authorized_keys
    Oct 17 19:59:58 cc sshd[6136]: debug3: reprocess config:86 setting AuthorizedKeysCommandUser git
but the AuthorizedKeysCommand is not invoked. When I remove Match block, everything works as expected. I tried to remove AuthorizedKeysCommandUser from the inside of the block, but it doesn't help.
My SSH version is: OpenSSH_6.2p2 Debian-6, OpenSSL 1.0.1e 11 Feb 2013
I've noticed one more thing in logs. When AuthorizedKeysCommand is inside the Match block I see in logs:
    Oct 18 14:41:49 cc sshd[27314]: error: Unsafe AuthorizedKeysCommand: /lib/x86_64-linux-gnu/security is not a regular file
Could you please attach a full debug trace from a failing connection?
Here you have both logs, with Match block and without it:
    https://gist.github.com/wijet/50adf849f029b702ec94
Created attachment 2382: Fix AuthorizedKeysCommand in Match block
Found it - this patch should fix it.
Comment on attachment 2382: Fix AuthorizedKeysCommand in Match block
I'd suggest also moving the definition of M_CP_STROPT to just before COPY_MATCH_STRING_OPTS() which will make it harder to do the wrong thing.
Created attachment 2383: Revised patch with more foolproofing
This makes it harder for the developers to make a similar mistake in the future.
Patch is applied - this will be in openssh-6.5. Thanks!
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1
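An added example, not part of this bug thread or of the OpenSSH code base: a small audit that flags an AuthorizedKeysCommand set inside a Match block on a build that predates the fix. It assumes every release before 6.5 is unfixed, based only on the thread's statement that the patch ships in openssh-6.5; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample mirroring the reporter's configuration (line numbers differ).
SAMPLE_CONFIG = """\
Port 22
# AuthorizedKeysCommand /usr/bin/unused
PasswordAuthentication no
Match User git
AuthorizedKeysCommand /opt/git/authorized_keys
AuthorizedKeysCommandUser git
"""

FIXED_IN = (6, 5)  # assumption taken from the thread: "this will be in openssh-6.5"


def parse_version(banner):
    """Extract (major, minor) from a banner such as 'OpenSSH_6.2p2 Debian-6'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no OpenSSH version in %r" % banner)
    return int(m.group(1)), int(m.group(2))


def match_scoped_keys_commands(config_text):
    """Return (line_no, match_criteria, command) for every AuthorizedKeysCommand
    directive that appears after a Match line, i.e. inside a Match block."""
    findings, current_match = [], None
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config keywords are case-insensitive; '=' may separate the value.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current_match = value  # a Match block runs until the next Match or EOF
        elif keyword == "authorizedkeyscommand" and current_match is not None:
            findings.append((line_no, current_match, value))
    return findings


def audit(banner, config_text):
    """Findings that matter on a build older than the fix; empty otherwise."""
    if parse_version(banner) >= FIXED_IN:
        return []
    return match_scoped_keys_commands(config_text)


if __name__ == "__main__":
    for line_no, criteria, cmd in audit("OpenSSH_6.2p2 Debian-6", SAMPLE_CONFIG):
        print("line %d: Match %s sets AuthorizedKeysCommand %s" % (line_no, criteria, cmd))
```

A global AuthorizedKeysCommand (outside any Match block) is not reported, matching the reporter's observation that the directive works once the Match block is removed.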