Bug 3574 - sshd ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand is also set
Status: RESOLVED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 9.3p1
Hardware: All All
Importance: P5 normal
Assignee: Damien Miller
Blocks: V_9_4
Reported: 2023-05-23 06:17 AEST by John Meyers
Modified: 2023-05-25 09:43 AEST



Attachments
Suggested fix (1.06 KB, patch)
2023-05-23 06:18 AEST, John Meyers
minimal fix (456 bytes, patch)
2023-05-24 10:23 AEST, Damien Miller
dtucker: ok+

Description John Meyers 2023-05-23 06:17:20 AEST
In OpenBSD Commit ID 9c4305631d20c2d194661504ce11e1f68b20d93e the sshd_config parser was switched to a newer tokenizer. As a result of this, a new bug was introduced that causes the parser to ignore AuthorizedPrincipalsCommand if AuthorizedKeysCommand is also set.

To Reproduce
Set AuthorizedPrincipalsCommand and AuthorizedPrincipalsCommandUser to a valid value in sshd_config.
Set AuthorizedKeysCommand and AuthorizedKeysCommandUser to a valid value.  Suggest using a script that will touch a file to prove it was executed.
Reload sshd and log in.
AuthorizedKeysCommand will not be executed.
Remove AuthorizedKeysCommand from the sshd_config and it will work.

Suggested patch is attached.
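
Added example, not part of the original report and not OpenSSH code: a shell check that flags an sshd_config containing the directive combination described above, so the hosts where the principals helper should be tested can be found. It reads the file text only; the helper paths and users in the sample are hypothetical, and treating an empty value or "none" as unset is an assumption.

```shell
#!/bin/sh
# Added example, not OpenSSH code. Flags an sshd_config that sets both
# AuthorizedKeysCommand and AuthorizedPrincipalsCommand.
# Assumptions: Include files are not followed and Match scope is ignored.

# Print the first value of keyword $1 in file $2 (sshd uses the first
# value it obtains; keywords are case-insensitive).
sshd_directive() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments, blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)          # keyword ends at space or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == want) { print val; exit }
        }' "$2"
}

# Assumption: an empty value or "none" means the command is not configured.
is_set() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        ''|none) return 1 ;;
        *) return 0 ;;
    esac
}

# Exit status 0 when both commands are configured, 1 otherwise.
both_commands_set() {
    is_set "$(sshd_directive AuthorizedKeysCommand "$1")" &&
        is_set "$(sshd_directive AuthorizedPrincipalsCommand "$1")"
}

# Constructed sample config; the helper paths and users are hypothetical.
write_sample() {
    cat > "$1" <<'EOF'
AuthorizedKeysCommand /usr/local/bin/keys-helper %u
AuthorizedKeysCommandUser nobody
authorizedprincipalscommand = /usr/local/bin/principals-helper %u
AuthorizedPrincipalsCommandUser nobody
EOF
}

sample=$(mktemp); write_sample "$sample"
both_commands_set "$sample" && echo "both commands set: verify the principals helper runs"
rm -f "$sample"
```

On a real host, pass the path of the active configuration file to `both_commands_set` instead of the sample.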
Comment 1 John Meyers 2023-05-23 06:18:40 AEST
Created attachment 3698
Suggested fix
Comment 2 Damien Miller 2023-05-24 10:23:54 AEST
Created attachment 3699
minimal fix

I think this should fix it without adding additional code.
Comment 3 Damien Miller 2023-05-25 09:43:01 AEST
committed as fcd78e31 and will be in the 9.4 release, due in a few months. Thanks!