[Bug] - Bug in OpenSSH version OpenSSH_8.7p1 #899

Open
asheynkmantyler opened this issue Jan 30, 2025 · 0 comments

Describe the bug
There is a bug in OpenSSH_8.7p1 where, if both the AuthorizedKeysCommand and AuthorizedPrincipalsCommand parameters are used in sshd_config, the AuthorizedPrincipalsCommand block is ignored and certificate-based auth does not work.

To Reproduce
Here is a sample sshd_config stanza that does not work:

AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
AuthorizedKeysCommandUser ec2-instance-connect

TrustedUserCAKeys /etc/ssh/privx_ca.pub
AuthorizedPrincipalsCommand /etc/ssh/principals_command.sh %u
AuthorizedPrincipalsCommandUser "nobody"

I confirmed the behavior, because when I commented out the AuthorizedKeysCommand and AuthorizedKeysCommandUser entries, I was able to ssh using certificates.

This issue is mentioned here: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2031942

Expected behavior
I would expect both AuthorizedKeys and AuthorizedPrincipals to work.
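
To find hosts that carry the combination this issue reports, the following added example (not part of the original issue, and not code from OpenSSH or this project) reads sshd_config text and flags configurations where both AuthorizedKeysCommand and AuthorizedPrincipalsCommand are set. The function names are hypothetical, and it assumes only the global scope matters, so parsing stops at the first Match block.

```shell
# Added example, not from the issue; function names are hypothetical.
# Print the global-scope value of keyword $1 from sshd_config text on stdin.
# Keywords are case-insensitive, the first occurrence wins, and parsing
# stops at the first Match block.
sshd_keyword_value() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            n = match(line, /[ \t=]/)           # end of the keyword
            key = tolower(n ? substr(line, 1, n - 1) : line)
            if (key == "match") exit
            if (key != want) next               # exact match, so *CommandUser is not confused
            val = n ? substr(line, n) : ""
            sub(/^[ \t=]+/, "", val)
            sub(/^"/, "", val); sub(/"$/, "", val)   # strip surrounding quotes
            print val
            exit
        }'
}

# True when a value is non-empty and not the literal "none".
is_set() {
    [ -n "$1" ] && [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" != "none" ]
}

# Read config text on stdin; print a finding and return 0 when both
# commands are set, return 1 otherwise.
check_authorized_command_combo() {
    cfg=$(cat)
    keys=$(printf '%s\n' "$cfg" | sshd_keyword_value AuthorizedKeysCommand)
    princ=$(printf '%s\n' "$cfg" | sshd_keyword_value AuthorizedPrincipalsCommand)
    if is_set "$keys" && is_set "$princ"; then
        printf 'FINDING: both set\n  AuthorizedKeysCommand %s\n  AuthorizedPrincipalsCommand %s\n' "$keys" "$princ"
        return 0
    fi
    return 1
}

# Constructed sample: the stanza quoted in the issue above.
SAMPLE_CONFIG='AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
AuthorizedKeysCommandUser ec2-instance-connect

TrustedUserCAKeys /etc/ssh/privx_ca.pub
AuthorizedPrincipalsCommand /etc/ssh/principals_command.sh %u
AuthorizedPrincipalsCommandUser "nobody"'

printf '%s\n' "$SAMPLE_CONFIG" | check_authorized_command_combo || true
```

On a live host, piping the output of `sshd -T` into `check_authorized_command_combo` checks the effective configuration, where an unset command is reported as `none`.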
