Bug 2161

Summary: AuthorizedKeysCommand is not executed when defined inside Match block
Product: Portable OpenSSH
Reporter: wijet
Component: sshd
Assignee: Damien Miller <djm>
Status: CLOSED FIXED
Severity: normal
CC: djm, dtucker
Priority: P5
Version: -current
Hardware: All
OS: Linux
Bug Depends on:
Bug Blocks: 2130

Attachments:
  Fix AuthorizedKeysCommand in Match block (flags: none)
  Revised patch with more foolproofing (flags: dtucker: ok+)

Description wijet 2013-10-18 05:04:25 AEDT
I have the following at the end of my sshd_config

Match User git
  AuthorizedKeysCommand /opt/git/authorized_keys
  AuthorizedKeysCommandUser git

When I ssh as git user I see in logs the following:

Oct 17 19:59:58 cc sshd[6136]: debug3: checking match for 'User git' user git host X addr IP laddr IP lport 22
Oct 17 19:59:58 cc sshd[6136]: debug1: user git matched 'User git' at line 84
Oct 17 19:59:58 cc sshd[6136]: debug3: match found
Oct 17 19:59:58 cc sshd[6136]: debug3: reprocess config:85 setting AuthorizedKeysCommand /opt/git/authorized_keys
Oct 17 19:59:58 cc sshd[6136]: debug3: reprocess config:86 setting AuthorizedKeysCommandUser git

but the AuthorizedKeysCommand is not invoked. When I remove Match block, everything works as expected.
I tried to remove AuthorizedKeysCommandUser from the inside of the block, but it doesn't help.

My SSH version is: OpenSSH_6.2p2 Debian-6, OpenSSL 1.0.1e 11 Feb 2013

Comment 1 wijet 2013-10-18 23:43:17 AEDT
I've noticed one more thing in logs. When AuthorizedKeysCommand is inside the Match block I see in logs

Oct 18 14:41:49 cc sshd[27314]: error: Unsafe AuthorizedKeysCommand: /lib/x86_64-linux-gnu/security is not a regular file

Comment 2 Damien Miller 2013-10-24 10:27:06 AEDT
Could you please attach a full debug trace from a failing connection?

Comment 3 wijet 2013-10-25 03:37:49 AEDT
Here you have both logs, with Match block and without it

https://gist.github.com/wijet/50adf849f029b702ec94

Comment 4 Damien Miller 2013-12-05 11:52:22 AEDT
Created attachment 2382
Fix AuthorizedKeysCommand in Match block

Found it - this patch should fix it.

Comment 5 Darren Tucker 2013-12-05 12:12:32 AEDT
Comment on attachment 2382
Fix AuthorizedKeysCommand in Match block

I'd suggest also moving the definition of M_CP_STROPT to just before COPY_MATCH_STRING_OPTS() which will make it harder to do the wrong thing.

Comment 6 Damien Miller 2013-12-05 12:13:05 AEDT
Created attachment 2383
Revised patch with more foolproofing

This makes it harder for the developers to make a similar mistake in the future

Comment 7 Damien Miller 2013-12-05 12:17:25 AEDT
Patch is applied - this will be in openssh-6.5. Thanks!

Comment 8 Damien Miller 2015-08-11 23:02:24 AEST
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1
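
A log check for the symptom shown in the description and Comment 1, as an added example that is not part of the original report or of OpenSSH: per sshd PID, it compares the path a Match block set for AuthorizedKeysCommand with the path named in an "Unsafe AuthorizedKeysCommand" error and reports any mismatch. The sample lines are constructed from the two excerpts above (a shared PID and timestamp are assumptions), and the function name is hypothetical.

```python
import re

# Constructed sample modelled on the excerpts in this report. Giving the
# first session a single PID and timestamp is an assumption.
SAMPLE_LOG = """\
Oct 18 14:41:49 cc sshd[27314]: debug1: user git matched 'User git' at line 84
Oct 18 14:41:49 cc sshd[27314]: debug3: reprocess config:85 setting AuthorizedKeysCommand /opt/git/authorized_keys
Oct 18 14:41:49 cc sshd[27314]: debug3: reprocess config:86 setting AuthorizedKeysCommandUser git
Oct 18 14:41:49 cc sshd[27314]: error: Unsafe AuthorizedKeysCommand: /lib/x86_64-linux-gnu/security is not a regular file
Oct 18 14:42:10 cc sshd[27400]: debug3: reprocess config:85 setting AuthorizedKeysCommand /opt/git/authorized_keys
"""

LINE_RE = re.compile(r"sshd\[(\d+)\]: (.*)$")
# The space after the keyword excludes AuthorizedKeysCommandUser lines.
SET_RE = re.compile(r"reprocess config:(\d+) setting AuthorizedKeysCommand (\S+)")
# Only the error form quoted in Comment 1 is recognised.
UNSAFE_RE = re.compile(r"Unsafe AuthorizedKeysCommand: (\S+) is not a regular file")


def find_path_mismatches(log_text):
    """Return one finding per session whose safety-check error names a
    path other than the one its Match block configured."""
    configured = {}  # pid -> (sshd_config line number, configured path)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        setting = SET_RE.search(msg)
        if setting:
            configured[pid] = (int(setting.group(1)), setting.group(2))
            continue
        unsafe = UNSAFE_RE.search(msg)
        if unsafe and pid in configured:
            config_line, path = configured[pid]
            if unsafe.group(1) != path:
                findings.append({"pid": pid, "config_line": config_line,
                                 "configured": path, "checked": unsafe.group(1)})
    return findings


if __name__ == "__main__":
    for f in find_path_mismatches(SAMPLE_LOG):
        print("sshd[{pid}]: sshd_config:{config_line} set {configured}, "
              "but sshd checked {checked}".format(**f))
```

The check needs sshd logging at debug3, since the "reprocess config" lines only appear at that level in the excerpts above.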