

(-)a/auth2-pubkey.c (-2 / +18 lines)
Lines 506-515 user_key_command_allowed2(struct passwd *user_pw, Key *key) Link Here
506
	FILE *f;
506
	FILE *f;
507
	int ok, found_key = 0;
507
	int ok, found_key = 0;
508
	struct passwd *pw;
508
	struct passwd *pw;
509
	uid_t owneruid = 0;
509
	struct stat st;
510
	struct stat st;
510
	int status, devnull, p[2], i;
511
	int status, devnull, p[2], i;
511
	pid_t pid;
512
	pid_t pid;
512
	char *username, errmsg[512];
513
	char *ownername, *username, errmsg[512];
513
514
514
	if (options.authorized_keys_command == NULL ||
515
	if (options.authorized_keys_command == NULL ||
515
	    options.authorized_keys_command[0] != '/')
516
	    options.authorized_keys_command[0] != '/')
Lines 520-525 user_key_command_allowed2(struct passwd *user_pw, Key *key) Link Here
520
		return 0;
521
		return 0;
521
	}
522
	}
522
523
524
	if (options.authorized_keys_command_owner != NULL) {
525
		struct passwd *ownerpw;
526
		ownername = percent_expand(options.authorized_keys_command_owner,
527
		    "u", user_pw->pw_name, (char *)NULL);
528
		ownerpw = getpwnam(ownername);
529
		if (ownerpw == NULL) {
530
			error("AuthorizedKeysCommandOwner \"%s\" not found: %s",
531
			    ownername, strerror(errno));
532
			free(ownername);
533
			return 0;
534
		}
535
		free(ownername);
536
		owneruid = ownerpw->pw_uid;
537
	}
538
523
	username = percent_expand(options.authorized_keys_command_user,
539
	username = percent_expand(options.authorized_keys_command_user,
524
	    "u", user_pw->pw_name, (char *)NULL);
540
	    "u", user_pw->pw_name, (char *)NULL);
525
	pw = getpwnam(username);
541
	pw = getpwnam(username);
Lines 538-544 user_key_command_allowed2(struct passwd *user_pw, Key *key) Link Here
538
		    options.authorized_keys_command, strerror(errno));
554
		    options.authorized_keys_command, strerror(errno));
539
		goto out;
555
		goto out;
540
	}
556
	}
541
	if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
557
	if (auth_secure_path(options.authorized_keys_command, &st, NULL, owneruid,
542
	    errmsg, sizeof(errmsg)) != 0) {
558
	    errmsg, sizeof(errmsg)) != 0) {
543
		error("Unsafe AuthorizedKeysCommand: %s", errmsg);
559
		error("Unsafe AuthorizedKeysCommand: %s", errmsg);
544
		goto out;
560
		goto out;
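Review bot: The owner lookup `ownername = percent_expand(options.authorized_keys_command_owner, "u", user_pw->pw_name, (char *)NULL);` expands `%u` to the account being authenticated, so a configuration such as `AuthorizedKeysCommandOwner %u` makes the authenticating user the owner of the program that sshd runs to decide which keys are acceptable for that same user; whoever owns that path controls the key list, so the sshd_config.5 text should state that the owner is a fully trusted account and that `%u` is expanded for this option (the current wording mentions neither). The default `uid_t owneruid = 0;` preserves the root-only check when the option is unset, which matches the "By default, root" in the man page. Passing a non-zero `owneruid` to `auth_secure_path()` in the last hunk presumably also relaxes the ownership check on the leading directory components (accepted when owned by root or by that uid) — worth confirming and stating in the documentation, since "not writable by group or others" no longer fully describes what is verified. user_key_command_allowed2() starts and ends outside these hunks.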
(-)a/servconf.c (-1 / +12 lines)
Lines 146-151 initialize_server_options(ServerOptions *options) Link Here
146
	options->adm_forced_command = NULL;
146
	options->adm_forced_command = NULL;
147
	options->chroot_directory = NULL;
147
	options->chroot_directory = NULL;
148
	options->authorized_keys_command = NULL;
148
	options->authorized_keys_command = NULL;
149
	options->authorized_keys_command_owner = NULL;
149
	options->authorized_keys_command_user = NULL;
150
	options->authorized_keys_command_user = NULL;
150
	options->revoked_keys_file = NULL;
151
	options->revoked_keys_file = NULL;
151
	options->trusted_user_ca_keys = NULL;
152
	options->trusted_user_ca_keys = NULL;
Lines 346-352 typedef enum { Link Here
346
	sHostCertificate,
347
	sHostCertificate,
347
	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
348
	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
348
	sKexAlgorithms, sIPQoS, sVersionAddendum,
349
	sKexAlgorithms, sIPQoS, sVersionAddendum,
349
	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
350
	sAuthorizedKeysCommand, sAuthorizedKeysCommandOwner, sAuthorizedKeysCommandUser,
350
	sAuthenticationMethods, sHostKeyAgent,
351
	sAuthenticationMethods, sHostKeyAgent,
351
	sDeprecated, sUnsupported
352
	sDeprecated, sUnsupported
352
} ServerOpCodes;
353
} ServerOpCodes;
Lines 471-476 static struct { Link Here
471
	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
472
	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
472
	{ "ipqos", sIPQoS, SSHCFG_ALL },
473
	{ "ipqos", sIPQoS, SSHCFG_ALL },
473
	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
474
	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
475
	{ "authorizedkeyscommandowner", sAuthorizedKeysCommandOwner, SSHCFG_ALL },
474
	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
476
	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
475
	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
477
	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
476
	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
478
	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
Lines 1594-1599 process_server_config_line(ServerOptions *options, char *line, Link Here
1594
		}
1596
		}
1595
		return 0;
1597
		return 0;
1596
1598
1599
	case sAuthorizedKeysCommandOwner:
1600
		charptr = &options->authorized_keys_command_owner;
1601
1602
		arg = strdelim(&cp);
1603
		if (*activep && *charptr == NULL)
1604
			*charptr = xstrdup(arg);
1605
		break;
1606
1597
	case sAuthorizedKeysCommandUser:
1607
	case sAuthorizedKeysCommandUser:
1598
		charptr = &options->authorized_keys_command_user;
1608
		charptr = &options->authorized_keys_command_user;
1599
1609
Lines 2033-2038 dump_config(ServerOptions *o) Link Here
2033
	    o->authorized_principals_file);
2043
	    o->authorized_principals_file);
2034
	dump_cfg_string(sVersionAddendum, o->version_addendum);
2044
	dump_cfg_string(sVersionAddendum, o->version_addendum);
2035
	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2045
	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2046
	dump_cfg_string(sAuthorizedKeysCommandOwner, o->authorized_keys_command_owner);
2036
	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2047
	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2037
	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2048
	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2038
	dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
2049
	dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
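Review bot: The new `case sAuthorizedKeysCommandOwner:` in process_server_config_line passes the result of `arg = strdelim(&cp);` straight to `xstrdup(arg)` without rejecting a missing value, so a line holding only the keyword is accepted as an empty owner name and, if `strdelim()` can return NULL at that point, `xstrdup()` is handed a null pointer. The other string options in this switch reject that case with a missing-argument `fatal()`; add the same guard before the `if (*activep && *charptr == NULL)` line, e.g. `if (!arg || *arg == '\0') fatal("%s line %d: missing argument.", filename, linenum);`, using whatever the sibling cases use for the file name and line number. The pre-existing `sAuthorizedKeysCommandUser` case visible just below shows the same gap, so it is a copied pattern rather than a new one, but the new case is the place to stop propagating it. The enclosing switch and function start and end outside this hunk.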
(-)a/servconf.h (+2 lines)
Lines 174-179 typedef struct { Link Here
174
	char   *trusted_user_ca_keys;
174
	char   *trusted_user_ca_keys;
175
	char   *authorized_principals_file;
175
	char   *authorized_principals_file;
176
	char   *authorized_keys_command;
176
	char   *authorized_keys_command;
177
	char   *authorized_keys_command_owner;
177
	char   *authorized_keys_command_user;
178
	char   *authorized_keys_command_user;
178
179
179
	int64_t rekey_limit;
180
	int64_t rekey_limit;
Lines 210-215 struct connection_info { Link Here
210
		M_CP_STROPT(revoked_keys_file); \
211
		M_CP_STROPT(revoked_keys_file); \
211
		M_CP_STROPT(authorized_principals_file); \
212
		M_CP_STROPT(authorized_principals_file); \
212
		M_CP_STROPT(authorized_keys_command); \
213
		M_CP_STROPT(authorized_keys_command); \
214
		M_CP_STROPT(authorized_keys_command_owner); \
213
		M_CP_STROPT(authorized_keys_command_user); \
215
		M_CP_STROPT(authorized_keys_command_user); \
214
		M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
216
		M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
215
		M_CP_STRARRAYOPT(allow_users, num_allow_users); \
217
		M_CP_STRARRAYOPT(allow_users, num_allow_users); \
(-)a/sshd_config (+1 lines)
Lines 56-61 AuthorizedKeysFile .ssh/authorized_keys Link Here
56
#AuthorizedPrincipalsFile none
56
#AuthorizedPrincipalsFile none
57
57
58
#AuthorizedKeysCommand none
58
#AuthorizedKeysCommand none
59
#AuthorizedKeysCommandOwner root
59
#AuthorizedKeysCommandUser nobody
60
#AuthorizedKeysCommandUser nobody
60
61
61
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
62
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
(-)a/sshd_config.0 (-5 / +9 lines)
Lines 106-121 DESCRIPTION Link Here
106
106
107
     AuthorizedKeysCommand
107
     AuthorizedKeysCommand
108
             Specifies a program to be used to look up the user's public keys.
108
             Specifies a program to be used to look up the user's public keys.
109
             The program must be owned by root and not writable by group or
109
             The program must be owned by value of AuthorizedKeysCommandOwner
110
             others.  It will be invoked with a single argument of the
110
             and not writable by group or others.  It will be invoked with a
111
             username being authenticated, and should produce on standard
111
             single argument of the username being authenticated, and should
112
             output zero or more lines of authorized_keys output (see
112
             produce on standard output zero or more lines of authorized_keys
113
             AUTHORIZED_KEYS in sshd(8)).  If a key supplied by
113
             output (see AUTHORIZED_KEYS in sshd(8)).  If a key supplied by
114
             AuthorizedKeysCommand does not successfully authenticate and
114
             AuthorizedKeysCommand does not successfully authenticate and
115
             authorize the user then public key authentication continues using
115
             authorize the user then public key authentication continues using
116
             the usual AuthorizedKeysFile files.  By default, no
116
             the usual AuthorizedKeysFile files.  By default, no
117
             AuthorizedKeysCommand is run.
117
             AuthorizedKeysCommand is run.
118
118
119
     AuthorizedKeysCommandOwner
120
             Specifies the user who should own the file referred by
121
             AuthorizedKeysCommand. By default, root.
122
119
     AuthorizedKeysCommandUser
123
     AuthorizedKeysCommandUser
120
             Specifies the user under whose account the AuthorizedKeysCommand
124
             Specifies the user under whose account the AuthorizedKeysCommand
121
             is run.  It is recommended to use a dedicated user that has no
125
             is run.  It is recommended to use a dedicated user that has no
(-)a/sshd_config.5 (-2 / +6 lines)
Lines 198-204 The default is not to require multiple authentication; successful completion Link Here
198
of a single authentication method is sufficient.
198
of a single authentication method is sufficient.
199
.It Cm AuthorizedKeysCommand
199
.It Cm AuthorizedKeysCommand
200
Specifies a program to be used to look up the user's public keys.
200
Specifies a program to be used to look up the user's public keys.
201
The program must be owned by root and not writable by group or others.
201
The program must be owned by value of
202
.Cm AuthorizedKeysCommandOwner
203
and not writable by group or others.
202
It will be invoked with a single argument of the username
204
It will be invoked with a single argument of the username
203
being authenticated, and should produce on standard output zero or
205
being authenticated, and should produce on standard output zero or
204
more lines of authorized_keys output (see AUTHORIZED_KEYS in
206
more lines of authorized_keys output (see AUTHORIZED_KEYS in
Lines 208-213 and authorize the user then public key authentication continues using the usual Link Here
208
.Cm AuthorizedKeysFile
210
.Cm AuthorizedKeysFile
209
files.
211
files.
210
By default, no AuthorizedKeysCommand is run.
212
By default, no AuthorizedKeysCommand is run.
213
.It Cm AuthorizedKeysCommandOwner
214
Specifies the user who should own the file referred by
215
AuthorizedKeysCommand. By default, root.
211
.It Cm AuthorizedKeysCommandUser
216
.It Cm AuthorizedKeysCommandUser
212
Specifies the user under whose account the AuthorizedKeysCommand is run.
217
Specifies the user under whose account the AuthorizedKeysCommand is run.
213
It is recommended to use a dedicated user that has no other role on the host
218
It is recommended to use a dedicated user that has no other role on the host
214
- 
