[Bug 2031942] Re: AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set
Michał Małoszewski
2031942 at bugs.launchpad.net
Fri Sep 1 13:35:17 UTC 2023
** Description changed:
[Impact]
* User of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by the wrong pointer manipulation in the if
statement. The fix is to change the code to check if the value pointed
to by the pointer 'charptr' is NULL.
[Test Plan]
- Launch container:
+ Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
- Go to that directory using ‘cd’ command and from there create 2 more dirs that reflect users:
+ Go to that directory:
+ # cd reproducer
+
+ Create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
- Go to the keyonlyuser and inside:
+ Go to the keyonlyuser:
+ # cd keyonlyuser
+
+ Do:
# ssh-keygen -t ed25519 -f key
- Go to the certuser and inside:
+ Go to the certuser:
+ # cd /root/reproducer/certuser
+
+ Do:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script‘/root/reproducer/authorized_principals’ with permissions 755 as follows:
- #!/bin/sh
- if [ "$1" = "otheruser" ]; then
+ #!/bin/sh
+ if [ "$1" = "otheruser" ]; then
echo certuser
fi
-
- Exit from the file and set the permission bits:
- # chmod 755 authorized_principals
- Stay in the same directory and create a user called otheruser:
+ Exit the file.
+
+ Ensure you are in the /root/reproducer directory:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
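Review bot: the rewritten step `+ Create a script‘/root/reproducer/authorized_principals’ with permissions 755 as follows:` drops the `# chmod 755 authorized_principals` command that the removed lines carried, so the plan no longer shows how that mode gets set; a file created in an editor is not executable by default and sshd cannot run it then. Restore the chmod line right after `+ Exit the file.`.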
- Go back to the reproducer/ directory and create a new script called authorized_keys:
- # nano authorized_keys
-
- Add inside:
- #!/bin/sh
- if [ "$1" = "keyonlyuser" ]; then
+ Create a script‘/root/reproducer/authorized_keys’ with permissions 755 as follows:
+ #!/bin/sh
+ if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
-
- Exit from the file and set permission bits:
- # chmod 755 authorized_keys
Go to the etc/ssh/sshd_config
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
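Review bot: same gap for the keys script: the removed `# chmod 755 authorized_keys` has no counterpart after the new `+ Create a script‘/root/reproducer/authorized_keys’ with permissions 755 as follows:` step, so the file is left non-executable. The unchanged `Go to the etc/ssh/sshd_config` line in this region also lacks the leading slash; write `/etc/ssh/sshd_config`.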
- AuthorizedKeysCommandUser root
+ AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser at localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser at localhost -i /root/reproducer/certuser/key -o
CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh is fails because the
AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
[Where problems could occur]
* The patch itself modifies only the servconf.c, so regressions should
be limited to the server configuration.
* Since the fix touches pointers, there might be regression related to
memory handling and fetching data.
---------------------------------original
report--------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and
authorized_principals_command. As a result, if authorized_keys_command
is set (for instance, if using ec2-instance-connect), any
AuthorizedPrincipalsCommand configuration in sshd_config is ignored.
This is fixed in 9.4p1 with the attached patch.
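Review bot: in the unchanged context just below the re-indented `+ AuthorizedKeysCommandUser root` line, `AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u AuthorizedPrincipalsCommandUser root` puts two directives on one line, so sshd would take `AuthorizedPrincipalsCommandUser root` as extra arguments to the principals script and never see the user setting. Split it into `AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u` and `AuthorizedPrincipalsCommandUser root`, one per line, matching how the keys directives are written just above.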
https://bugs.launchpad.net/bugs/2031942
Title:
AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Jammy:
In Progress
Status in openssh source package in Lunar:
In Progress
Status in openssh source package in Mantic:
Fix Released
Bug description:
[Impact]
* A user of openssh reported an issue that affects Lunar and Jammy.
* This crash is caused by wrong pointer manipulation in the if
statement. The fix is to change the code to check whether the value
pointed to by the pointer 'charptr' is NULL.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory:
# cd reproducer
Create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser:
# cd keyonlyuser
Do:
# ssh-keygen -t ed25519 -f key
Go to the certuser:
# cd /root/reproducer/certuser
Do:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit the file.
Ensure you are in the /root/reproducer directory:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Open /etc/ssh/sshd_config and add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u
AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
# systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the
AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is
set.
[Where problems could occur]
* The patch itself modifies only servconf.c, so regressions should
be limited to server configuration parsing.
* Since the fix touches pointers, there might be regressions related to
memory handling and fetching data.
--------------------------------- original report --------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
if (*activep && options->authorized_keys_command == NULL)
	*charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and
authorized_principals_command. As a result, if authorized_keys_command
is set (for instance, if using ec2-instance-connect), any
AuthorizedPrincipalsCommand configuration in sshd_config is ignored.
This is fixed in 9.4p1 with the attached patch.
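The check from the original report, as an added C example that is not part of the bug report or of OpenSSH's own code: a constructed stand-in for the servconf.c path stores each *Command value through `charptr`, once with the 8.7p1..9.3p1 test on `options->authorized_keys_command` and once with the 9.4p1 test on `*charptr`, then feeds it the two sshd_config lines from the test plan. It goes one step beyond the test plan by parsing those lines in either order, which shows why the buggy check only bites when AuthorizedKeysCommand appears first in the file. The ServerOptions struct, store_command() and parse_line() are simplifications assumed here, not sshd's functions; sshd's tokenising and Match handling (`*activep`) are reduced to a constant `active` argument.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the two ServerOptions fields involved (sshd stores
 * xstrdup()ed copies; literal pointers are enough to show the check). */
typedef struct {
	const char *authorized_keys_command;
	const char *authorized_principals_command;
} ServerOptions;

/* Store a *Command value like process_server_config_line(): charptr points at
 * the field the keyword selected, kept only while that option is unset.  fixed
 * == 0 is the 8.7p1..9.3p1 test on authorized_keys_command, 1 the 9.4p1 test. */
static void store_command(ServerOptions *options, const char **charptr,
    const char *value, int active, int fixed)
{
	int unset = fixed ? *charptr == NULL
	    : options->authorized_keys_command == NULL;
	if (active && unset)
		*charptr = value;
}

/* Dispatch one sshd_config line to the field its keyword selects. */
static void parse_line(ServerOptions *o, const char *line, int fixed)
{
	const char *kk = "AuthorizedKeysCommand ", *kp = "AuthorizedPrincipalsCommand ";
	if (strncmp(line, kk, strlen(kk)) == 0)
		store_command(o, &o->authorized_keys_command, line + strlen(kk), 1, fixed);
	else if (strncmp(line, kp, strlen(kp)) == 0)
		store_command(o, &o->authorized_principals_command, line + strlen(kp), 1, fixed);
}

/* Parse the two test-plan lines (keys_first selects their order); 1 if
 * AuthorizedPrincipalsCommand survives, 0 if the check silently dropped it. */
int principals_command_kept(int fixed, int keys_first)
{
	const char *keys = "AuthorizedKeysCommand /root/reproducer/authorized_keys %u";
	const char *princ = "AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u";
	ServerOptions o = { NULL, NULL };
	parse_line(&o, keys_first ? keys : princ, fixed);
	parse_line(&o, keys_first ? princ : keys, fixed);
	return o.authorized_principals_command != NULL;
}

int main(void)
{
	printf("8.7p1..9.3p1, keys first: kept = %d\n", principals_command_kept(0, 1));
	printf("8.7p1..9.3p1, principals first: kept = %d\n", principals_command_kept(0, 0));
	printf("9.4p1, keys first: kept = %d\n", principals_command_kept(1, 1));
	return 0;
}
```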