[Bug 2031942] Please test proposed package
Andreas Hasenack
2031942@bugs.launchpad.net
Wed Sep 6 17:31:16 UTC 2023
Hello Matthew, or anyone else affected,
Accepted openssh into jammy-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/openssh/1:8.9p1-3ubuntu0.4 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-jammy to verification-done-jammy. If it does not fix
the bug for you, please add a comment stating that, and change the tag to
verification-failed-jammy. In either case, without details of your
testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2031942
Title:
AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Jammy:
Fix Committed
Status in openssh source package in Lunar:
Fix Committed
Status in openssh source package in Mantic:
Fix Released
Bug description:
[Impact]
A user of openssh reported an issue that affects Lunar and Jammy.
If AuthorizedKeysCommand is set, an AuthorizedPrincipalsCommand
configuration in sshd_config that comes after it is ignored. In this
scenario, where AuthorizedPrincipalsCommand is needed and set, users
relying on ssh certificates for authentication will be denied access.
[Test Plan]
Launch container:
$ lxc launch ubuntu:jammy <container-name>
Shell into that container:
$ lxc shell <container-name>
Create the main directory for our task (e.g. “reproducer”)
# mkdir reproducer
Go to that directory:
# cd reproducer
Create 2 more dirs that reflect users:
# mkdir certuser keyonlyuser
Go to the keyonlyuser:
# cd keyonlyuser
Do:
# ssh-keygen -t ed25519 -f key
Go to the certuser:
# cd /root/reproducer/certuser/
Do:
# ssh-keygen -t rsa -f ca
# ssh-keygen -t ed25519 -f key
# ssh-keygen -s ca -I key_id -n certuser key.pub
Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
Exit the file.
Ensure you are in the /root/reproducer/ directory:
# adduser --disabled-password otheruser
(Enter multiple times, leave all fields blank)
Then do the same for another user:
# adduser --disabled-password keyonlyuser
Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows:
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
fi
Go to the /etc/ssh/sshd_config file.
Add at the top:
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root
AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u
AuthorizedPrincipalsCommandUser root
TrustedUserCAKeys /root/reproducer/certuser/ca.pub
Exit from the file and restart the ssh service:
# systemctl restart ssh
Use these commands to manifest the bug:
# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
# ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub
Expected results: both ssh commands should succeed.
Actual results: the second ssh fails because the
AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is
set.
[Where problems could occur]
* The patch itself modifies only servconf.c, so regressions should be
limited to parsing of the server configuration.
* Since the fix touches pointers, there might be regressions related to
memory handling and to fetching the parsed option values.
--------------------------------- original report --------------------------
Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
    if (*activep && options->authorized_keys_command == NULL)
        *charptr = xstrdup(str + len);
However, this is executed for both authorized_keys_command and
authorized_principals_command. As a result, if authorized_keys_command
is set (for instance, if using ec2-instance-connect), any
AuthorizedPrincipalsCommand configuration in sshd_config is ignored.
This is fixed in 9.4p1 with the attached patch.
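As an added illustration, not OpenSSH's own code, the following is a small C model of the shared option-parsing branch quoted in the original report, fed the five sshd_config lines from the test plan above. The "fixed" path is modelled as testing the slot the keyword actually writes to (*charptr) instead of authorized_keys_command; the keyword names and paths come from the page, everything else is constructed.

```c
#include <stdio.h>
#include <string.h>
struct options {
    const char *authorized_keys_command;
    const char *authorized_principals_command;
};
/* Constructed sshd_config fragment: the five lines added in the test plan. */
static const char *sshd_config[] = {
    "AuthorizedKeysCommand /root/reproducer/authorized_keys %u",
    "AuthorizedKeysCommandUser root",
    "AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u",
    "AuthorizedPrincipalsCommandUser root",
    "TrustedUserCAKeys /root/reproducer/certuser/ca.pub",
};
/* Exact keyword match: "AuthorizedKeysCommandUser" must not match "AuthorizedKeysCommand". */
#define KEYWORD_IS(line, kw) \
    (strncmp((line), kw, sizeof(kw) - 1) == 0 && (line)[sizeof(kw) - 1] == ' ')
/* Model of the shared case branch in servconf.c: fixed == 0 applies the
 * 8.7p1..9.3p1 check quoted in the report, fixed != 0 the modelled 9.4p1 check. */
static void parse_config(struct options *o, int fixed)
{
    memset(o, 0, sizeof(*o));
    for (size_t i = 0; i < sizeof(sshd_config) / sizeof(sshd_config[0]); i++) {
        const char *line = sshd_config[i], *val = strchr(line, ' ') + 1;
        const char **charptr;
        if (KEYWORD_IS(line, "AuthorizedKeysCommand"))
            charptr = &o->authorized_keys_command;
        else if (KEYWORD_IS(line, "AuthorizedPrincipalsCommand"))
            charptr = &o->authorized_principals_command;
        else
            continue; /* other keywords play no part in this bug */
        /* Buggy: tests the keys-command slot for both keywords, so the principals
         * command is skipped once the keys command is set. Fixed: tests *charptr. */
        if (fixed ? *charptr == NULL : o->authorized_keys_command == NULL)
            *charptr = val; /* stands in for xstrdup(str + len) */
    }
}
/* The parsed AuthorizedPrincipalsCommand value, or NULL if it was dropped. */
static const char *principals_command(int fixed)
{
    struct options o;
    parse_config(&o, fixed);
    return o.authorized_principals_command;
}
int main(void)
{
    printf("8.7p1..9.3p1 check: %s\n", principals_command(0) ? principals_command(0) : "(dropped)");
    printf("modelled 9.4p1 check: %s\n", principals_command(1) ? principals_command(1) : "(dropped)");
    return 0;
}
```

With the buggy check the principals command is dropped, which is exactly why the certificate-based login in the test plan is refused while the key-only login still works.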
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2031942/+subscriptions