Multiple AuthorizedKeysCommand Executions
On 30.09.21 08:32, Jan Damborsky wrote:
> I am now in the process of preparing a patch for OpenSSH 8.4p1
> to address CVE-2021-41617 (fixed in OpenSSH 8.8p1),

While I double-checked this (with extra logging of the
AuthorizedKeysCommand), I found that the AKC seems to be run *two or
three times* for a single login:

> sshd/AKC[15524]: [REDACTED] pubkeys found for [REDACTED]
> sshd/AKC[15535]: [REDACTED] pubkeys found for [REDACTED]
> sshd[15512]: Postponed publickey for [REDACTED] from [REDACTED] port 36140 ssh2 [preauth]
> sshd/AKC[15546]: [REDACTED] pubkeys found for [REDACTED]
> sshd[15512]: Accepted publickey for [REDACTED] from [REDACTED] port 36140 ssh2: RSA SHA256:[REDACTED]
> sshd[15512]: pam_unix(sshd:session): session opened for user [REDACTED] by (uid=0)
> sshd[15512]: session opened for local user [REDACTED] from [REDACTED] [postauth]
> sshd[15512]: open "[REDACTED]" flags READ mode 0666 [postauth]
> sshd[15512]: close "[REDACTED]" bytes read 20256 written 0 [postauth]
> sshd[15512]: session closed for local user [REDACTED] from [REDACTED] [postauth]
> sshd[15512]: Received disconnect from [REDACTED] port 36140:11: disconnected by user [postauth]
> sshd[15512]: Disconnected from [REDACTED] port 36140 [postauth]
> sshd[15512]: pam_unix(sshd:session): session closed for user [REDACTED]

I realize that it *might* be necessary to run the AKC repeatedly *if*
the %f or %t tokens were used in the command line configured for it, but
I've configured it sans parameters (so %u is thrown in as the default)
and I doubt that the client has several keypairs to try, either. Is this
repeated execution the expected behavior ... ?

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
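
An added example, not part of the original message: one way to count AuthorizedKeysCommand runs per accepted login from log lines in the format quoted above. The `sshd/AKC` tag and the "pubkeys found for" wording are taken from the poster's own logging; the user names, addresses, counts and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format quoted above (users, addresses, counts are made up).
SAMPLE_LOG = """\
sshd/AKC[15524]: 2 pubkeys found for alice
sshd/AKC[15535]: 2 pubkeys found for alice
sshd[15512]: Postponed publickey for alice from 192.0.2.10 port 36140 ssh2 [preauth]
sshd/AKC[15546]: 2 pubkeys found for alice
sshd[15512]: Accepted publickey for alice from 192.0.2.10 port 36140 ssh2: RSA SHA256:EXAMPLE
sshd/AKC[15601]: 1 pubkeys found for bob
sshd[15600]: Accepted publickey for bob from 192.0.2.11 port 40022 ssh2: RSA SHA256:EXAMPLE
"""

AKC_RE = re.compile(r"sshd/AKC\[(\d+)\]: \S+ pubkeys found for (\S+)")
ACCEPT_RE = re.compile(r"sshd\[(\d+)\]: Accepted publickey for (\S+) from (\S+) port (\d+)")

def akc_runs_per_login(log_text):
    """Return [(user, sshd_pid, akc_runs)] for each accepted login.

    Assumption: the AKC helper lines carry their own PIDs, so they cannot be
    joined to the sshd PID directly; they are attributed by user name to the
    next "Accepted publickey" line for that user.
    """
    pending = Counter()  # AKC runs seen per user since that user's last login
    results = []
    for line in log_text.splitlines():
        m = AKC_RE.search(line)
        if m:
            pending[m.group(2)] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m:
            user = m.group(2)
            results.append((user, int(m.group(1)), pending.pop(user, 0)))
    return results

def repeated(results, threshold=1):
    """Logins for which the AKC ran more than `threshold` times."""
    return [r for r in results if r[2] > threshold]

if __name__ == "__main__":
    for user, pid, runs in akc_runs_per_login(SAMPLE_LOG):
        print(f"{user} (sshd[{pid}]): AKC ran {runs} time(s)")
```

On a host with concurrent logins for the same user the by-name attribution is ambiguous; logging the parent PID from inside the AKC would allow an exact join.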