** Description changed: [Impact] * User of openssh reported an issue that affects Lunar and Jammy. * This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL. [Test Plan] - TBD + Launch container: + $ lxc launch ubuntu:jammy <container-name> + + Shell into that container: + $ lxc shell <container-name> + + Create the main directory for our task (e.g. “reproducer”) + # mkdir reproducer + + Go to that directory using ‘cd’ command and from there create 2 more dirs that reflect users: + # mkdir certuser keyonlyuser + + Go to the keyonlyuser and inside: + # ssh-keygen -t ed25519 -f key + + Go to the certuser and inside: + # ssh-keygen -t rsa -f ca + # ssh-keygen -t ed25519 -f key + # ssh-keygen -s ca -I key_id -n certuser key.pub + + Create a script‘/root/reproducer/authorized_principals’ with permissions 755 as follows: + #!/bin/sh + if [ "$1" = "otheruser" ]; then + echo certuser + fi + + Exit from the file and set the permission bits: + # chmod 755 authorized_principals + + Stay in the same directory and create a user called otheruser: + # adduser --disabled-password otheruser + (Enter multiple times, leave all fields blank) + + Then do the same for another user: + # adduser --disabled-password keyonlyuser + + Go back to the reproducer/ directory and create a new script called authorized_keys: + # nano authorized_keys + + Add inside: + #!/bin/sh + if [ "$1" = "keyonlyuser" ]; then + echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd> + fi + + Exit from the file and set permission bits: + # chmod 755 authorized_keys + + Go to the etc/ssh/sshd_config + Add at the top: + + AuthorizedKeysCommand /root/reproducer/authorized_keys %u + AuthorizedKeysCommandUser root + + AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u AuthorizedPrincipalsCommandUser root + TrustedUserCAKeys /root/reproducer/certuser/ca.pub + + Exit from the file and restart the ssh service: + systemctl restart ssh + + Use these commands to manifest the bug: + + # ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key + + # ssh otheruser@localhost -i /root/reproducer/certuser/key -o + CertificateFile=/root/reproducer/certuser/key-cert.pub + + Expected results: both ssh commands should succeed. + + Actual results: the second ssh is fails because the + AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set. [Where problems could occur] * The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration. * Since the fix touches pointers, there might be regression related to memory handling and fetching data. ---------------------------------original report-------------------------- - Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code: if (*activep && options->authorized_keys_command == NULL) *charptr = xstrdup(str + len); However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch.
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/2031942 Title: AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Jammy: In Progress Status in openssh source package in Lunar: In Progress Status in openssh source package in Mantic: Fix Released Bug description: [Impact] * User of openssh reported an issue that affects Lunar and Jammy. * This crash is caused by the wrong pointer manipulation in the if statement. The fix is to change the code to check if the value pointed to by the pointer 'charptr' is NULL. [Test Plan] Launch container: $ lxc launch ubuntu:jammy <container-name> Shell into that container: $ lxc shell <container-name> Create the main directory for our task (e.g. “reproducer”) # mkdir reproducer Go to that directory using ‘cd’ command and from there create 2 more dirs that reflect users: # mkdir certuser keyonlyuser Go to the keyonlyuser and inside: # ssh-keygen -t ed25519 -f key Go to the certuser and inside: # ssh-keygen -t rsa -f ca # ssh-keygen -t ed25519 -f key # ssh-keygen -s ca -I key_id -n certuser key.pub Create a script‘/root/reproducer/authorized_principals’ with permissions 755 as follows: #!/bin/sh if [ "$1" = "otheruser" ]; then echo certuser fi Exit from the file and set the permission bits: # chmod 755 authorized_principals Stay in the same directory and create a user called otheruser: # adduser --disabled-password otheruser (Enter multiple times, leave all fields blank) Then do the same for another user: # adduser --disabled-password keyonlyuser Go back to the reproducer/ directory and create a new script called authorized_keys: # nano authorized_keys Add inside: #!/bin/sh if [ "$1" = "keyonlyuser" ]; then echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd> fi Exit from the file and set permission bits: # chmod 755 authorized_keys Go to the etc/ssh/sshd_config Add at the top: AuthorizedKeysCommand /root/reproducer/authorized_keys %u AuthorizedKeysCommandUser root AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u AuthorizedPrincipalsCommandUser root TrustedUserCAKeys /root/reproducer/certuser/ca.pub Exit from the file and restart the ssh service: systemctl restart ssh Use these commands to manifest the bug: # ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key # ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub Expected results: both ssh commands should succeed. Actual results: the second ssh is fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set. [Where problems could occur] * The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration. * Since the fix touches pointers, there might be regression related to memory handling and fetching data. ---------------------------------original report-------------------------- Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code: if (*activep && options->authorized_keys_command == NULL) *charptr = xstrdup(str + len); However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2031942/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
