AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set

Upstream bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3574

The attachment "fix-parsing.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Hi, I assigned myself to the bug and I will deal with it :)

This bug was fixed in the package openssh - 1:9.3p1-1ubuntu3

---------------
openssh (1:9.3p1-1ubuntu3) mantic; urgency=medium

  * d/p/fix-authorized-principals-command.patch: Fix the situation where
    sshd ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand
    is also set by checking if the value pointed to by the pointer
    'charptr' is NULL. (LP: #2031942)

 -- Michal Maloszewski <email address hidden> Thu, 24 Aug 2023 15:20:27 +0200

Hello Matthew, or anyone else affected,

Accepted openssh into lunar-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:9.0p1-1ubuntu8.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-lunar to verification-done-lunar. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-lunar. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Matthew, or anyone else affected,

Accepted openssh into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:8.9p1-3ubuntu0.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted openssh (1:9.0p1-1ubuntu8.5) for lunar have finished running.
The following regressions have been reported in tests triggered by the package:

ganeti/3.0.2-3 (armhf)
gvfs/1.50.4-1 (arm64)
lava/unknown (amd64)
oz/unknown (i386)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/lunar/update_excuses.html#openssh

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted openssh (1:8.9p1-3ubuntu0.4) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

ganeti/3.0.2-1ubuntu1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#openssh

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests have been cleared after retries (both lunar and jammy ones).

Verified for lunar and jammy:

# lxc launch ubuntu:jammy test-openssh-lunar
# lxc exec test-openssh-lunar bash

# cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF

# apt update && apt dist-upgrade -y

# mkdir reproducer
# cd reproducer
# mkdir certuser keyonlyuser
# cd keyonlyuser

# ssh-keygen -t ed25519 -f key
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in key
Your public key has been saved in key.pub
...

# cd ../certuser/

# ssh-keygen -t rsa -f ca
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ca
Your public key has been saved in ca.pub

# ssh-keygen -t ed25519 -f key
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in key
Your public key has been saved in key.pub

# ssh-keygen -s ca -I key_id -n certuser key.pub
Signed user key key-cert.pub: id "key_id" serial 0 for certuser valid forever

# cd ..
# cat <<EOF >authorized_principals
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
EOF

# chmod 755 authorized_principals

# adduser --disabled-password otheruser
Adding user `otheruser' ...
Adding new group `otheruser' (1001) ...
Adding new user `otheruser' (1001) with group `otheruser' ...
Creating home directory `/home/otheruser' ...
Copying files from `/etc/skel' ...
Changing the user information for otheruser
Enter the new value, or press ENTER for the default
 Full Name []:
 Room Number []:
 Work Phone []:
 Home Phone []:
 Other []:
Is the information correct? [Y/n] y

# adduser --disabled-password keyonlyuser
Adding user `keyonlyuser' ...
Adding new group `keyonlyuser' (1002) ...
Adding new user `keyonlyuser' (1002) with group `keyonlyuser' ...
Creating home directory `/home/keyonlyuser' ...
Copying files from `/etc/skel' ...
Changing the user information for keyonlyuser
Enter the new value, or press ENTER for the default
 Full Name []:
 Room Number []:
 Work Phone []:
 Home Phone []:
 Other []:
Is the information correct? [Y/n] y

# cat <<EOF >authorized_keys
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbBpE1TDzG48CLKI6bWQbIE87ke4ZJmgFQ0LFnYyikT root@test-openssh-lunar"
fi
EOF

# chmod 755 authorized_keys

# vi /etc/ssh/sshd_config
i
AuthorizedKeysCommand /root/reproducer/authorized_keys %u
AuthorizedKeysCommandUser root

AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u
AuthorizedPrincipalsCommandUser root

TrustedUserCAKeys /root/reproducer/certuser/ca.pub
[esc]
:wq

# systemctl restart ssh

# ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ED25519 key fingerprint is SHA256:hCVcIK0Q/jBlQqqyEAcGnxgXnd46/kaT7j+78BobN2E.
This key is not known by any other names
Are you sure you want to continue...

This bug was fixed in the package openssh - 1:9.0p1-1ubuntu8.5

---------------
openssh (1:9.0p1-1ubuntu8.5) lunar; urgency=medium

  * d/p/fix-authorized-principals-command.patch: Fix the situation where
    sshd ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand
    is also set by checking if the value pointed to by the pointer
    'charptr' is NULL. (LP: #2031942)

 -- Michal Maloszewski <email address hidden> Thu, 24 Aug 2023 15:52:47 +0200

The verification of the Stable Release Update for openssh has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package openssh - 1:8.9p1-3ubuntu0.4

---------------
openssh (1:8.9p1-3ubuntu0.4) jammy; urgency=medium

  * d/p/fix-authorized-principals-command.patch: Fix the situation where
    sshd ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand
    is also set by checking if the value pointed to by the pointer
    'charptr' is NULL. (LP: #2031942)

 -- Michal Maloszewski <email address hidden> Thu, 24 Aug 2023 15:40:24 +0200