** Description changed:

  [Impact]
  
  * User of openssh reported an issue that affects Lunar and Jammy.
  
  * This crash is caused by the wrong pointer manipulation in the if
  statement. The fix is to change the code to check if the value pointed
  to by the pointer 'charptr' is NULL.
  
  [Test Plan]
  
  Launch container:
  $ lxc launch ubuntu:jammy <container-name>
  
  Shell into that container:
  $ lxc shell <container-name>
  
  Create the main directory for our task (e.g. “reproducer”)
  # mkdir reproducer
  
  Go to that directory:
  # cd reproducer
  
  Create 2 more dirs that reflect users:
  # mkdir certuser keyonlyuser
  
  Go to the keyonlyuser:
  # cd keyonlyuser
  
  Do:
  # ssh-keygen -t ed25519 -f key
  
  Go to the certuser:
  # cd /root/reproducer/certuser/
  
  Do:
  # ssh-keygen -t rsa -f ca
  # ssh-keygen -t ed25519 -f key
  # ssh-keygen -s ca -I key_id -n certuser key.pub
  
  Create a script '/root/reproducer/authorized_principals' with permissions 755 
as follows:
  #!/bin/sh
  if [ "$1" = "otheruser" ]; then
  echo certuser
  fi
  
  Exit the file.
  
  Ensure you are in the /root/reproducer/ directory:
  # adduser --disabled-password otheruser
  (Enter multiple times, leave all fields blank)
  
  Then do the same for another user:
  # adduser --disabled-password keyonlyuser
  
  Create a script '/root/reproducer/authorized_keys' with permissions 755 as 
follows:
  #!/bin/sh
  if [ "$1" = "keyonlyuser" ]; then
  echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
  fi
  
- Go to the /etc/ssh/sshd_config
+ Go to the /etc/ssh/sshd_config file.
  Add at the top:
  
  AuthorizedKeysCommand /root/reproducer/authorized_keys %u
  AuthorizedKeysCommandUser root
  
  AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u
  AuthorizedPrincipalsCommandUser root
  TrustedUserCAKeys /root/reproducer/certuser/ca.pub
  
  Exit from the file and restart the ssh service:
- systemctl restart ssh
+ # systemctl restart ssh
  
  Use these commands to manifest the bug:
  
  # ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
  
  # ssh otheruser@localhost -i /root/reproducer/certuser/key -o
  CertificateFile=/root/reproducer/certuser/key-cert.pub
  
  Expected results: both ssh commands should succeed.
  
  Actual results:  the second ssh is fails because the
  AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
  
  [Where problems could occur]
  
  * The patch itself modifies only the servconf.c, so regressions should
  be limited to the server configuration.
  
  * Since the fix touches pointers, there might be regression related to
  memory handling and fetching data.
  
  ---------------------------------original
  report--------------------------
  
  Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
  
                  if (*activep && options->authorized_keys_command == NULL)
                          *charptr = xstrdup(str + len);
  
  However, this is executed for both authorized_keys_command and
  authorized_principals_command. As a result, if authorized_keys_command
  is set (for instance, if using ec2-instance-connect), any
  AuthorizedPrincipalsCommand configuration in sshd_config is ignored.
  This is fixed in 9.4p1 with the attached patch.
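Review bot: in the [Impact] section, the second bullet calls this a crash, but the Test Plan's actual result and the original report describe AuthorizedPrincipalsCommand being ignored when AuthorizedKeysCommand is set, with no crash mentioned anywhere. Reword that bullet to describe the ignored directive so the stated impact matches what the reproducer shows.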

** Description changed:

  [Impact]
  
  * User of openssh reported an issue that affects Lunar and Jammy.
  
  * This crash is caused by the wrong pointer manipulation in the if
  statement. The fix is to change the code to check if the value pointed
  to by the pointer 'charptr' is NULL.
  
  [Test Plan]
  
  Launch container:
  $ lxc launch ubuntu:jammy <container-name>
  
  Shell into that container:
  $ lxc shell <container-name>
  
  Create the main directory for our task (e.g. “reproducer”)
  # mkdir reproducer
  
  Go to that directory:
  # cd reproducer
  
  Create 2 more dirs that reflect users:
  # mkdir certuser keyonlyuser
  
  Go to the keyonlyuser:
  # cd keyonlyuser
  
  Do:
  # ssh-keygen -t ed25519 -f key
  
  Go to the certuser:
  # cd /root/reproducer/certuser/
  
  Do:
  # ssh-keygen -t rsa -f ca
  # ssh-keygen -t ed25519 -f key
  # ssh-keygen -s ca -I key_id -n certuser key.pub
  
  Create a script '/root/reproducer/authorized_principals' with permissions 755 
as follows:
  #!/bin/sh
  if [ "$1" = "otheruser" ]; then
  echo certuser
  fi
  
  Exit the file.
  
  Ensure you are in the /root/reproducer/ directory:
  # adduser --disabled-password otheruser
  (Enter multiple times, leave all fields blank)
  
  Then do the same for another user:
  # adduser --disabled-password keyonlyuser
  
  Create a script '/root/reproducer/authorized_keys' with permissions 755 as 
follows:
  #!/bin/sh
  if [ "$1" = "keyonlyuser" ]; then
  echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
  fi
  
  Go to the /etc/ssh/sshd_config file.
  Add at the top:
  
  AuthorizedKeysCommand /root/reproducer/authorized_keys %u
  AuthorizedKeysCommandUser root
  
  AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u
  AuthorizedPrincipalsCommandUser root
  TrustedUserCAKeys /root/reproducer/certuser/ca.pub
  
  Exit from the file and restart the ssh service:
  # systemctl restart ssh
  
  Use these commands to manifest the bug:
  
  # ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key
  
  # ssh otheruser@localhost -i /root/reproducer/certuser/key -o
  CertificateFile=/root/reproducer/certuser/key-cert.pub
  
  Expected results: both ssh commands should succeed.
  
- Actual results:  the second ssh is fails because the
+ Actual results:  the second ssh fails because the
  AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
  
  [Where problems could occur]
  
  * The patch itself modifies only the servconf.c, so regressions should
  be limited to the server configuration.
  
  * Since the fix touches pointers, there might be regression related to
  memory handling and fetching data.
  
  ---------------------------------original
  report--------------------------
  
  Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
  
                  if (*activep && options->authorized_keys_command == NULL)
                          *charptr = xstrdup(str + len);
  
  However, this is executed for both authorized_keys_command and
  authorized_principals_command. As a result, if authorized_keys_command
  is set (for instance, if using ec2-instance-connect), any
  AuthorizedPrincipalsCommand configuration in sshd_config is ignored.
  This is fixed in 9.4p1 with the attached patch.

https://bugs.launchpad.net/bugs/2031942

Title:
  AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Jammy:
  In Progress
Status in openssh source package in Lunar:
  In Progress
Status in openssh source package in Mantic:
  Fix Released

Bug description:
  [Impact]

  * A user of openssh reported an issue that affects Lunar and Jammy.

  * This crash is caused by the wrong pointer manipulation in the if
  statement. The fix is to change the code to check if the value pointed
  to by the pointer 'charptr' is NULL.

  [Test Plan]

  Launch container:
  $ lxc launch ubuntu:jammy <container-name>

  Shell into that container:
  $ lxc shell <container-name>

  Create the main directory for our task (e.g. “reproducer”)
  # mkdir reproducer

  Go to that directory:
  # cd reproducer

  Create 2 more dirs that reflect users:
  # mkdir certuser keyonlyuser

  Go to the keyonlyuser:
  # cd keyonlyuser

  Do:
  # ssh-keygen -t ed25519 -f key

  Go to the certuser:
  # cd /root/reproducer/certuser/

  Do:
  # ssh-keygen -t rsa -f ca
  # ssh-keygen -t ed25519 -f key
  # ssh-keygen -s ca -I key_id -n certuser key.pub

  Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows:
  #!/bin/sh
  if [ "$1" = "otheruser" ]; then
  echo certuser
  fi

  Exit the file.

  Ensure you are in the /root/reproducer/ directory:
  # adduser --disabled-password otheruser
  (Enter multiple times, leave all fields blank)

  Then do the same for another user:
  # adduser --disabled-password keyonlyuser

  Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows:
  #!/bin/sh
  if [ "$1" = "keyonlyuser" ]; then
  echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
  fi

  Go to the /etc/ssh/sshd_config file.
  Add at the top:

  AuthorizedKeysCommand /root/reproducer/authorized_keys %u
  AuthorizedKeysCommandUser root

  AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u
  AuthorizedPrincipalsCommandUser root
  TrustedUserCAKeys /root/reproducer/certuser/ca.pub

  Exit from the file and restart the ssh service:
  # systemctl restart ssh

  Use these commands to manifest the bug:

  # ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key

  # ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub

  Expected results: both ssh commands should succeed.

  Actual results: the second ssh fails because the
  AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is
  set.

  [Where problems could occur]

  * The patch itself modifies only servconf.c, so regressions should
  be limited to the server configuration.

  * Since the fix touches pointers, there might be regressions related to
  memory handling and fetching data.

  ---------------------------------original report--------------------------

  Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:

                  if (*activep && options->authorized_keys_command == NULL)
                          *charptr = xstrdup(str + len);

  However, this is executed for both authorized_keys_command and
  authorized_principals_command. As a result, if authorized_keys_command
  is set (for instance, if using ec2-instance-connect), any
  AuthorizedPrincipalsCommand configuration in sshd_config is ignored.
  This is fixed in 9.4p1 with the attached patch.
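
The following is an added example, not part of the bug report or of the OpenSSH source. It reduces the shared directive handler to the condition quoted above next to the corrected check on the value `charptr` points to. The struct, the function names and the `fixed` switch are assumptions made for illustration, and the `*activep` test is left out (treated as always true).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reduced stand-in for sshd's ServerOptions: only the two fields involved. */
struct server_options {
    char *authorized_keys_command;
    char *authorized_principals_command;
};

/* One handler serves both directives; charptr points at the field of the
 * directive being parsed. fixed == 0 uses the condition quoted in the
 * report, fixed == 1 checks the value charptr points to instead. */
static void set_command(struct server_options *options, char **charptr,
    const char *value, int fixed)
{
    int unset = fixed ? (*charptr == NULL)
                      : (options->authorized_keys_command == NULL);
    if (unset) {
        *charptr = malloc(strlen(value) + 1);   /* stand-in for xstrdup() */
        if (*charptr == NULL)
            abort();
        strcpy(*charptr, value);
    }
}

/* Parse the two directives in the order the test plan adds them and return
 * 1 if AuthorizedPrincipalsCommand ended up configured, 0 if it was dropped. */
int principals_command_kept(int fixed)
{
    struct server_options o = { NULL, NULL };
    int kept;

    set_command(&o, &o.authorized_keys_command,
        "/root/reproducer/authorized_keys %u", fixed);
    set_command(&o, &o.authorized_principals_command,
        "/root/reproducer/authorized_principals %u", fixed);
    kept = (o.authorized_principals_command != NULL);
    free(o.authorized_keys_command);
    free(o.authorized_principals_command);
    return kept;
}

int main(void)
{
    printf("quoted check: principals kept = %d\n", principals_command_kept(0));
    printf("fixed check:  principals kept = %d\n", principals_command_kept(1));
    return 0;
}
```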
