Hello Matthew, or anyone else affected, Accepted openssh into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:8.9p1-3ubuntu0.4 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-jammy. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/2031942 Title: AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Jammy: Fix Committed Status in openssh source package in Lunar: Fix Committed Status in openssh source package in Mantic: Fix Released Bug description: [Impact] User of openssh reported an issue that affects Lunar and Jammy. If AuthorizedKeysCommand is set, an AuthorizedPrincipalsCommand configuration in sshd_config that comes after it is ignored. In this scenario, where AuthorizedPrincipalsCommand is needed and set, users relying on ssh certificates for authentication will be denied access. [Test Plan] Launch container: $ lxc launch ubuntu:jammy <container-name> Shell into that container: $ lxc shell <container-name> Create the main directory for our task (e.g. “reproducer”) # mkdir reproducer Go to that directory: # cd reproducer Create 2 more dirs that reflect users: # mkdir certuser keyonlyuser Go to the keyonlyuser: # cd keyonlyuser Do: # ssh-keygen -t ed25519 -f key Go to the certuser: # cd /root/reproducer/certuser/ Do: # ssh-keygen -t rsa -f ca # ssh-keygen -t ed25519 -f key # ssh-keygen -s ca -I key_id -n certuser key.pub Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows: #!/bin/sh if [ "$1" = "otheruser" ]; then echo certuser fi Exit the file. Ensure you are in the /root/reproducer/ directory: # adduser --disabled-password otheruser (Enter multiple times, leave all fields blank) Then do the same for another user: # adduser --disabled-password keyonlyuser Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows: #!/bin/sh if [ "$1" = "keyonlyuser" ]; then echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd> fi Go to the /etc/ssh/sshd_config file. Add at the top: AuthorizedKeysCommand /root/reproducer/authorized_keys %u AuthorizedKeysCommandUser root AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u AuthorizedPrincipalsCommandUser root TrustedUserCAKeys /root/reproducer/certuser/ca.pub Exit from the file and restart the ssh service: # systemctl restart ssh Use these commands to manifest the bug: # ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key # ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub Expected results: both ssh commands should succeed. Actual results: the second ssh fails because the AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set. [Where problems could occur] * The patch itself modifies only the servconf.c, so regressions should be limited to the server configuration. * Since the fix touches pointers, there might be regression related to memory handling and fetching data. ---------------------------------original report-------------------------- Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code: if (*activep && options->authorized_keys_command == NULL) *charptr = xstrdup(str + len); However, this is executed for both authorized_keys_command and authorized_principals_command. As a result, if authorized_keys_command is set (for instance, if using ec2-instance-connect), any AuthorizedPrincipalsCommand configuration in sshd_config is ignored. This is fixed in 9.4p1 with the attached patch. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2031942/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp