Multiple AuthorizedKeysCommand Executions

On 30.09.21 08:32, Jan Damborsky wrote:
> I am now in the process of preparing a patch for OpenSSH 8.4p1
> to address CVE-2021-41617 (fixed in OpenSSH 8.8p1),

While I double-checked this (with extra logging of the AuthorizedKeysCommand), I found that the AKC seems to be run *two or three times* for a single login:

sshd/AKC[15524]: [REDACTED] pubkeys found for [REDACTED]
sshd/AKC[15535]: [REDACTED] pubkeys found for [REDACTED]
sshd[15512]: Postponed publickey for [REDACTED] from [REDACTED] port 36140 ssh2 [preauth]
sshd/AKC[15546]: [REDACTED] pubkeys found for [REDACTED]
sshd[15512]: Accepted publickey for [REDACTED] from [REDACTED] port 36140 ssh2: RSA SHA256:[REDACTED]
sshd[15512]: pam_unix(sshd:session): session opened for user [REDACTED] by (uid=0)
sshd[15512]: session opened for local user [REDACTED] from [REDACTED] [postauth]
sshd[15512]: open "[REDACTED]" flags READ mode 0666 [postauth]
sshd[15512]: close "[REDACTED]" bytes read 20256 written 0 [postauth]
sshd[15512]: session closed for local user [REDACTED] from [REDACTED] [postauth]
sshd[15512]: Received disconnect from [REDACTED] port 36140:11: disconnected by user [postauth]
sshd[15512]: Disconnected from [REDACTED] port 36140 [postauth]
sshd[15512]: pam_unix(sshd:session): session closed for user [REDACTED]

I realize that it *might* be necessary to run the AKC repeatedly *if* the %f or %t tokens were used in the command line configured for it, but I've configured it sans parameters (so %u is thrown in as the default) and I doubt that the client has several keypairs to try, either. Is this repeated execution the expected behavior ... ?

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
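An instrumented AuthorizedKeysCommand, added here as an example; it is not code from the post above or from OpenSSH. sshd consults the command on every publickey request, including the unsigned key query that precedes the signed attempt, so passing %t and %f on the command line and logging them per invocation shows whether repeated runs concern different keys or the same key at different stages of the exchange. The key directory layout ($AKC_KEYDIR/<user>.pub), the AKC_LOG variable, and writing to a file or stderr instead of logger(1) are assumptions of this example; the sshd_config lines in the header comment use only documented tokens.

```shell
#!/bin/sh
# akc-logged: an AuthorizedKeysCommand that logs every invocation before
# answering it. Added example, not code from the post above or from OpenSSH.
#
# Suggested sshd_config (the command must be an absolute path, owned by root
# and not writable by group or others, or sshd refuses to run it, and
# AuthorizedKeysCommandUser must be set):
#
#   AuthorizedKeysCommand     /usr/local/sbin/akc-logged %u %t %f
#   AuthorizedKeysCommandUser nobody
#
# Assumptions of this example: keys live in $AKC_KEYDIR/<user>.pub (plain
# authorized_keys syntax, one key per line), and each invocation is logged as a
# "sshd/AKC[pid]: ..." line to the file named by $AKC_LOG, or to stderr when
# AKC_LOG is unset (a stand-in for logger -t sshd/AKC).

AKC_KEYDIR="${AKC_KEYDIR:-/etc/ssh/authorized_keys.d}"

# akc_log MESSAGE...: one line per invocation, tagged with this process's PID
# so that separate executions by sshd can be told apart in the log.
akc_log() {
    if [ -n "${AKC_LOG:-}" ]; then
        printf 'sshd/AKC[%s]: %s\n' "$$" "$*" >> "$AKC_LOG"
    else
        printf 'sshd/AKC[%s]: %s\n' "$$" "$*" >&2
    fi
}

# akc_lookup USER [KEYTYPE [FINGERPRINT]]
# Writes USER's authorized_keys lines to stdout, which is what sshd reads,
# and returns 0. Returns 1 when the user has no keys and 2 when the user
# name is rejected (sshd validates it already; this is defence in depth
# because the name becomes part of a path).
akc_lookup() {
    user=$1
    ktype=${2:-}
    fp=${3:-}
    case $user in
        ''|.*|*[!A-Za-z0-9._@-]*)
            akc_log "refusing user name '$user'"
            return 2 ;;
    esac
    keyfile="$AKC_KEYDIR/$user.pub"
    if [ ! -f "$keyfile" ]; then
        akc_log "0 pubkeys found for $user"
        return 1
    fi
    # Drop blank lines and comments; everything else is handed to sshd as-is.
    keys=$(grep -Ev '^[[:space:]]*(#|$)' "$keyfile" || true)
    n=$(printf '%s\n' "$keys" | grep -c . || true)
    if [ -n "$ktype$fp" ]; then
        # sshd only fills %t/%f when it is asking about one specific key.
        akc_log "$n pubkeys found for $user (asked about $ktype $fp)"
    else
        akc_log "$n pubkeys found for $user"
    fi
    if [ "$n" -gt 0 ]; then
        printf '%s\n' "$keys"
        return 0
    fi
    return 1
}

# Entry point when sshd runs the script; no-op when sourced without arguments.
[ "$#" -eq 0 ] || akc_lookup "$@"
```

With %t %f configured, each log line carries the key sshd asked about, so a log like the one in the post would show whether the three runs belong to three different offered keys or to the query and the signed attempt for the same key. Without those tokens, sshd only passes %u, so the invocations are indistinguishable apart from their PIDs.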
