Bug 953534

Summary: AuthorizedKeysCommandRunAs doesn't work as documented
Product: [Fedora] Fedora
Component: openssh
Version: 18
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Jan Cholasta <jcholast>
Assignee: Petr Lautrbach <plautrba>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: mattias.ellert, mgrepl, mkosek, plautrba, tmraz
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-04-26 00:57:24 UTC

Description Jan Cholasta 2013-04-18 11:52:10 UTC
Description of problem:

The behavior of the AuthorizedKeysCommandRunAs sshd_config option has been changed in the openssh 6.1p1 package to resemble that of AuthorizedKeysCommandUser in upstream OpenSSH 6.2. Now, when the option is unset, AuthorizedKeysCommand is not run at all and an error message is printed. This does not correspond to what is documented in the sshd_config man page, and breaks applications that depend on the documented behavior (such as IPA).

Please revert to the old behavior in the openssh 6.1p1 package.

Version-Release number of selected component (if applicable):

openssh-server-6.1p1-6 and later

How reproducible:

Always.

Steps to Reproduce:
1. root@host# /usr/sbin/sshd -D -d -p 2222 -o AuthorizedKeysCommand=/bin/echo
2. user@host$ ssh -p 2222 localhost

Actual results:

sshd does not run the specified command; the following line can be seen in the sshd log:

No user for AuthorizedKeysCommand specified, skipping

Expected results:

sshd runs the specified command under the account of the user being authenticated.

Additional info:

Comment 1 Petr Lautrbach 2013-04-22 13:15:10 UTC
You're right, this is an unwanted change for Fedora 18. I've pushed a fixed openssh-6.1p1-akc.patch, which uses the user being authenticated, as documented.

However, this won't work in Fedora 19 (openssh-6.2p1) and later. Users who want this behavior should use
AuthorizedKeysCommandUser %u
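
Added example, not part of the bug report or of the openssh package: a lint for the condition described in this bug, assuming the target sshd skips AuthorizedKeysCommand whenever neither AuthorizedKeysCommandUser nor AuthorizedKeysCommandRunAs is set. The function names, the sample configurations and the path /usr/local/bin/keys are hypothetical.

```python
import re

# Directives that name the run-as account: RunAs (Fedora 6.1p1), User (6.2).
USER_KEYS = ("authorizedkeyscommanduser", "authorizedkeyscommandrunas")
CMD_KEY = "authorizedkeyscommand"

def parse(text):
    """Map scope -> {keyword: value}. Keywords are case-insensitive and the
    first value seen for a keyword within a scope is the one kept."""
    scopes = {"global": {}}
    scope = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" and "Keyword=value" are both accepted forms.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "match":
            scope = "Match " + value
            scopes.setdefault(scope, {})
        else:
            scopes[scope].setdefault(key, value)
    return scopes

def skipped_scopes(text):
    """Scopes where a command is configured but no run-as user is, so sshd
    logs 'No user for AuthorizedKeysCommand specified, skipping'."""
    scopes = parse(text)
    glob = scopes["global"]
    hits = []
    for name, opts in scopes.items():
        touches = CMD_KEY in opts or any(k in opts for k in USER_KEYS)
        if name != "global" and not touches:
            continue  # inherits the global result unchanged
        effective = {**glob, **opts}  # Match values override global ones
        if effective.get(CMD_KEY) and not any(effective.get(k) for k in USER_KEYS):
            hits.append(name)
    return hits

# Constructed sample configurations (not taken from the bug report).
BROKEN = "AuthorizedKeysCommand=/bin/echo\n"
FIXED = "authorizedkeyscommand /bin/echo\nAuthorizedKeysCommandUser %u\n"
MATCH_ONLY = "Match Group admins\n    AuthorizedKeysCommand /usr/local/bin/keys\n"

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED), ("match", MATCH_ONLY)):
        print(label, skipped_scopes(cfg))
```

The check reads a single file's text; options passed with -o on the sshd command line, as in the reproduction steps, are outside what it sees.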

Comment 2 Jan Cholasta 2013-04-22 13:21:16 UTC
Thanks.

As for Fedora 19 and openssh-6.2p1, this is already taken care of: https://fedorahosted.org/freeipa/ticket/3571

Comment 3 Fedora Update System 2013-04-23 10:39:23 UTC
openssh-6.1p1-8.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/FEDORA-2013-5918/openssh-6.1p1-8.fc18

Comment 4 Fedora Update System 2013-04-24 01:25:08 UTC
Package openssh-6.1p1-8.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.1p1-8.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5918/openssh-6.1p1-8.fc18
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2013-04-26 00:57:26 UTC
openssh-6.1p1-8.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.