upstream: auth2-pubkey r1.89 changed the order of operations to

checking AuthorizedKeysFile first and falling back to AuthorizedKeysCommand if no key was found in a file. Document this order here; bz3134 OpenBSD-Commit-ID: afce0872cbfcfc1d4910ad7722e50f792a1dce12
author: djm@openbsd.org <djm@openbsd.org> 2020-04-17 04:27:03 +0000
committer: Damien Miller <djm@mindrot.org> 2020-04-17 17:17:47 +1000
commit: 44ae009a0112081d0d541aeaa90088bedb6f21ce (patch)
tree: edb664fcec28db5427d24523ff97bbf5e13ff96e
parent: f96f17f920f38ceea6f3c5cb0b075c46b8929fdc (diff)
1 files changed, 3 insertions, 5 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 5648337a6..b2fda8d52 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.309 2020/04/17 03:30:05 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.310 2020/04/17 04:27:03 djm Exp $
 .Dd $Mdocdate: April 17 2020 $
 .Dt SSHD_CONFIG 5
 .Os
@@ -247,12 +247,10 @@ more lines of authorized_keys output (see
 .Sx AUTHORIZED_KEYS
 in
 .Xr sshd 8 ) .
-If a key supplied by
 .Cm AuthorizedKeysCommand
-does not successfully authenticate
+is tried after the usual
-and authorize the user then public key authentication continues using the usual
 .Cm AuthorizedKeysFile
-files.
+files and will not be executed if a matching key is found there.
 By default, no
 .Cm AuthorizedKeysCommand
 is run.
author	djm@openbsd.org <djm@openbsd.org>	2020-04-17 04:27:03 +0000
committer	Damien Miller <djm@mindrot.org>	2020-04-17 17:17:47 +1000
commit	44ae009a0112081d0d541aeaa90088bedb6f21ce (patch)
tree	edb664fcec28db5427d24523ff97bbf5e13ff96e
parent	f96f17f920f38ceea6f3c5cb0b075c46b8929fdc (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 5648337a6..b2fda8d52 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,7 +33,7 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.309 2020/04/17 03:30:05 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.310 2020/04/17 04:27:03 djm Exp $
37	.Dd $Mdocdate: April 17 2020 $	37	.Dd $Mdocdate: April 17 2020 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
@@ -247,12 +247,10 @@ more lines of authorized_keys output (see
247	.Sx AUTHORIZED_KEYS	247	.Sx AUTHORIZED_KEYS
248	in	248	in
249	.Xr sshd 8 ) .	249	.Xr sshd 8 ) .
250	If a key supplied by
251	.Cm AuthorizedKeysCommand	250	.Cm AuthorizedKeysCommand
252	does not successfully authenticate	251	is tried after the usual
253	and authorize the user then public key authentication continues using the usual
254	.Cm AuthorizedKeysFile	252	.Cm AuthorizedKeysFile
255	files.	253	files and will not be executed if a matching key is found there.
256	By default, no	254	By default, no
257	.Cm AuthorizedKeysCommand	255	.Cm AuthorizedKeysCommand
258	is run.	256	is run.