Code review comment for ~michal-maloszewski99/ubuntu/+source/openssh:mantic-openssh-lp2031942

Sergio Durigan Junior (sergiodj) wrote :

Thanks, Michal.

LGTM. This actually fixes the bug. I suspect that the reason you are not able to verify is because the process is (much) more involved.

You have to set up the Authorized*Commands scripts making sure to set their permission bits exactly as openssh expects. You also need to configure openssh to authenticate users using signed keys with principals (see https://dmuth.medium.com/ssh-at-scale-cas-and-principals-b27edca3a5d which contains a good initial guide on how to do this). Finally, it's really important to declare AuthorizedKeysCommands *before* AuthorizedPrincipalCommands, otherwise the bug won't manifest due to the way the config file parsing is done.

After all that, you should finally be able to verify the bug manifesting, and also see it being fixed with the proposed change.

I'll go ahead and upload this one because it doesn't require an SRU text.

Uploaded:

$ dput openssh_9.3p1-1ubuntu3_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/openssh/openssh_9.3p1-1ubuntu3_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/openssh/openssh_9.3p1-1ubuntu3.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openssh_9.3p1-1ubuntu3.dsc: done.
  Uploading openssh_9.3p1-1ubuntu3.debian.tar.xz: done.
  Uploading openssh_9.3p1-1ubuntu3_source.buildinfo: done.
  Uploading openssh_9.3p1-1ubuntu3_source.changes: done.
Successfully uploaded packages.

review: Approve
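
A preflight check for the reproduction setup described in the comment above, as an added example that is not part of the review or of openssh. It uses the keyword spellings from sshd_config(5) (AuthorizedKeysCommand, AuthorizedPrincipalsCommand), assumes GNU stat as on Ubuntu, looks only at the first uncommented occurrence of each keyword, and checks the program file itself rather than its parent directories; the function names and the owner-uid parameter are hypothetical.

```shell
#!/bin/sh
# Added example: checks directive order and program permissions in an sshd_config.

# Line number of the first active (uncommented) occurrence of a keyword.
# sshd_config keywords are case-insensitive.
directive_line() {
    awk -v kw="$2" 'tolower($1) == tolower(kw) { print NR; exit }' "$1"
}

# First argument of that directive, i.e. the program path.
directive_path() {
    awk -v kw="$2" 'tolower($1) == tolower(kw) { print $2; exit }' "$1"
}

# sshd_config(5): the program must be specified by an absolute path, owned by
# root, and not writable by group or others. $2 overrides the expected owner
# uid (hypothetical parameter, so the check can be exercised as non-root).
check_program() {
    case "$1" in /*) ;; *) echo "not an absolute path: $1"; return 1 ;; esac
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    [ "$(stat -c %u "$1")" = "${2:-0}" ] || { echo "wrong owner: $1"; return 1; }
    mode=$(stat -c %a "$1")
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "group/other writable ($mode): $1"; return 1; }
}

# Returns 0 only if both directives are present, AuthorizedKeysCommand is
# declared first, and both programs pass check_program.
check_repro_config() {
    conf=$1 uid=${2:-0}
    k=$(directive_line "$conf" AuthorizedKeysCommand)
    p=$(directive_line "$conf" AuthorizedPrincipalsCommand)
    [ -n "$k" ] && [ -n "$p" ] || { echo "both directives must be set"; return 1; }
    [ "$k" -lt "$p" ] || {
        echo "AuthorizedKeysCommand (line $k) is not before AuthorizedPrincipalsCommand (line $p)"
        return 1
    }
    check_program "$(directive_path "$conf" AuthorizedKeysCommand)" "$uid" &&
    check_program "$(directive_path "$conf" AuthorizedPrincipalsCommand)" "$uid"
}
```

Run it as `check_repro_config /etc/ssh/sshd_config` after sourcing the file; a non-zero return names the first requirement that is not met.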
