From: djm@openbsd.org Date: Fri, 17 Apr 2020 04:27:03 +0000 (+0000) Subject: upstream: auth2-pubkey r1.89 changed the order of operations to X-Git-Tag: V_8_3_P1~54 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=44ae009a0112081d0d541aeaa90088bedb6f21ce;p=thirdparty%2Fopenssh-portable.git upstream: auth2-pubkey r1.89 changed the order of operations to checking AuthorizedKeysFile first and falling back to AuthorizedKeysCommand if no key was found in a file. Document this order here; bz3134 OpenBSD-Commit-ID: afce0872cbfcfc1d4910ad7722e50f792a1dce12 --- diff --git a/sshd_config.5 b/sshd_config.5 index 5648337a6..b2fda8d52 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.309 2020/04/17 03:30:05 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.310 2020/04/17 04:27:03 djm Exp $ .Dd $Mdocdate: April 17 2020 $ .Dt SSHD_CONFIG 5 .Os @@ -247,12 +247,10 @@ more lines of authorized_keys output (see .Sx AUTHORIZED_KEYS in .Xr sshd 8 ) . -If a key supplied by .Cm AuthorizedKeysCommand -does not successfully authenticate -and authorize the user then public key authentication continues using the usual +is tried after the usual .Cm AuthorizedKeysFile -files. +files and will not be executed if a matching key is found there. By default, no .Cm AuthorizedKeysCommand is run.
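Review bot: In the second hunk of sshd_config.5 (@@ -247,12 +247,10), the new sentence documents the order but leaves out the consequence an administrator most needs to see. Because the command "will not be executed if a matching key is found there", a key left in one of the AuthorizedKeysFile files authenticates the user without AuthorizedKeysCommand ever being consulted. A deployment that relies on the command as its central source of keys therefore cannot use it to withhold or revoke a key that is still present in a file. Consider adding one sentence that says this outright. The removed lines also covered the case where a key supplied by the command "does not successfully authenticate and authorize the user"; the replacement is silent on that case, and a short clause stating what happens then would keep it documented.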