Describe the bug
There is a bug in OpenSSH_8.7p1 where, if both the AuthorizedKeysCommand and AuthorizedPrincipalsCommand parameters are used in sshd_config, the AuthorizedPrincipalsCommand block is ignored and certificate-based auth does not work.
To Reproduce
Here is a sample sshd_config stanza that does not work:
AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
AuthorizedKeysCommandUser ec2-instance-connect
TrustedUserCAKeys /etc/ssh/privx_ca.pub
AuthorizedPrincipalsCommand /etc/ssh/principals_command.sh %u
AuthorizedPrincipalsCommandUser "nobody"
I confirmed the behavior, because when I commented out the AuthorizedKeysCommand and AuthorizedKeysCommandUser entries I was able to ssh using certificates.
This issue is mentioned here: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2031942
Expected behavior
I would expect both AuthorizedKeys and AuthorizedPrincipals to work.
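
An added example, not part of the original report or of OpenSSH: a small Python audit that lists the sshd_config scopes (global or a Match block) where both AuthorizedKeysCommand and AuthorizedPrincipalsCommand are effectively set, which is the combination this report describes. The function names are hypothetical, the Match-block sample is constructed, and Include files are not followed, so pass it the merged configuration or the output of `sshd -T`.

```python
import re

WATCHED = ("authorizedkeyscommand", "authorizedprincipalscommand")
# sshd_config: keyword, then whitespace or an optional '=', then arguments
LINE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")

# Stanza quoted in the report above
REPORTED = """\
AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
AuthorizedKeysCommandUser ec2-instance-connect
TrustedUserCAKeys /etc/ssh/privx_ca.pub
AuthorizedPrincipalsCommand /etc/ssh/principals_command.sh %u
AuthorizedPrincipalsCommandUser "nobody"
"""

# Constructed sample: the two commands only meet inside a Match block
CONSTRUCTED_MATCH = """\
authorizedprincipalscommand = /etc/ssh/principals_command.sh %u
Match User deploy
    AuthorizedKeysCommand /usr/local/bin/fetch_keys %u
Match User backup
    AuthorizedPrincipalsCommand none
"""

def parse_scopes(config_text):
    """Map each scope ('global' or a Match line) to its watched keywords."""
    scopes = {"global": {}}
    scope = "global"
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:  # blank line, comment, or keyword without arguments
            continue
        keyword = m.group(1).lower()  # keywords are case-insensitive
        value = m.group(2).strip().strip('"')
        if keyword == "match":
            scope = "Match " + value
            scopes.setdefault(scope, {})
        elif keyword in WATCHED:
            scopes[scope].setdefault(keyword, value)  # first value wins
    return scopes

def scopes_with_both(config_text):
    """Return scopes where both commands are set to something other than 'none'."""
    scopes = parse_scopes(config_text)
    hits = []
    for scope, local in scopes.items():
        effective = {**scopes["global"], **local}  # Match overrides global
        if all(effective.get(k, "none").lower() != "none" for k in WATCHED):
            hits.append(scope)
    return hits
```
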