TL;DR
Your sshd service is calling the AuthorizedKeysCommand twice on login, causing performance issues or unexpected behaviour. This usually happens when a user’s shell configuration (like .bashrc or .zshrc) indirectly triggers another ssh connection attempt during login. The fix involves identifying and preventing this recursive call.
Solution
- Understand the Problem: The `AuthorizedKeysCommand` is executed to generate a list of authorized keys for a user. If it’s called twice, it means sshd is running the command unnecessarily. This can happen if your shell setup attempts to connect via SSH itself during login.
- Check System Logs: Examine your system logs (usually `/var/log/auth.log` or `/var/log/secure`) for clues. Look for multiple entries related to the `AuthorizedKeysCommand` execution around the time of a user’s login.
- Identify the Recursive Call: The most common cause is a shell script within the user’s profile (e.g., `~/.bashrc`, `~/.zshrc`) that attempts an SSH connection. Here’s how to find it:
  - Temporarily disable user profiles: Start by disabling the user’s shell configuration files. You can do this by temporarily changing their shell to a minimal one like `/bin/false` or `/bin/sh`.
    ```bash
    sudo usermod -s /bin/false <username>
    ```
  - Test login: Attempt to log in as the user. If the problem disappears, it confirms that a script within their profile is causing the issue.
  - Re-enable and isolate: Revert the shell change.
    ```bash
    sudo usermod -s <original_shell> <username>
    ```
  - Comment out sections of the profile: Start commenting out large blocks of code in the user’s `.bashrc`, `.zshrc` or other relevant profile files one by one, testing login after each change to pinpoint the offending script.
- Prevent the Recursive Call: Once you’ve identified the script causing the issue, there are several ways to prevent it:
  - Conditional Execution: Modify the script to only execute SSH commands when necessary. For example, check whether the script is running inside an SSH session before attempting an SSH connection.
    ```bash
    if [ -z "$SSH_CLIENT" ]; then
        # Only run SSH command if not in an SSH session
        ssh ...
    fi
    ```
  - Environment Variable Check: Set an environment variable during the initial ssh login and check for its presence within the user’s profile scripts. This prevents recursive calls.
    - In `sshd_config`, add a line to set an environment variable on successful authentication (e.g., in the `AuthorizedKeysCommand` or using the `Match User` block). The directive for this is `SetEnv`, available in OpenSSH 7.8 and later:
      ```
      SetEnv SSH_AUTHED=true
      ```
    - Within the user’s profile scripts, check for this variable before executing any SSH commands:
      ```bash
      if [ -z "$SSH_AUTHED" ]; then
          # SSH_AUTHED is unset, so this shell was not started by sshd:
          # running the SSH command here cannot recurse
          ssh ...
      fi
      ```
  - Remove the Unnecessary Command: If the SSH command within the profile is not essential, simply remove it.
- Restart sshd Service: After making changes to `sshd_config` or user profiles, restart the `sshd` service for the changes to take effect.
  ```bash
  sudo systemctl restart sshd
  ```
- Verify the Fix: Log in as the user again and check the system logs. You should only see one execution of the `AuthorizedKeysCommand` per login attempt.
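
To narrow the "Identify the Recursive Call" step before bisecting a profile by hand, the following added example (not part of the original page) lists uncommented lines in a user's startup files that run an SSH client in command position. The file list, the set of client names and the script name `scan_profiles.sh` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): list uncommented lines in a
# user's shell startup files that run an SSH client in command position.

# Startup files read by bash, zsh and sh (assumed default locations).
PROFILE_FILES=".profile .bash_profile .bash_login .bashrc .zshenv .zprofile .zshrc .zlogin"

# scan_file FILE: print "FILE:LINE:text" for each line that invokes ssh, scp,
# sftp, sshfs, autossh or mosh. ssh-add and ssh-agent are local-only and ignored.
scan_file() {
    awk -v file="$1" '
    BEGIN {
        n = split("ssh scp sftp sshfs autossh mosh", c, " ")
        for (i = 1; i <= n; i++) client[c[i]] = 1
        # Words that may precede the real command name.
        n = split("if then else elif do while until ! exec command nohup sudo time", p, " ")
        for (i = 1; i <= n; i++) prefix[p[i]] = 1
    }
    /^[ \t]*#/ { next }                       # whole-line comment
    {
        # Split the line into simple commands at shell separators.
        segs = split($0, seg, /[;|&(){}`]+/)
        for (s = 1; s <= segs; s++) {
            words = split(seg[s], w, /[ \t]+/)
            for (k = 1; k <= words; k++) {
                word = w[k]
                if (word == "" || (word in prefix)) continue
                if (word ~ /^[A-Za-z_][A-Za-z0-9_]*=/) continue   # VAR=value prefix
                sub(/^.*\//, "", word)        # /usr/bin/ssh -> ssh
                if (word in client) { printf "%s:%d:%s\n", file, NR, $0; next }
                break                         # first real word is not an SSH client
            }
        }
    }' "$1"
}

# scan_home DIR: scan every startup file that exists under DIR.
scan_home() {
    for f in $PROFILE_FILES; do
        if [ -f "$1/$f" ]; then scan_file "$1/$f"; fi
    done
}

# Usage: sh scan_profiles.sh /home/<username>
if [ "$#" -gt 0 ]; then scan_home "$1"; fi
```

This is a heuristic: it does not follow files pulled in with `source` or `.`, and it does not expand aliases or functions, so an empty result does not rule out the profile as the cause.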

