TL;DR
Your sshd service is calling the AuthorizedKeysCommand twice on login, causing performance issues or unexpected behaviour. This usually happens when a user’s shell configuration (like .bashrc or .zshrc) indirectly triggers another ssh connection attempt during login. The fix involves identifying and preventing this recursive call.
Solution
- Understand the Problem: The
AuthorizedKeysCommandis executed to generate a list of authorized keys for a user. If it’s called twice, it means sshd is running the command unnecessarily. This can happen if your shell setup attempts to connect via SSH itself during login. - Check System Logs: Examine your system logs (usually
/var/log/auth.logor/var/log/secure) for clues. Look for multiple entries related to theAuthorizedKeysCommandexecution around the time of a user’s login. - Identify the Recursive Call: The most common cause is a shell script within the user’s profile (e.g.,
~/.bashrc,~/.zshrc) that attempts an SSH connection. Here’s how to find it:- Temporarily disable user profiles: Start by disabling the user’s shell configuration files. You can do this by temporarily changing their shell to a minimal one like
/bin/falseor/bin/sh.sudo usermod -s /bin/false - Test login: Attempt to log in as the user. If the problem disappears, it confirms that a script within their profile is causing the issue.
- Re-enable and isolate: Revert the shell change.
sudo usermod -s - Comment out sections of the profile: Start commenting out large blocks of code in the user’s
.bashrc,.zshrcor other relevant profile files one by one, testing login after each change to pinpoint the offending script.
- Temporarily disable user profiles: Start by disabling the user’s shell configuration files. You can do this by temporarily changing their shell to a minimal one like
- Prevent the Recursive Call: Once you’ve identified the script causing the issue, there are several ways to prevent it:
- Conditional Execution: Modify the script to only execute SSH commands when necessary. For example, check if the script is being run interactively before attempting an SSH connection.
if [ -z "$SSH_CLIENT" ]; then # Only run SSH command if not in an SSH session ssh ... fi - Environment Variable Check: Set an environment variable during the initial ssh login and check for its presence within the user’s profile scripts. This prevents recursive calls.
- In
sshd_config, add a line to set an environment variable on successful authentication (e.g., in the `AuthorizedKeysCommand` or using the `Match User` block):Environment SSH_AUTHED=true - Within the user’s profile scripts, check for this variable before executing any SSH commands:
if [ -z "$SSH_AUTHED" ]; then # Only run SSH command if authenticated via sshd ssh ... fi
- In
- Remove the Unnecessary Command: If the SSH command within the profile is not essential, simply remove it.
- Conditional Execution: Modify the script to only execute SSH commands when necessary. For example, check if the script is being run interactively before attempting an SSH connection.
- Restart sshd Service: After making changes to
sshd_configor user profiles, restart thesshdservice for the changes to take effect.sudo systemctl restart sshd - Verify the Fix: Log in as the user again and check the system logs. You should only see one execution of the
AuthorizedKeysCommandper login attempt.