Bug 3012

Created attachment 3285 [details]
server logs

This bug occurs when we use OpenSSH in conjunction with certificate authentication and the AuthorizedPrincipalsCommand feature. The problem is truncating one of the available tokens (%s) for use with the AuthorizedPrincipalsCommand.
The following is a step-by-step guide to reproduce the bug using Alpine Linux Edge. At the end we explain what happens together with the OpenSSH server logs.

# Configure OpenSSH Client
==========================

## Generating CA
$ ssh-keygen -t rsa -N '' -f ca

## Generating client key
$ ssh-keygen -t rsa -N '' -f user

## Sign client key with CA key
$ ssh-keygen -s ca -I key-id -n manoel.junior -z 18446744073709551615 user.pub

Since I am using an Alpine Linux image, I created a certificate for a user other than root.
$ useradd manoel.junior

## Check certificate
$ ssh-keygen -L -f user-cert.pub 
user-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:cpYB3lg6XGt4Z6P6y3KLaMUY3Q0tFIYWkzj4o4Cc3Rg
        Signing CA: RSA SHA256:2tP4NLG6n2Earm2s2rRWvyWhmVOIAo49M1b4/ol9ol0
        Key ID: "key-id"
        Serial: 18446744073709551615
        Valid: forever
        Principals: 
                manoel.junior
        Critical Options: (none)
        Extensions: 
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc


# Configure OpenSSH Server
==========================

## Configuring OpenSSH to use AuthorizedPrincipalsCommand (/etc/ssh/sshd_config):

HostKey /etc/ssh/ssh_host_rsa_key
TrustedUserCAKeys /etc/ssh/cas.pub
AuthorizedPrincipalsCommand /usr/bin/logger -s %s
AuthorizedPrincipalsCommandUser root

## Generating host keys
$ ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa

## Starting OpenSSH at Server
#/usr/sbin/sshd  -f /etc/ssh/sshd_config -e -d -D
...
... lines omitted (available at debug.txt file)
...
debug1: userauth_pubkey: test pkalg rsa-sha2-512-cert-v01@openssh.com pkblob RSA-CERT SHA256:cpYB3lg6XGt4Z6P6y3KLaMUY3Q0tFIYWkzj4o4Cc3Rg CA RSA SHA256:2tP4NLG6n2Earm2s2rRWvyWhmVOIAo49M1b4/ol9ol0 [preauth]
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
root: 184467440737095 <<----------------------------------------------------<<<<<<-<<<<<<
debug1: restore_uid: 0/0
Certificate does not contain an authorized principal
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/manoel.junior/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/manoel.junior/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for manoel.junior from 172.17.0.3 port 54990 ssh2: RSA-CERT SHA256:cpYB3lg6XGt4Z6P6y3KLaMUY3Q0tFIYWkzj4o4Cc3Rg ID key-id (serial 18446744073709551615) CA RSA SHA256:2tP4NLG6n2Earm2s2rRWvyWhmVOIAo49M1b4/ol9ol0
debug1: userauth-request for user manoel.junior service ssh-connection method publickey [preauth]
debug1: attempt 3 failures 2 [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-512-cert-v01@openssh.com pkblob RSA-CERT SHA256:cpYB3lg6XGt4Z6P6y3KLaMUY3Q0tFIYWkzj4o4Cc3Rg CA RSA SHA256:2tP4NLG6n2Earm2s2rRWvyWhmVOIAo49M1b4/ol9ol0 [preauth]
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
root: 184467440737095 <<----------------------------------------------------<<<<<<-<<<<<<
debug1: restore_uid: 0/0
Certificate does not contain an authorized principal
...

At lines with "root: 184467440737095" we have the execution of the command defined in the AuthorizedPrincipalsCommand (/usr/bin/logger -s %s).
As we can see, the certificate was generated with the serial 18446744073709551615, soon we see that there was the truncation of the serial in the first 15 characters (184467440737095).

This is because in auth2-pubkey.c at line L421, the serial_s variable has size of 16 while it should have the size of 21 to allocate the largest possible uint64 (18446744073709551615).