[Bug 3012] New: Token %s (serial number) truncated with AuthorizedPrincipalsCommand configuration
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Sat May 18 14:52:18 AEST 2019
https://bugzilla.mindrot.org/show_bug.cgi?id=3012
Bug ID: 3012
Summary: Token %s (serial number) truncated with
AuthorizedPrincipalsCommand configuration
Product: Portable OpenSSH
Version: 8.0p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: manoel.domingues.junior at gmail.com
Created attachment 3285
--> https://bugzilla.mindrot.org/attachment.cgi?id=3285&action=edit
server logs
This bug occurs when we use OpenSSH in conjunction with certificate
authentication and the AuthorizedPrincipalsCommand feature. The problem
is truncating one of the available tokens (%s) for use with the
AuthorizedPrincipalsCommand.
The following is a step-by-step guide to reproduce the bug using Alpine
Linux Edge. At the end we explain what happens together with the
OpenSSH server logs.
# Configure OpenSSH Client
==========================
## Generating CA
$ ssh-keygen -t rsa -N '' -f ca
## Generating client key
$ ssh-keygen -t rsa -N '' -f user
## Sign client key with CA key
$ ssh-keygen -s ca -I key-id -n manoel.junior -z 18446744073709551615
user.pub
Since I am using an Alpine Linux image, I created a certificate for a
user other than root.
$ useradd manoel.junior
## Check certificate
$ ssh-keygen -L -f user-cert.pub
user-cert.pub:
Type: ssh-rsa-cert-v01 at openssh.com user certificate
Public key: RSA-CERT
SHA256:cpYB3lg6XGt4Z6P6y3KLaMUY3Q0tFIYWkzj4o4Cc3Rg
Signing CA: RSA
SHA256:2tP4NLG6n2Earm2s2rRWvyWhmVOIAo49M1b4/ol9ol0
Key ID: "key-id"
Serial: 18446744073709551615
Valid: forever
Principals:
manoel.junior
Critical Options: (none)
Extensions:
permit-X11-forwarding
permit-agent-forwarding
permit-port-forwarding
permit-pty
permit-user-rc
# Configure OpenSSH Server
==========================
## Configuring OpenSSH to use AuthorizedPrincipalsCommand
(/etc/ssh/sshd_config):
HostKey /etc/ssh/ssh_host_rsa_key
TrustedUserCAKeys /etc/ssh/cas.pub
AuthorizedPrincipalsCommand /usr/bin/logger -s %s
AuthorizedPrincipalsCommandUser root
## Generating host keys
$ ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
## Starting OpenSSH at Server
#/usr/sbin/sshd -f /etc/ssh/sshd_config -e -d -D
...
... lines omitted (available at debug.txt file)
...
debug1: userauth_pubkey: test pkalg rsa-sha2-512-cert-v01 at openssh.com
pkblob RSA-CERT SHA256:cpYB3lg6XGt4Z6P6y3KLaMUY3Q0tFIYWkzj4o4Cc3Rg CA
RSA SHA256:2tP4NLG6n2Earm2s2rRWvyWhmVOIAo49M1b4/ol9ol0 [preauth]
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
root: 184467440737095
<<----------------------------------------------------<<<<<<-<<<<<<
debug1: restore_uid: 0/0
Certificate does not contain an authorized principal
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/manoel.junior/.ssh/authorized_keys
debug1: Could not open authorized keys
'/home/manoel.junior/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for manoel.junior from 172.17.0.3 port 54990 ssh2:
RSA-CERT SHA256:cpYB3lg6XGt4Z6P6y3KLaMUY3Q0tFIYWkzj4o4Cc3Rg ID key-id
(serial 18446744073709551615) CA RSA
SHA256:2tP4NLG6n2Earm2s2rRWvyWhmVOIAo49M1b4/ol9ol0
debug1: userauth-request for user manoel.junior service ssh-connection
method publickey [preauth]
debug1: attempt 3 failures 2 [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-512-cert-v01 at openssh.com
pkblob RSA-CERT SHA256:cpYB3lg6XGt4Z6P6y3KLaMUY3Q0tFIYWkzj4o4Cc3Rg CA
RSA SHA256:2tP4NLG6n2Earm2s2rRWvyWhmVOIAo49M1b4/ol9ol0 [preauth]
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
root: 184467440737095
<<----------------------------------------------------<<<<<<-<<<<<<
debug1: restore_uid: 0/0
Certificate does not contain an authorized principal
...
At lines with "root: 184467440737095" we have the execution of the
command defined in the AuthorizedPrincipalsCommand (/usr/bin/logger -s
%s).
As we can see, the certificate was generated with the serial
18446744073709551615, soon we see that there was the truncation of the
serial in the first 15 characters (184467440737095).
This is because in auth2-pubkey.c at line L421, the serial_s variable
has size of 16 while it should have the size of 21 to allocate the
largest possible uint64 (18446744073709551615).
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list