[Bug 3950] New: principals= keyopt auth bypass via comma-split in match_principals_option (≤10.2p1, silently fixed fd1c7e1, no CVE)

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Apr 20 11:25:09 AEST 2026 

https://bugzilla.mindrot.org/show_bug.cgi?id=3950

            Bug ID: 3950
           Summary: principals= keyopt auth bypass via comma-split in
                    match_principals_option (≤10.2p1, silently fixed
                    fd1c7e1, no CVE)
           Product: Portable OpenSSH
           Version: 10.2p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: ashishkunwar280 at gmail.com

Created attachment 3957
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3957&action=edit
Full validation report: root cause analysis, pre/post-fix code diff, 5
test case results (bypass confirmed on 10.2p1, fix confirmed on
fd1c7e1), and reproduction steps.

== Summary ==
match_principals_option() calls match_list() which strsep()-splits BOTH
the cert 
principal AND the authorized_keys principals= list on commas. A cert
signed with 
principal "bob,root" (one entry, embedded comma) splits into tokens
["bob","root"] 
at auth time. If any token matches an allowed principal, authentication
succeeds — 
bypassing the principals= restriction.

== Affected versions ==
All OpenSSH ≥ 5.4 up to and including 10.2p1 (authorized_keys
principals= keyopt path only).
AuthorizedPrincipalsFile path is NOT affected (uses strcmp directly).

== Silent fix ==
Fixed in commit fd1c7e1 (2026-04-02) with no CVE assigned and no
security advisory.
The commit message only mentions an unrelated ECDSA algorithm matching
change.
Distributions shipping 10.2p1 remain vulnerable with no notification.

== Root cause ==
Pre-fix (auth2-pubkeyfile.c @ 487e8ac):
  match_list(cert->principals[i], principal_list, NULL)
  → strsep() splits cert->principals[i] on commas → bypass

Post-fix (fd1c7e1):
  strsep() only splits the config list; strcmp() used against raw cert
principal → no split

== Preconditions ==
1. Attacker holds a private key
2. CA trusted by target sshd signs a cert with embedded comma in
principal (e.g. "bob,root")
3. authorized_keys uses principals= keyopt

== Attack scenario ==
Enterprise CA APIs (HashiCorp Vault SSH, Teleport, step-ca) may allow
requesting 
certs with arbitrary principal strings. Attacker requests principal
"attacker,admin", 
bypassing the principals= restriction that should limit them to
"attacker" only.

== Validation ==
Fully validated against real sshd built at pre-fix commit 487e8ac:
- CASE 1: cert "bob,root" vs principals="alice,bob" → BYPASSED (auth
succeeds)
- CASE 2: cert "bob" vs principals="alice,bob" → auth succeeds
(expected)
- CASE 3: cert "eve" vs principals="alice,bob" → denied (expected)
- CASE 4: cert "bob,root" vs post-fix sshd → denied (fix works)

PoC: Go tool using x/crypto/ssh to sign certs with literal comma in
principal string.

== Request ==
Please assign a CVE and issue a security advisory so downstream
distributions 
can notify their users.

Reporter: Ashish Kunwar

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list