Created attachment 3285 [details] server logs This bug occurs when we use OpenSSH in conjunction with certificate authentication and the AuthorizedPrincipalsCommand feature. The problem is truncating one of the available tokens (%s) for use with the AuthorizedPrincipalsCommand. The following is a step-by-step guide to reproduce the bug using Alpine Linux Edge. At the end we explain what happens together with the OpenSSH server logs. # Configure OpenSSH Client ========================== ## Generating CA $ ssh-keygen -t rsa -N '' -f ca ## Generating client key $ ssh-keygen -t rsa -N '' -f user ## Sign client key with CA key $ ssh-keygen -s ca -I key-id -n manoel.junior -z 18446744073709551615 user.pub Since I am using an Alpine Linux image, I created a certificate for a user other than root. $ useradd manoel.junior ## Check certificate $ ssh-keygen -L -f user-cert.pub user-cert.pub: Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:cpYB3lg6XGt4Z6P6y3KLaMUY3Q0tFIYWkzj4o4Cc3Rg Signing CA: RSA SHA256:2tP4NLG6n2Earm2s2rRWvyWhmVOIAo49M1b4/ol9ol0 Key ID: "key-id" Serial: 18446744073709551615 Valid: forever Principals: manoel.junior Critical Options: (none) Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc # Configure OpenSSH Server ========================== ## Configuring OpenSSH to use AuthorizedPrincipalsCommand (/etc/ssh/sshd_config): HostKey /etc/ssh/ssh_host_rsa_key TrustedUserCAKeys /etc/ssh/cas.pub AuthorizedPrincipalsCommand /usr/bin/logger -s %s AuthorizedPrincipalsCommandUser root ## Generating host keys $ ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa ## Starting OpenSSH at Server #/usr/sbin/sshd -f /etc/ssh/sshd_config -e -d -D ... ... lines omitted (available at debug.txt file) ... debug1: userauth_pubkey: test pkalg rsa-sha2-512-cert-v01@openssh.com pkblob RSA-CERT SHA256:cpYB3lg6XGt4Z6P6y3KLaMUY3Q0tFIYWkzj4o4Cc3Rg CA RSA SHA256:2tP4NLG6n2Earm2s2rRWvyWhmVOIAo49M1b4/ol9ol0 [preauth] debug1: temporarily_use_uid: 0/0 (e=0/0) debug1: restore_uid: 0/0 debug1: temporarily_use_uid: 0/0 (e=0/0) root: 184467440737095 <<----------------------------------------------------<<<<<<-<<<<<< debug1: restore_uid: 0/0 Certificate does not contain an authorized principal debug1: temporarily_use_uid: 1000/1000 (e=0/0) debug1: trying public key file /home/manoel.junior/.ssh/authorized_keys debug1: Could not open authorized keys '/home/manoel.junior/.ssh/authorized_keys': No such file or directory debug1: restore_uid: 0/0 Failed publickey for manoel.junior from 172.17.0.3 port 54990 ssh2: RSA-CERT SHA256:cpYB3lg6XGt4Z6P6y3KLaMUY3Q0tFIYWkzj4o4Cc3Rg ID key-id (serial 18446744073709551615) CA RSA SHA256:2tP4NLG6n2Earm2s2rRWvyWhmVOIAo49M1b4/ol9ol0 debug1: userauth-request for user manoel.junior service ssh-connection method publickey [preauth] debug1: attempt 3 failures 2 [preauth] debug1: userauth_pubkey: test pkalg rsa-sha2-512-cert-v01@openssh.com pkblob RSA-CERT SHA256:cpYB3lg6XGt4Z6P6y3KLaMUY3Q0tFIYWkzj4o4Cc3Rg CA RSA SHA256:2tP4NLG6n2Earm2s2rRWvyWhmVOIAo49M1b4/ol9ol0 [preauth] debug1: temporarily_use_uid: 0/0 (e=0/0) debug1: restore_uid: 0/0 debug1: temporarily_use_uid: 0/0 (e=0/0) root: 184467440737095 <<----------------------------------------------------<<<<<<-<<<<<< debug1: restore_uid: 0/0 Certificate does not contain an authorized principal ... At lines with "root: 184467440737095" we have the execution of the command defined in the AuthorizedPrincipalsCommand (/usr/bin/logger -s %s). As we can see, the certificate was generated with the serial 18446744073709551615, soon we see that there was the truncation of the serial in the first 15 characters (184467440737095). This is because in auth2-pubkey.c at line L421, the serial_s variable has size of 16 while it should have the size of 21 to allocate the largest possible uint64 (18446744073709551615).
I've increased the buffer size to 32 characters. This will be in the OpenSSH 8.1 release - thanks
Close bugs fixed in openssh-8.1 release cycle