PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

AuthorizedPrincipalsFile - Certificate principal mismatch #1224

Closed rmilojkovic closed 4 years ago

rmilojkovic commented 6 years ago

Please answer the following

"OpenSSH for Windows" version 7.7.2.0

Server OperatingSystem LSB Version: :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch Distributor ID: RedHatEnterpriseServer Description: Red Hat Enterprise Linux Server release 6.7 (Santiago) Release: 6.7 Codename: Santiago

Client OperatingSystem Windows Server Standard 1803

What is failing I'm trying to set up a forced command only for the root user with an authorized_principals file in its home directory, because I'm using SSH user and host CAs in my environment. My attempt results in the error "Certificate does not contain an authorized principal", which is not the case, as the principal name is the same in the authorized_principals file and the SSH user certificate - user@domain.com. The principal name can be anything you like as long as it matches in both the SSH user certificate and authorized_principals/authorized_keys, depending on what you use. I have also tried to change the principal to "user" to avoid using "@" and it still throws the same error "Certificate does not contain an authorized principal". It actually makes no difference for any other user apart from root, if the same authorized_principals file is present in its home. In my case the authorized_keys file should not exist in the user's home directory, because the authorized_principals file should be sufficient.

It's interesting that the same setup works if an authorized_keys file exists. My conclusion is that if TrustedUserCAKeys is defined in the sshd_config file of the remote server, the sshd service will first check the authorized_principals file for a principal match and only if there is no match will it proceed to authorized_keys. In my case the principal is not recognised in the authorized_principals file ("Certificate does not contain an authorized principal") and is then checked in the authorized_keys file, where there is a match.

Configuration files are as follows:

authorized_principals file in home directory of root user: command="/sbin/ifconfig",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding user@domain.com

authorized_keys file in home directory of root user: cert-authority,command="/sbin/ifconfig",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding,principals="user@domain.com" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDFJU7IPlVkSWvMTFVEEaWAuF/6VehtVBEmr0Q4ihqqfnx/JCOzCmhrIcJ+pR+ifOMMriL/6yd7nMQXI8ZFG4j/mTAzbTbV1qK1rhhF5Cjn/Y+zmk47rDD8zANcgdzJ6KyVzjGo6hXdcLuH80QC+OUAttZF0fCNil+48LclsA6tdtCXcl8gkOytbHKYLsT8cYvVdp6vNqBpn7EN7CupQ7+cjfb3iaGOn6LopHwPHA/ccCGTccsRMdqryE085seyoNmGM6bd8K2vkWWzQb/QNQ9NqK+vpzZWKtaY48/F80RAndUQiY5t6am74VLjJrN9VRpKaa1fP+lHahM7nOIi5BT/q2wnKzMzErMAfypy1jGq5PupusZ+CLYHc/qzHm09HCGYYYH6nM0CxhDo1MsUtcyZMDgEr4X8Q41ygdlL+8XIAzY7Oqt18dZPPIvY1mWfiE5z2OdLsyOI7hjsOSoCkLN65rr+z39Una+E66g9GbkTlaFoRXnoEbiuIpASQQY40v2Vz+k0tMqFxaI1VMsxvpg2zOfpRtrRUpOuq2tmNqkOhaHrM6RU4lyV5sgzZLCS1zTdK/9764jTkLYorP3/8GAFSn950sP7bjzWH0ONcWA5kauoyK86BN0ncW/njanxReY0pUbpbtCNo8hjZGH3ZwIfLf4/l5hDUdosCQgd8nnCQ== UserSigningCA

SSH user certificate:

user_key-cert.pub:
Type: ssh-rsa-cert-v01@openssh.com user certificate
Public key: RSA-CERT SHA256:61zNSnUJ/2gyjo838P0U8H8eqQR1EkhJPj7pF9CaxUU
Signing CA: RSA SHA256:AsEE0T/P7Z0o/s6q8egBquay8WLL2sJHOLzYfc3N484
Key ID: "user-0001"
Serial: 0
Valid: from 2018-07-31T11:54:00 to 2020-07-30T11:55:56
Principals:
user@domain.com
Critical Options: (none)
Extensions:
permit-X11-forwarding
permit-agent-forwarding
permit-port-forwarding
permit-pty
permit-user-rc

Related lines from sshd_config file:

Protocol 2

HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
HostKey /etc/ssh/ssh_host_rsa_key

RevokedKeys /etc/ssh/revoked_keys
TrustedUserCAKeys /etc/ssh/user_ca_key.pub

SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel DEBUG

PermitRootLogin forced-commands-only
PubkeyAuthentication yes

AuthorizedKeysFile %h/.ssh/authorized_keys
AuthorizedPrincipalsFile %h/.ssh/authorized_principals

PasswordAuthentication yes
ChallengeResponseAuthentication no

GSSAPIAuthentication no
UsePAM yes

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

X11Forwarding yes
UseDNS no

Subsystem sftp /usr/libexec/openssh/sftp-server

Expected output Certificate principal match in the authorized_principals file, execution of the forced command "/sbin/ifconfig" and session termination.

Actual output

SSH client log:

OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.4
debug3: Failed to open file:C:\\Users\\user/.ssh/config error:2
debug3: Failed to open file:__PROGRAMDATA__\\ssh/ssh_config error:2
debug2: resolving "server.domain.com" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to server.domain.com [10.123.32.108] port 22.
debug1: Connection established.
debug3: Failed to open file:C:\\Users\\user/.ssh/id_rsa error:2
debug3: Failed to open file:C:\\Users\\user/.ssh/id_rsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\user/.ssh/id_rsa type -1
debug3: Failed to open file:C:\\Users\\user/.ssh/id_rsa-cert error:2
debug3: Failed to open file:C:\\Users\\user/.ssh/id_rsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\user/.ssh/id_rsa-cert type -1
debug3: Failed to open file:C:\\Users\\user/.ssh/id_dsa error:2
debug3: Failed to open file:C:\\Users\\user/.ssh/id_dsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\user/.ssh/id_dsa type -1
debug3: Failed to open file:C:\\Users\\user/.ssh/id_dsa-cert error:2
debug3: Failed to open file:C:\\Users\\user/.ssh/id_dsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\user/.ssh/id_dsa-cert type -1
debug3: Failed to open file:C:\\Users\\user/.ssh/id_ecdsa error:2
debug3: Failed to open file:C:\\Users\\user/.ssh/id_ecdsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\user/.ssh/id_ecdsa type -1
debug3: Failed to open file:C:\\Users\\user/.ssh/id_ecdsa-cert error:2
debug3: Failed to open file:C:\\Users\\user/.ssh/id_ecdsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\user/.ssh/id_ecdsa-cert type -1
debug3: Failed to open file:C:\\Users\\user/.ssh/id_ed25519 error:2
debug3: Failed to open file:C:\\Users\\user/.ssh/id_ed25519.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\user/.ssh/id_ed25519 type -1
debug3: Failed to open file:C:\\Users\\user/.ssh/id_ed25519-cert error:2
debug3: Failed to open file:C:\\Users\\user/.ssh/id_ed25519-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\user/.ssh/id_ed25519-cert type -1
debug3: Failed to open file:C:\\Users\\user/.ssh/id_xmss error:2
debug3: Failed to open file:C:\\Users\\user/.ssh/id_xmss.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\user/.ssh/id_xmss type -1
debug3: Failed to open file:C:\\Users\\user/.ssh/id_xmss-cert error:2
debug3: Failed to open file:C:\\Users\\user/.ssh/id_xmss-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\user/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to server.domain.com:22 as 'root'
debug3: Failed to open file:C:\\Users\\user/.ssh/known_hosts error:2
debug3: Failed to open file:C:\\Users\\user/.ssh/known_hosts2 error:2
debug3: hostkeys_foreach: reading file "__PROGRAMDATA__\\ssh/ssh_known_hosts"
debug3: record_hostkey: found ca key type RSA in file __PROGRAMDATA__\\ssh/ssh_known_hosts:1
debug3: load_hostkeys: loaded 1 keys from server.domain.com
debug3: Failed to open file:__PROGRAMDATA__\\ssh/ssh_known_hosts2 error:2
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-rsa-cert-v01@openssh.com
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: MACs ctos: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa-cert-v01@openssh.com
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug3: send packet: type 34
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
debug3: receive packet: type 31
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 1534/3072
debug3: send packet: type 32
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug3: receive packet: type 33
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host certificate: ssh-rsa-cert-v01@openssh.com SHA256:Tnppnu65tPSX3DuEFtkKzh+zjUb+yFy9G1/NE4vIfhI, serial 0 ID "server_host" CA ssh-rsa SHA256:gBElgErk5f5Z2lV/82+f9qQfQPKVb2peqlnFHiM8U84 valid forever
debug2: Server host certificate hostname: server
debug2: Server host certificate hostname: server
debug3: Failed to open file:C:\\Users\\user/.ssh/known_hosts error:2
debug3: Failed to open file:C:\\Users\\user/.ssh/known_hosts2 error:2
debug3: hostkeys_foreach: reading file "__PROGRAMDATA__\\ssh/ssh_known_hosts"
debug3: record_hostkey: found ca key type RSA in file __PROGRAMDATA__\\ssh/ssh_known_hosts:1
debug3: load_hostkeys: loaded 1 keys from server
debug3: Failed to open file:__PROGRAMDATA__\\ssh/ssh_known_hosts2 error:2
debug1: Host 'server.domain.com' is known and matches the RSA-CERT host certificate.
debug1: Found CA key in __PROGRAMDATA__\\ssh/ssh_known_hosts:1
debug2: bits set: 1566/3072
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug2: key: user@it.telekom.yu (000002E5A0C924B0), agent
debug2: key: C:\\Users\\user/.ssh/id_rsa (0000000000000000)
debug2: key: C:\\Users\\user/.ssh/id_dsa (0000000000000000)
debug2: key: C:\\Users\\user/.ssh/id_ecdsa (0000000000000000)
debug2: key: C:\\Users\\user/.ssh/id_ed25519 (0000000000000000)
debug2: key: C:\\Users\\user/.ssh/id_xmss (0000000000000000)
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA-CERT SHA256:61zNSnUJ/2gyjo838P0U8H8eqQR1EkhJPj7pF9CaxUU user@it.telekom.yu
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: C:\\Users\\user/.ssh/id_rsa
debug3: no such identity: C:\\Users\\user/.ssh/id_rsa: No such file or directory
debug1: Trying private key: C:\\Users\\user/.ssh/id_dsa
debug3: no such identity: C:\\Users\\user/.ssh/id_dsa: No such file or directory
debug1: Trying private key: C:\\Users\\user/.ssh/id_ecdsa
debug3: no such identity: C:\\Users\\user/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: C:\\Users\\user/.ssh/id_ed25519
debug3: no such identity: C:\\Users\\user/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: C:\\Users\\user/.ssh/id_xmss
debug3: no such identity: C:\\Users\\user/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug3: failed to open file:/dev/tty error:3
debug1: read_passphrase: can't open /dev/tty: No such file or directory
root@server.domain.com's password:

SSHD server log:

debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 898
debug2: parse_server_config: config /etc/ssh/sshd_config len 898
debug3: /etc/ssh/sshd_config:21 setting Protocol 2
debug3: /etc/ssh/sshd_config:23 setting HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
debug3: /etc/ssh/sshd_config:29 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:32 setting RevokedKeys /etc/ssh/revoked_keys
debug3: /etc/ssh/sshd_config:33 setting TrustedUserCAKeys /etc/ssh/user_ca_key.pub
debug3: /etc/ssh/sshd_config:41 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:42 setting SyslogFacility AUTHPRIV
debug3: /etc/ssh/sshd_config:43 setting LogLevel DEBUG
debug3: /etc/ssh/sshd_config:48 setting PermitRootLogin forced-commands-only
debug3: /etc/ssh/sshd_config:54 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:55 setting AuthorizedKeysFile %h/.ssh/authorized_keys
debug3: /etc/ssh/sshd_config:59 setting AuthorizedPrincipalsFile %h/.ssh/authorized_principals
debug3: /etc/ssh/sshd_config:74 setting PasswordAuthentication yes
debug3: /etc/ssh/sshd_config:78 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:88 setting GSSAPIAuthentication no
debug3: /etc/ssh/sshd_config:104 setting UsePAM yes
debug3: /etc/ssh/sshd_config:107 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
debug3: /etc/ssh/sshd_config:108 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: /etc/ssh/sshd_config:109 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
debug3: /etc/ssh/sshd_config:110 setting AcceptEnv XMODIFIERS
debug3: /etc/ssh/sshd_config:116 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:129 setting UseDNS no
debug3: /etc/ssh/sshd_config:139 setting Subsystem sftp /usr/libexec/openssh/sftp-server
debug1: sshd version OpenSSH_5.3p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key-cert.pub.
debug1: ssh_rsa_verify: signature correct
debug1: host certificate: #0 type 5 RSA-CERT
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug3: oom_adjust_setup
Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 898
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 10.3.10.232 port 63837
debug1: Client protocol version 2.0; client software version OpenSSH_for_Windows_7.7
debug1: match: OpenSSH_for_Windows_7.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 29410
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 74:74
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-rsa-cert-v01@openssh.com
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 856 bytes for a total of 877
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-rsa-cert-v01@openssh.com
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found umac-64@openssh.com
debug1: kex: client->server aes128-ctr umac-64@openssh.com none
debug3: mm_request_send entering: type 78
debug3: mm_request_receive_expect entering: type 79
debug3: mm_request_receive entering
debug3: monitor_read: checking request 78
debug3: mm_request_send entering: type 79
debug3: mm_request_receive entering
debug2: mac_setup: found umac-64@openssh.com
debug1: kex: server->client aes128-ctr umac-64@openssh.com none
debug3: mm_request_send entering: type 78
debug3: mm_request_receive_expect entering: type 79
debug3: mm_request_receive entering
debug3: monitor_read: checking request 78
debug3: mm_request_send entering: type 79
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 2048 3072 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug3: Wrote 408 bytes for a total of 1285
debug2: dh_gen_key: priv key bits set: 124/256
debug2: bits set: 1566/3072
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 1534/3072
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 5
debug3: monitor_read: checking request 5
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x7f33a327f1d0(271)
debug3: mm_request_send entering: type 6
debug2: monitor_read: 5 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 6
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 2216 bytes for a total of 3501
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: Wrote 40 bytes for a total of 3541
debug1: userauth-request for user root service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 7
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 8
debug3: mm_request_receive entering
debug3: monitor_read: checking request 7
debug3: mm_answer_pwnamallow
debug2: parse_server_config: config reprocess config len 898
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 8
debug2: monitor_read: 7 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for root
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 50
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug3: mm_inform_authrole entering
debug3: mm_request_send entering: type 4
debug2: input_userauth_request: try method none
debug3: Wrote 56 bytes for a total of 3597
debug3: monitor_read: checking request 50
debug1: PAM: initializing for "root"
debug1: PAM: setting PAM_RHOST to "10.3.10.232"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 50 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authrole: role=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug1: ssh_rsa_verify: signature correct
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 21
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 22
debug3: mm_request_receive entering
debug3: monitor_read: checking request 21
debug3: mm_answer_keyallowed entering
debug1: ssh_rsa_verify: signature correct
debug3: mm_answer_keyallowed: key_from_blob: 0x7f33a3293910
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying authorized principals file /root/.ssh/authorized_principals
debug1: fd 4 clearing O_NONBLOCK
debug3: secure_filename: checking '/root/.ssh'
debug3: secure_filename: checking '/root'
debug3: secure_filename: terminating check at '/root'
debug1: restore_uid: 0/0
Certificate does not contain an authorized principal
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: Could not open authorized keys '/root/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: Could not open authorized keys '/root/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for root from 10.3.10.232 port 63837 ssh2
debug3: mm_answer_keyallowed: key 0x7f33a3293910 is not allowed
debug3: mm_request_send entering: type 22
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa-cert-v01@openssh.com
debug3: Wrote 56 bytes for a total of 3653

dwatley commented 6 years ago

Try using domain\user for the principal. See this pull request. https://github.com/PowerShell/openssh-portable/pull/286

rmilojkovic commented 6 years ago

I've decided to issue certificates based on the UPN of the domain account they belong to, and this is the only reason why the certificate principal looks like this. Access to the remote Linux machine, as any local user, is controlled via AuthorizedPrincipalsFile, where the certificate owner's principal (in my case the UPN) has to be defined.

It makes no difference whatever you pick as the certificate principal if AuthorizedPrincipalsFile is used, as long as it matches the one in the file. If AuthorizedPrincipalsFile and AuthorizedKeysFile are not used (set to none in sshd_config) and TrustedUserCAKeys is defined, the user certificate principal must match the username (local or domain) on the remote Unix/Windows machine (default behaviour) in order to establish a connection. The alternative is a custom principal in the user certificate and the existence of an AuthorizedKeysFile with the same principal defined (e.g. principals=user@domain.com).

If AuthorizedPrincipalsFile contains just the principal of the used certificate, without key options, the ssh connection can be established successfully and therefore the format of the principal is not a problem.

authorized_principals file in home directory of any user: user@domain.com

If extra key options are added, which are required for the root user forced command, the principal is not recognised. Has anybody managed to successfully use a few key options together with the principal in AuthorizedPrincipalsFile?

I've also checked the sshd_config documentation, but there aren't many details about the mentioned file and I'm not sure if my syntax is correct.

AuthorizedPrincipalsFile Specifies a file that lists principal names that are accepted for certificate authentication. When using certificates signed by a key listed in TrustedUserCAKeys, this file lists names, one of which must appear in the certificate for it to be accepted for authentication. Names are listed one per line preceded by key options (as described in AUTHORIZED_KEYS FILE FORMAT in sshd(8)). Empty lines and comments starting with '#' are ignored.

rmilojkovic commented 6 years ago

@dwatley I forgot to mention that after setting the principal as domain\user, the same error is present - "Certificate does not contain an authorized principal". As I've mentioned in my previous post, the principal can be anything as long as it matches in both the certificate and the authorized_principals file.

Has anybody tested some of the available key options together with a defined principal in AuthorizedPrincipalsFile?

Example of key options that precede the principal: command="/path/somecommand",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding someprincipal
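The sshd_config(5) text quoted above (key options, then one principal per line, one of which must appear in the certificate) and the example line with options are modelled below in Python. This is an added example, not code from the issue or from the Win32-OpenSSH project: it takes the principal from the line as the last whitespace-separated token and parses everything before it as key options with the AUTHORIZED_KEYS quoting rules (a quoted value may contain commas and spaces), then reports which line, if any, authorizes the certificate's principal list. The certificate principal and the root forced-command line are the ones from this thread; the comment line, the second file line and the admin@example.invalid principal are constructed for the example. Because the configuration as pasted in this thread shows typographic quotes, the parser also rejects those explicitly: only the ASCII double quote delimits an option value.

```python
"""Added example (not from the issue or Win32-OpenSSH): check a certificate's
principal list against an authorized_principals file whose lines carry key
options in the AUTHORIZED_KEYS FILE FORMAT of sshd(8)."""

ASCII_QUOTE = '"'
TYPOGRAPHIC_QUOTES = "\u201c\u201d"  # curly quotes that word processors substitute

# Constructed sample input. Line 2 is the root forced-command line discussed in
# the issue (with ASCII quotes); the comment and the admin line are made up.
CERT_PRINCIPALS = ["user@domain.com"]
AUTHORIZED_PRINCIPALS = """\
# principals accepted for root; each line may carry key options
command="/sbin/ifconfig",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding user@domain.com
command="/usr/bin/env ls -l, /tmp",no-pty admin@example.invalid
"""


def parse_options(opts_text):
    """Parse comma-separated key options: `flag`, `name=value`, `name="quoted"`.
    Quoted values may contain commas and spaces; \\" inside quotes is a literal
    quote. Flag options map to True. Raises ValueError on malformed input."""
    opts = {}
    i, n = 0, len(opts_text)
    while i < n:
        j = i
        while j < n and opts_text[j] not in "=,":
            j += 1
        name = opts_text[i:j].strip()
        if not name:
            raise ValueError("empty option name at offset %d" % i)
        value = True
        i = j
        if i < n and opts_text[i] == "=":
            i += 1
            if i < n and opts_text[i] == ASCII_QUOTE:
                i += 1
                buf = []
                while i < n and opts_text[i] != ASCII_QUOTE:
                    if opts_text[i] == "\\" and i + 1 < n and opts_text[i + 1] == ASCII_QUOTE:
                        buf.append(ASCII_QUOTE)
                        i += 2
                        continue
                    buf.append(opts_text[i])
                    i += 1
                if i >= n:
                    raise ValueError("unterminated quote in option %r" % name)
                i += 1  # skip the closing quote
                value = "".join(buf)
            else:
                j = i
                while j < n and opts_text[j] != ",":
                    j += 1
                value = opts_text[i:j]
                i = j
        opts[name] = value
        if i < n:
            if opts_text[i] != ",":
                raise ValueError("expected ',' after option %r" % name)
            i += 1
    return opts


def parse_principals_line(line):
    """Return (options, principal) for one line, or None for blank/comment lines."""
    stripped = line.strip(" \t\r\n")  # tolerate CRLF line endings
    if not stripped or stripped.startswith("#"):
        return None
    if any(q in stripped for q in TYPOGRAPHIC_QUOTES):
        raise ValueError('typographic quotes on line; only ASCII " delimits option values')
    parts = stripped.rsplit(None, 1)  # principal is the last whitespace-separated token
    if len(parts) == 1:
        return {}, parts[0]
    return parse_options(parts[0]), parts[1]


def authorize(cert_principals, file_text):
    """Return (principal, options) for the first line naming one of the
    certificate's principals, or None when no line matches."""
    for line in file_text.splitlines():
        parsed = parse_principals_line(line)
        if parsed is None:
            continue
        opts, principal = parsed
        if principal in cert_principals:
            return principal, opts
    return None


if __name__ == "__main__":
    result = authorize(CERT_PRINCIPALS, AUTHORIZED_PRINCIPALS)
    if result is None:
        print("Certificate does not contain an authorized principal")
    else:
        principal, opts = result
        print("matched %s; forced command: %s" % (principal, opts.get("command", "(none)")))
```

Run stand-alone it prints the matched principal and the forced command taken from the `command=` option. A line with typographic quotes or an unterminated `command="` value raises ValueError rather than being silently skipped, which is the diagnostic that sshd's single "Certificate does not contain an authorized principal" message does not give you when you are checking a file by hand.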

maertendMSFT commented 4 years ago

Please try the latest release

leocoolmitra commented 2 years ago

I have the same issue @rmilojkovic did your issue get fixed

rmilojkovic commented 2 years ago

@leocoolmitra Issue seems to be related to bug in older versions of OpenSSH. I resolved the issue by upgrading to latest version.

leocoolmitra commented 2 years ago

Which version did you upgrade to? Can you please also share with me what to add in the authorized principals file? I am using OpenSSH for Windows 8.1

leocoolmitra commented 2 years ago

Also, I am completely a newbie to this; please also tell me how to create the authorized principals file.

rmilojkovic commented 2 years ago

It was a few years ago, so I'm not sure which version it was. I would suggest using the latest version of OpenSSH for Windows.

The authorized principals file can only contain a list of principals, and those have to be contained in the certificates you intend to use. In my case the file looked like below, as I didn't want to let the user with the certificate get access to a shell, but only force execution of a certain command (e.g. ifconfig).

authorized_principals file in home directory of root user: command="/sbin/ifconfig",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding user@domain.com

Your file can only contain: user@domain.com

leocoolmitra commented 2 years ago

Hello,

Thank you for your reply. I created a file in my programdata/ssh directory using new-item -path c:\programdata\authorized_principles -itemtype file. Then, once the file was created, I right-clicked on it, opened it with Notepad and typed @.***, which is the same user I used as a principal while signing the user certificate. Still the same error.


rmilojkovic commented 2 years ago

The authorized principals file should be deployed under the .ssh directory of the remote user profile you are trying to access with the ssh certificate, unless you have customized the sshd_config file.

Please check the documentation below: Get started with OpenSSH for Windows