bugzilla-daemon at bugzilla.mindrot.org
2019-May-18 04:52 UTC
[Bug 3012] New: Token %s (serial number) truncated with AuthorizedPrincipalsCommand configuration
https://bugzilla.mindrot.org/show_bug.cgi?id=3012

Bug ID: 3012
Summary: Token %s (serial number) truncated with AuthorizedPrincipalsCommand configuration
Product: Portable OpenSSH
Version: 8.0p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: manoel.domingues.junior at gmail.com

Created attachment 3285 --> https://bugzilla.mindrot.org/attachment.cgi?id=3285&action=edit
server logs

This bug occurs when we use OpenSSH in conjunction with certificate authentication and the AuthorizedPrincipalsCommand feature. The problem is truncating one of the available tokens (%s) for use with the AuthorizedPrincipalsCommand.

The following is a step-by-step guide to reproduce the bug using Alpine Linux Edge. At the end we explain what happens together with the OpenSSH server logs.

# Configure OpenSSH Client
=========================

## Generating CA

    $ ssh-keygen -t rsa -N '' -f ca

## Generating client key

    $ ssh-keygen -t rsa -N '' -f user

## Sign client key with CA key

    $ ssh-keygen -s ca -I key-id -n manoel.junior -z 18446744073709551615 user.pub

Since I am using an Alpine Linux image, I created a certificate for a user other than root.

    $ useradd manoel.junior

## Check certificate

    $ ssh-keygen -L -f user-cert.pub
    user-cert.pub:
            Type: ssh-rsa-cert-v01 at openssh.com user certificate
            Public key: RSA-CERT SHA256:cpYB3lg6XGt4Z6P6y3KLaMUY3Q0tFIYWkzj4o4Cc3Rg
            Signing CA: RSA SHA256:2tP4NLG6n2Earm2s2rRWvyWhmVOIAo49M1b4/ol9ol0
            Key ID: "key-id"
            Serial: 18446744073709551615
            Valid: forever
            Principals:
                    manoel.junior
            Critical Options: (none)
            Extensions:
                    permit-X11-forwarding
                    permit-agent-forwarding
                    permit-port-forwarding
                    permit-pty
                    permit-user-rc

# Configure OpenSSH Server
=========================

## Configuring OpenSSH to use AuthorizedPrincipalsCommand (/etc/ssh/sshd_config):

    HostKey /etc/ssh/ssh_host_rsa_key
    TrustedUserCAKeys /etc/ssh/cas.pub
    AuthorizedPrincipalsCommand /usr/bin/logger -s %s
    AuthorizedPrincipalsCommandUser root

## Generating host keys

    $ ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa

## Starting OpenSSH at Server

    # /usr/sbin/sshd -f /etc/ssh/sshd_config -e -d -D
    ...
    ... lines omitted (available at debug.txt file) ...
    debug1: userauth_pubkey: test pkalg rsa-sha2-512-cert-v01 at openssh.com pkblob RSA-CERT SHA256:cpYB3lg6XGt4Z6P6y3KLaMUY3Q0tFIYWkzj4o4Cc3Rg CA RSA SHA256:2tP4NLG6n2Earm2s2rRWvyWhmVOIAo49M1b4/ol9ol0 [preauth]
    debug1: temporarily_use_uid: 0/0 (e=0/0)
    debug1: restore_uid: 0/0
    debug1: temporarily_use_uid: 0/0 (e=0/0)
    root: 184467440737095    <<----------------------------------------------------<<<<<<-<<<<<<
    debug1: restore_uid: 0/0
    Certificate does not contain an authorized principal
    debug1: temporarily_use_uid: 1000/1000 (e=0/0)
    debug1: trying public key file /home/manoel.junior/.ssh/authorized_keys
    debug1: Could not open authorized keys '/home/manoel.junior/.ssh/authorized_keys': No such file or directory
    debug1: restore_uid: 0/0
    Failed publickey for manoel.junior from 172.17.0.3 port 54990 ssh2: RSA-CERT SHA256:cpYB3lg6XGt4Z6P6y3KLaMUY3Q0tFIYWkzj4o4Cc3Rg ID key-id (serial 18446744073709551615) CA RSA SHA256:2tP4NLG6n2Earm2s2rRWvyWhmVOIAo49M1b4/ol9ol0
    debug1: userauth-request for user manoel.junior service ssh-connection method publickey [preauth]
    debug1: attempt 3 failures 2 [preauth]
    debug1: userauth_pubkey: test pkalg rsa-sha2-512-cert-v01 at openssh.com pkblob RSA-CERT SHA256:cpYB3lg6XGt4Z6P6y3KLaMUY3Q0tFIYWkzj4o4Cc3Rg CA RSA SHA256:2tP4NLG6n2Earm2s2rRWvyWhmVOIAo49M1b4/ol9ol0 [preauth]
    debug1: temporarily_use_uid: 0/0 (e=0/0)
    debug1: restore_uid: 0/0
    debug1: temporarily_use_uid: 0/0 (e=0/0)
    root: 184467440737095    <<----------------------------------------------------<<<<<<-<<<<<<
    debug1: restore_uid: 0/0
    Certificate does not contain an authorized principal
    ...

At the lines with "root: 184467440737095" we have the execution of the command defined in the AuthorizedPrincipalsCommand (/usr/bin/logger -s %s). As we can see, the certificate was generated with the serial 18446744073709551615, but we see that the serial was truncated to its first 15 characters (184467440737095).

This is because in auth2-pubkey.c at line L421, the serial_s variable has a size of 16 while it should have a size of 21 to allocate the largest possible uint64 (18446744073709551615).

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
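The truncation described in this report, reproduced as an added example in C (this is not OpenSSH's own code): formatting the maximum uint64 serial into a 16-byte buffer keeps only 15 digits, while checking snprintf's return value exposes the truncation and a buffer of at least 21 bytes (20 digits plus NUL; the fix used 32) holds every possible serial. The function names and the helper are assumptions for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Format a uint64 certificate serial into a fixed-size buffer, as the
 * AuthorizedPrincipalsCommand %s expansion must. Returns 1 if the whole
 * value fit, 0 if snprintf had to truncate it. snprintf reports the
 * length it *wanted* to write, so a return value >= bufsz means the
 * caller's buffer was too small. (Hypothetical helper, not OpenSSH code.) */
static int format_serial(char *buf, size_t bufsz, uint64_t serial)
{
    int n = snprintf(buf, bufsz, "%" PRIu64, serial);
    return n >= 0 && (size_t)n < bufsz;
}

/* The pre-fix sizing from the report: a 16-byte buffer holds at most
 * 15 digits, so 18446744073709551615 becomes 184467440737095. */
int serial_fits_in_16(uint64_t serial, char out[16])
{
    return format_serial(out, 16, serial);
}

/* The post-fix sizing (32 bytes per comment #1): any buffer of at least
 * 21 bytes is enough for the 20 decimal digits of UINT64_MAX plus NUL. */
int serial_fits_in_32(uint64_t serial, char out[32])
{
    return format_serial(out, 32, serial);
}

int main(void)
{
    char small[16], big[32];
    uint64_t serial = UINT64_MAX; /* 18446744073709551615, as in the report */

    printf("16-byte buffer: fit=%d value=%s\n",
           serial_fits_in_16(serial, small), small);
    printf("32-byte buffer: fit=%d value=%s\n",
           serial_fits_in_32(serial, big), big);
    return 0;
}
```

The same return-value check is the generic guard against silent snprintf truncation wherever a numeric field is expanded into a command line or log message.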
bugzilla-daemon at bugzilla.mindrot.org
2019-May-18 06:08 UTC
[Bug 3012] Token %s (serial number) truncated with AuthorizedPrincipalsCommand configuration
https://bugzilla.mindrot.org/show_bug.cgi?id=3012

Manoel Domingues Junior <manoel.domingues.junior at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |manoel.domingues.junior at gmail.com
bugzilla-daemon at bugzilla.mindrot.org
2019-May-20 00:26 UTC
[Bug 3012] Token %s (serial number) truncated with AuthorizedPrincipalsCommand configuration
https://bugzilla.mindrot.org/show_bug.cgi?id=3012

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
                 CC|                            |djm at mindrot.org
             Blocks|                            |2988

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I've increased the buffer size to 32 characters. This will be in the OpenSSH 8.1 release - thanks

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2988
[Bug 2988] Tracking bug for 8.1 release
bugzilla-daemon at bugzilla.mindrot.org
2019-Oct-09 04:11 UTC
[Bug 3012] Token %s (serial number) truncated with AuthorizedPrincipalsCommand configuration
https://bugzilla.mindrot.org/show_bug.cgi?id=3012

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Close bugs fixed in openssh-8.1 release cycle