Hello,
I’m trying to set up forced-command-only login for the root user with an authorized_principals file in its home directory, because I’m using SSH user and host CAs in my environment. My attempt results in the error “Certificate does not contain an authorized principal”, which is not the case, as the principal name is the same in the authorized_principals file and the SSH user certificate: us...@domain.com. The principal name can be anything you like; it only has to match in both the SSH user certificate and authorized_principals/authorized_keys, depending on which you use. I have also tried changing the principal to “user” to avoid using “@”, and it still throws the same error “Certificate does not contain an authorized principal”. In my case the authorized_keys file should not exist in the user’s home directory, because the authorized_principals file should be sufficient.
It’s interesting that the same setup works if an authorized_keys file is used instead, and it has a similar syntax to the authorized_principals file. Maybe I’m missing something, because it looks like a syntax issue…
authorized_principals file in the home directory of the root user:
command="/sbin/ifconfig",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding us...@domain.com
authorized_keys file in the home directory of the root user:
cert-authority,command="/sbin/ifconfig",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding,principals="us...@domain.com" ssh-rsa <CA public key, base64 omitted> UserSigningCA
SSH user certificate:
user_key-cert.pub:
Type: ssh-rsa-...@openssh.com user certificate
Public key: RSA-CERT SHA256:61zNSnUJ/2gyjo838P0U8H8eqQR1EkhJPj7pF9CaxUU
Signing CA: RSA SHA256:AsEE0T/P7Z0o/s6q8egBquay8WLL2sJHOLzYfc3N484
Key ID: "user-0001"
Serial: 0
Valid: from 2018-07-31T11:54:00 to 2020-07-30T11:55:56
Principals:
us...@domain.com
Critical Options: (none)
Extensions:
permit-X11-forwarding
permit-agent-forwarding
permit-port-forwarding
permit-pty
permit-user-rc
Related lines from the sshd_config file:
TrustedUserCAKeys /etc/ssh/user_ca_key.pub
PermitRootLogin forced-commands-only
AuthorizedKeysFile %h/.ssh/authorized_keys
AuthorizedPrincipalsFile %h/.ssh/authorized_principals
My conclusion is that if TrustedUserCAKeys is defined in the sshd_config file of the remote server, the sshd service will first check the authorized_principals file for a principal match, and only if there is no match will it proceed to authorized_keys. This can be seen in the server logs.
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 898
debug2: parse_server_config: config /etc/ssh/sshd_config len 898
debug3: /etc/ssh/sshd_config:21 setting Protocol 2
debug3: /etc/ssh/sshd_config:23 setting HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
debug3: /etc/ssh/sshd_config:29 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:32 setting RevokedKeys /etc/ssh/revoked_keys
debug3: /etc/ssh/sshd_config:33 setting TrustedUserCAKeys /etc/ssh/user_ca_key.pub
debug3: /etc/ssh/sshd_config:41 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:42 setting SyslogFacility AUTHPRIV
debug3: /etc/ssh/sshd_config:43 setting LogLevel DEBUG
debug3: /etc/ssh/sshd_config:48 setting PermitRootLogin forced-commands-only
debug3: /etc/ssh/sshd_config:54 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:55 setting AuthorizedKeysFile %h/.ssh/authorized_keys
debug3: /etc/ssh/sshd_config:59 setting AuthorizedPrincipalsFile %h/.ssh/authorized_principals
debug3: /etc/ssh/sshd_config:74 setting PasswordAuthentication yes
debug3: /etc/ssh/sshd_config:78 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:88 setting GSSAPIAuthentication no
debug3: /etc/ssh/sshd_config:104 setting UsePAM yes
debug3: /etc/ssh/sshd_config:107 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
debug3: /etc/ssh/sshd_config:108 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: /etc/ssh/sshd_config:109 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
debug3: /etc/ssh/sshd_config:110 setting AcceptEnv XMODIFIERS
debug3: /etc/ssh/sshd_config:116 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:129 setting UseDNS no
debug3: /etc/ssh/sshd_config:139 setting Subsystem sftp /usr/libexec/openssh/sftp-server
debug1: sshd version OpenSSH_5.3p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key-cert.pub.
debug1: ssh_rsa_verify: signature correct
debug1: host certificate: #0 type 5 RSA-CERT
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug3: oom_adjust_setup
Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 898
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from X.X.X.X port 49780
debug1: Client protocol version 2.0; client software version OpenSSH_for_Windows_7.7
debug1: match: OpenSSH_for_Windows_7.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 15856
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 74:74
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-rsa-...@openssh.com
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 856 bytes for a total of 877
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-rsa-...@openssh.com
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijnda...@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijnda...@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,uma...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,uma...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zl...@openssh.com
debug2: kex_parse_kexinit: none,zl...@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256,curve255...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: kex_parse_kexinit: ecdsa-sha2-nis...@openssh.com,ecdsa-sha2-nis...@openssh.com,ecdsa-sha2-nis...@openssh.com,ssh-ed2551...@openssh.com,ssh-rsa-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: kex_parse_kexinit: chacha20...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes12...@openssh.com,aes25...@openssh.com
debug2: kex_parse_kexinit: chacha20...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes12...@openssh.com,aes25...@openssh.com
debug2: kex_parse_kexinit: umac-...@openssh.com,umac-1...@openssh.com,hmac-sha...@openssh.com,hmac-sha...@openssh.com,hmac-s...@openssh.com,uma...@openssh.com,umac...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: umac-...@openssh.com,umac-1...@openssh.com,hmac-sha...@openssh.com,hmac-sha...@openssh.com,hmac-s...@openssh.com,uma...@openssh.com,umac...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found uma...@openssh.com
debug1: kex: client->server aes128-ctr uma...@openssh.com none
debug3: mm_request_send entering: type 78
debug3: mm_request_receive_expect entering: type 79
debug3: mm_request_receive entering
debug3: monitor_read: checking request 78
debug3: mm_request_send entering: type 79
debug3: mm_request_receive entering
debug2: mac_setup: found uma...@openssh.com
debug1: kex: server->client aes128-ctr uma...@openssh.com none
debug3: mm_request_send entering: type 78
debug3: mm_request_receive_expect entering: type 79
debug3: mm_request_receive entering
debug3: monitor_read: checking request 78
debug3: mm_request_send entering: type 79
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 2048 3072 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug3: Wrote 408 bytes for a total of 1285
debug2: dh_gen_key: priv key bits set: 133/256
debug2: bits set: 1555/3072
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 1538/3072
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 5
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 6
debug3: mm_request_receive entering
debug3: monitor_read: checking request 5
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x7fb71cdd13c0(271)
debug3: mm_request_send entering: type 6
debug2: monitor_read: 5 used once, disabling now
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 2216 bytes for a total of 3501
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: Wrote 40 bytes for a total of 3541
debug1: userauth-request for user root service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 7
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 8
debug3: mm_request_receive entering
debug3: monitor_read: checking request 7
debug3: mm_answer_pwnamallow
debug2: parse_server_config: config reprocess config len 898
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 8
debug2: monitor_read: 7 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for root
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 50
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug3: mm_inform_authrole entering
debug3: mm_request_send entering: type 4
debug2: input_userauth_request: try method none
debug3: Wrote 56 bytes for a total of 3597
debug3: monitor_read: checking request 50
debug1: PAM: initializing for "root"
debug1: PAM: setting PAM_RHOST to "X.X.X.X"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 50 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authrole: role=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug1: ssh_rsa_verify: signature correct
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 21
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 22
debug3: mm_request_receive entering
debug3: monitor_read: checking request 21
debug3: mm_answer_keyallowed entering
debug1: ssh_rsa_verify: signature correct
debug3: mm_answer_keyallowed: key_from_blob: 0x7fb71cddd940
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying authorized principals file /root/.ssh/authorized_principals
debug1: fd 4 clearing O_NONBLOCK
debug3: secure_filename: checking '/root/.ssh'
debug3: secure_filename: checking '/root'
debug3: secure_filename: terminating check at '/root'
debug1: restore_uid: 0/0
Certificate does not contain an authorized principal
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: Could not open authorized keys '/root/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: Could not open authorized keys '/root/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for root from X.X.X.X port 49780 ssh2
debug3: mm_answer_keyallowed: key 0x7fb71cddd940 is not allowed
debug3: mm_request_send entering: type 22
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa-...@openssh.com
debug3: Wrote 56 bytes for a total of 3653
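One way to narrow down a "Certificate does not contain an authorized principal" failure offline is to run the authorized_principals file through the same line rules sshd applies and see which line, if any, would match a given certificate principal. The script below is an added example, not code from the original post or from OpenSSH. It encodes the AuthorizedPrincipalsFile rules as I read them from the sshd source (each line is "[options] principal" split at the last run of whitespace, "#" starts a comment, option values take only the ASCII double quote, a line whose options fail to parse is skipped, and under PermitRootLogin forced-commands-only a root login additionally needs a command= option); those rules are my reading, not something the post confirms. The file contents, the principal user@example.com and the scenario names are constructed samples.

```python
"""Offline checker: would sshd accept this certificate principal against
this authorized_principals file?  Added example; rules are my reading of
sshd's AuthorizedPrincipalsFile handling, sample data is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Characters mail clients and word processors substitute for '"'.
# sshd's option parser recognises only the ASCII double quote (0x22).
SMART_QUOTES = "\u201c\u201d\u2018\u2019"


@dataclass
class Entry:
    lineno: int
    principal: str
    options: Dict[str, Optional[str]] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)
    options_ok: bool = True


def parse_options(raw: str) -> Dict[str, Optional[str]]:
    """Parse 'command="/sbin/ifconfig",no-pty' into {name: value or None}.
    Commas inside a quoted value do not split the list; a backslash escapes
    the next character inside quotes."""
    opts: Dict[str, Optional[str]] = {}
    i, n = 0, len(raw)
    while i < n:
        j = i
        while j < n and raw[j] not in "=,":
            j += 1
        name, value = raw[i:j], None
        if not name:
            raise ValueError("empty option name")
        if j < n and raw[j] == "=":
            if j + 1 >= n or raw[j + 1] != '"':
                raise ValueError(f"{name}: value must open with an ASCII double quote")
            j, buf = j + 2, []
            while j < n and raw[j] != '"':
                if raw[j] == "\\" and j + 1 < n:
                    j += 1  # escaped character inside the quoted value
                buf.append(raw[j])
                j += 1
            if j >= n:
                raise ValueError(f"{name}: missing closing quote")
            j, value = j + 1, "".join(buf)
        if j < n and raw[j] != ",":
            raise ValueError(f"unexpected {raw[j]!r} after option {name}")
        opts[name] = value
        i = j + 1
    return opts


def parse_file(text: str) -> List[Entry]:
    """Split an authorized_principals file into entries, recording anything
    that would stop a line from matching the way its author intended."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip(" \t")  # '#' starts a comment
        if not line:
            continue
        e = Entry(lineno, line)
        if any(q in line for q in SMART_QUOTES):
            e.problems.append("typographic quotes; sshd only recognises the ASCII double quote")
        m = re.search(r"[ \t]+(\S+)$", line)  # last whitespace run separates options from principal
        if m:
            e.principal = m.group(1)
            try:
                e.options = parse_options(line[: m.start()])
            except ValueError as exc:
                e.options_ok = False
                e.problems.append(f"options do not parse ({exc}); the line is skipped")
        elif "=" in line or "," in line:
            e.problems.append("no whitespace-separated principal; whole line is taken as a principal name")
        entries.append(e)
    return entries


def check_login(entries: List[Entry], cert_principals: List[str], user: str = "root",
                permit_root_login: str = "forced-commands-only") -> Tuple[str, Optional[Entry]]:
    """The first line whose principal is in the certificate and whose options parse decides."""
    for e in entries:
        if e.principal not in cert_principals or not e.options_ok:
            continue
        if user == "root" and permit_root_login == "forced-commands-only" and "command" not in e.options:
            return ("root login refused: matched line carries no command= option", e)
        return ("accepted", e)
    return ("Certificate does not contain an authorized principal", None)


# Constructed samples: one certificate principal, four candidate files.
CERT_PRINCIPALS = ["user@example.com"]
OPTS = 'command="/sbin/ifconfig",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding'
SCENARIOS = {
    "options and principal on separate lines": f"{OPTS}\nuser@example.com\n",
    "typographic quotes": "command=\u201c/sbin/ifconfig\u201d,no-pty user@example.com\n",
    "principal spelled differently": f"{OPTS} user\n",
    "well-formed": f"{OPTS} user@example.com\n",
}


def run_scenarios() -> Dict[str, str]:
    """Verdict per scenario."""
    return {name: check_login(parse_file(text), CERT_PRINCIPALS)[0] for name, text in SCENARIOS.items()}


if __name__ == "__main__":
    for name, text in SCENARIOS.items():
        entries = parse_file(text)
        verdict, _ = check_login(entries, CERT_PRINCIPALS)
        print(f"[{name}] -> {verdict}")
        for e in entries:
            for p in e.problems:
                print(f"    line {e.lineno}: {p}")
```

To check a real deployment, replace the constructed text with the contents of the server's authorized_principals file and the principal names printed by `ssh-keygen -L` on the certificate. Under the rules above, a file with the options on one line and the principal on the next does not produce the error quoted in the post: the bare principal line matches with no options, and the login is refused later by the forced-commands-only check instead. Typographic quotes in the command= option, or a principal spelled differently from the certificate, do produce it.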