OpenSSH: The Run-Time token %s (Certificate Serial Number) Parsed by AuthorizedPrincipalsCommand is Truncated to only 15 digits.
(Doc ID 2613236.1)
Last updated on NOVEMBER 28, 2019
Applies to: Linux OS - Version Oracle Linux 7.0 and later
SSH authentication by user certificates can be used in conjunction with the AuthorizedPrincipalsCommand feature. This feature can make use of tokens parsed during run-time to expand to certain certificate attributes.
The sshd_config(5) manual page states:
Specifies a program to be used to look up the user's public keys. The program must be owned by root, not writable by group or others and specified by an absolute path. Arguments to AuthorizedKeysCommand accept the tokens described in the TOKENS section. If no arguments are specified then the username of the target user is used.
Arguments to some keywords can make use of tokens, which are expanded at
%s The serial number of the certificate.
AuthorizedPrincipalsCommand accepts the tokens %%, %F, %f, %K, %k, %h,
%i, %s, %T, %t, and %u.
In this case, the run-time token %s (serial number) is truncated to only 15 digits. However, a certificate serial number is a 64-bit unsigned value, ranging from 0 to 18446744073709551615, which can take up to 20 digits. At 15 digits, a certificate serial number such as "18446744073709551615" is truncated to "184467440737095". If the custom program specified by AuthorizedPrincipalsCommand looks up the authorized principal based on %s, it is very likely that an authorized principal is determined to be unauthorized and its login request is denied.
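The following is an added example, not part of this document or of OpenSSH: a small POSIX shell helper that a custom AuthorizedPrincipalsCommand could use to look up the %s value in a constructed allow list and to flag the 15-digit truncation described above (a 15-digit value that is a strict prefix of a longer allowed serial) instead of silently denying the login. The function name, the allow-list format and the serial/principal pairs are all assumptions made for illustration.

```sh
#!/bin/sh
# Added example (hypothetical helper, not OpenSSH code): look up a certificate
# serial received via the %s token and detect the 15-digit truncation symptom.

# Constructed allow list, one "<serial> <principal>" pair per line.
ALLOWED_SERIALS='18446744073709551615 alice
123456789012345 bob
99 carol'

# lookup_principal SERIAL
#   exit 0 and print the principal on an exact serial match;
#   exit 2 (with a diagnostic on stderr) when SERIAL is exactly 15 digits and a
#          strict prefix of a longer allowed serial, i.e. it looks truncated;
#   exit 1 otherwise.
lookup_principal() {
    serial=$1
    case $serial in
        ""|*[!0-9]*) return 1 ;;   # not a decimal serial at all
    esac
    printf '%s\n' "$ALLOWED_SERIALS" | {
        rc=1
        while read -r allowed principal; do
            # Compare as strings: 20-digit serials overflow shell arithmetic.
            if [ "$allowed" = "$serial" ]; then
                printf '%s\n' "$principal"
                exit 0
            fi
            if [ "${#serial}" -eq 15 ] && [ "${#allowed}" -gt 15 ]; then
                case $allowed in
                    "$serial"*)
                        echo "serial $serial looks truncated (prefix of $allowed); refusing" >&2
                        rc=2 ;;
                esac
            fi
        done
        exit "$rc"   # status of this subshell becomes the function's status
    }
}

# sshd would invoke the script with the expanded %s token as its only argument.
if [ $# -eq 1 ]; then
    lookup_principal "$1"
fi
```

A non-zero exit from the command still denies the login; the diagnostic on stderr is what tells the administrator that the denial came from a truncated serial rather than from an unauthorized certificate.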
To reproduce this problem, set up SSH authentication by user certificate as per Document 2613189.1, then follow these steps in order.
Copy the user's *.pub file to the CA and sign a user certificate with it, specifying a very large certificate serial number.