AuthorizedPrincipalsCommand fails with signal 13
Symptoms
OpenSSH certificate authentication from PrivX to a target host running an OpenSSH server fails, and the target server's auth log shows the following errors:
Feb 19 12:43:14 ip-172-31-7-131 sshd[8443]: error: AuthorizedPrincipalsCommand /etc/ssh/principals_command.sh root exited on signal 13
Feb 19 12:43:14 ip-172-31-7-131 sshd[8443]: error: Certificate does not contain an authorized principal
Solution
Replace the target host's /etc/ssh/principals_command.sh file with the following version:
#!/bin/sh
#
# principals_command.sh
#
# See the OpenSSH manual page sshd_config(5).
#
# This is a sample script for the AuthorizedPrincipalsCommand of OpenSSH.
#
# AuthorizedPrincipalsCommand can be used with PrivX instead of
# AuthorizedPrincipalsFile. The benefits of using AuthorizedPrincipalsCommand
# include:
#   - enables lock-down of the system (e.g. stop using per-user
#     authorized_keys files)
#   - removes the need to distribute a per-user AuthorizedPrincipalsFile
#
# This script consults files in the directory /etc/ssh/auth_principals/ for
# shared access accounts. The name of the file is the name of the shared
# account being logged into. The content of the file shall be principal names
# (role-ids) and associated options (as specified for
# AuthorizedPrincipalsFile).
#
# If no such file exists, the script consults the file
# /etc/ssh/personal_account_roles for personal user account role-ids.
# The content of that file shall be principal role-ids and associated options
# (as specified for AuthorizedPrincipalsFile). If this file exists, the
# script processes the role-ids listed in it and outputs personal user
# account principal names in the format 'user@role-id'.
#
# The PrivX CA encodes the shared account and personal user account principal
# names allowed for the certificate subject into the OpenSSH certificate's
# list of principal names. When user 'alice' is accessing the shared account
# 'oracle', she is let in if her certificate contains the principal name
# required for oracle as specified in the file '/etc/ssh/auth_principals/oracle'.
# If she accesses the target account 'alice', her certificate is required to
# contain a principal name 'alice@role-id' with a role-id that is listed in
# the file '/etc/ssh/personal_account_roles'.
#
# The input for the script is an existing and valid user name ($user),
# i.e. the target user of the incoming connection. sshd has already checked
# that this account is valid.
#
# Use of this script shall be configured in sshd_config as follows:
#
#   AuthorizedPrincipalsCommand "/etc/ssh/principals_command.sh %u"
#   AuthorizedPrincipalsCommandUser "nobody"
#   # AuthorizedKeysFile /dev/null   # uncomment if lockdown desired
#   # AuthorizedPrincipalsFile "/etc/ssh/auth_principals/%u"
#
# The target system needs to have a user - "nobody" in this example -
# that shall be used only for executing this command. In particular it
# is better not to use privileged accounts for this purpose. The
# account needs to be usable, but should not allow remote access.
#

user="$1"
if test -z "$user"; then
    exit 0
fi

# Shared account: output its principals file verbatim.
auth_file="/etc/ssh/auth_principals/$user"
if test -f "$auth_file"; then
    cat "$auth_file"
    exit 0
fi

# sshd can stop reading the command's output before this script has
# finished writing. Because echo is a shell builtin, the resulting SIGPIPE
# would kill the shell itself, which sshd reports as "exited on signal 13"
# and treats as a failure. Exit cleanly instead. ("PIPE" is the portable
# POSIX spelling of the signal name; bash also accepts "SIGPIPE".)
trap 'exit 0' PIPE

# Personal account: map each listed role-id to 'user@role-id'.
personal_account_roles_file="/etc/ssh/personal_account_roles"
if test -f "$personal_account_roles_file"; then
    while read -r roleid rest; do
        if test -z "$roleid"; then continue; fi
        case "$roleid" in
            \#*) echo "$roleid $rest";;        # pass comment lines through unchanged
            *)   echo "$user@$roleid $rest";;
        esac
    done < "$personal_account_roles_file"
    exit 0
fi

exit 0
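To see why the original script died with signal 13 and why the PIPE trap fixes it, here is an added shell demonstration. It is not part of the PrivX article or its script, touches nothing under /etc/ssh, and uses only constructed names (user 'alice', role-ids 'role-N') and a constructed line count. A reader process stands in for sshd: it consumes one line and closes the pipe while the principals loop is still echoing, and the writer's exit status is reported with and without the trap.

```shell
#!/bin/sh
# Added demonstration of the "exited on signal 13" failure and its fix.
# Not part of the PrivX principals_command.sh; all values are constructed.

# Stand-in for the principals script's while/echo loop. The line count is
# deliberately far larger than a pipe buffer, so the writer is still busy
# when the reader goes away.
print_principals() {
    user="$1"
    lines="$2"
    i=0
    while [ "$i" -lt "$lines" ]; do
        echo "$user@role-$i"   # echo is a builtin: SIGPIPE hits the shell itself
        i=$((i + 1))
    done
}

# The writer as sshd would run it. With $1 = 1 the PIPE trap from the
# corrected script is installed first; with $1 = 0 it is not (the broken
# behaviour from the article's Symptoms section).
principals_writer() {
    if [ "$1" = 1 ]; then
        trap 'exit 0' PIPE   # same trap the corrected script uses
    fi
    print_principals alice 20000
}

# Run principals_writer into a reader that reads one line and closes the
# pipe, then print the writer's exit status. $? of a pipeline is the
# reader's status, so the writer's status is passed out through fd 3.
writer_exit_status() {
    use_trap="$1"
    {
        (
            set +e   # keep the writer independent of the caller's errexit setting
            status=0
            ( principals_writer "$use_trap" ) || status=$?
            echo "$status" >&3
        ) | head -n 1 >/dev/null
    } 3>&1
}

# Without the trap the shell is killed by SIGPIPE: status 141 = 128 + 13,
# the "signal 13" sshd logs. With the trap the script exits 0.
echo "without trap: $(writer_exit_status 0)"   # prints 141
echo "with trap:    $(writer_exit_status 1)"   # prints 0
```

The reader closes early on purpose; sshd does the same once it has read what it needs, and any script that keeps echoing after that point gets SIGPIPE. The trap only helps for output produced by the shell itself (echo, printf); the cat branch of the script is unaffected because a killed cat child does not take the shell down with it.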
Updated about 3 years ago