
AuthorizedPrincipalsCommand fails with signal 13

Symptoms

OpenSSH certificate authentication from PrivX to a target host running the OpenSSH server fails, and the target server's auth log shows the following errors:

Feb 19 12:43:14 ip-172-31-7-131 sshd[8443]: error: AuthorizedPrincipalsCommand /etc/ssh/principals_command.sh root exited on signal 13
Feb 19 12:43:14 ip-172-31-7-131 sshd[8443]: error: Certificate does not contain an authorized principal

Solution

Signal 13 is SIGPIPE: sshd can close its end of the pipe as soon as it has seen the principal it was looking for, and a script that is still writing output is then killed by the signal. sshd treats a command that did not exit cleanly as a failure and rejects the certificate, which is the second error above. Replace the target hosts' /etc/ssh/principals_command.sh file with the following version, which traps SIGPIPE and exits cleanly:

#!/bin/sh
#
# principals_command.sh
#
# See manual for OpenSSH sshd_config(5)
#
# This is a sample script for authorized principals command for OpenSSH.
#
# The AuthorizedPrincipalsCommand can be used with PrivX instead of using
# AuthorizedPrincipalsFile. The benefits of using AuthorizedPrincipalsCommand
# include:
# - enables lock-down on the system (e.g. stop using per-user authorized_keys
#   files)
# - removes the need to distribute per-user AuthorizedPrincipalsFile
#
# This script consults files in directory /etc/ssh/auth_principals/ for the
# shared access accounts. The name of the file is the name of the shared
# account being logged into. The content of the file shall be principal names
# (role-id's) and associated options (as specified for
# AuthorizedPrincipalsFile).
#
# If no such file exists, the script consults the file
# /etc/ssh/personal_account_roles for personal user account role id's.
# The content of the file shall be principal role-id's and associated options
# (as specified for AuthorizedPrincipalsFile). If this file does exist, this
# script processes the role id's listed in this file and outputs personal user
# account principal names in the format 'user@role-id'.
#
# PrivX CA encodes the shared account and personal user account principal
# names allowed for the certificate subject into the OpenSSH certificate's list
# of principal names. When user 'alice' is accessing the shared account
# 'oracle', she is let in if her certificate contains the principal name
# required for oracle as specified in file '/etc/ssh/auth_principals/oracle'.
# If she accesses target account 'alice', her certificate is required to
# contain a principal name 'alice@role-id' with a role-id that is listed in
# file '/etc/ssh/personal_account_roles'.
#
# The input for the script is an existing and valid user name ($user),
# i.e. the target user of the incoming connection. SSHd has already checked
# that this account is valid.
#
# Use of this script shall be configured in sshd_config as follows:
#
#  AuthorizedPrincipalsCommand "/etc/ssh/principals_command.sh %u"
#  AuthorizedPrincipalsCommandUser "nobody"
#  # AuthorizedKeysFile /dev/null # uncomment if lockdown desired
#  # AuthorizedPrincipalsFile "/etc/ssh/auth_principals/%u"
#
# The target system needs to have a user - "nobody" in this example -
# that shall be used only for executing this command. In particular it
# is better not to use privileged accounts for this purpose. The
# account needs to be usable, but should not allow remote access.
#

# sshd may close its end of the pipe as soon as it has read the principal it
# needs. A write after that raises SIGPIPE (signal 13), which would otherwise
# kill this script and make sshd log "exited on signal 13" and reject the
# certificate. Install the handler before anything is written to stdout.
# "PIPE" (without the SIG prefix) is the portable spelling for trap.
trap 'exit 0' PIPE

user="$1"
if test -z "$user"; then
    exit 0
fi

# Shared account: the file named after the account lists its principals.
auth_file="/etc/ssh/auth_principals/$user"
if test -f "$auth_file"; then
    cat "$auth_file"
    exit 0
fi

# Personal account: prefix each listed role-id with the user name.
personal_account_roles_file="/etc/ssh/personal_account_roles"
if test -f "$personal_account_roles_file"; then
    while read -r roleid rest; do
        if test -z "$roleid"; then continue; fi
        # Comment lines pass through unchanged. ${rest:+ $rest} avoids a
        # trailing space on lines that carry no options.
        case "$roleid" in
            \#*) echo "$roleid${rest:+ $rest}";;
            *) echo "$user@$roleid${rest:+ $rest}";;
        esac
    done < "$personal_account_roles_file"
    exit 0
fi

exit 0
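The following is an added demonstration, not part of the PrivX documentation or product. It replays the lookup that principals_command.sh performs against constructed sample files in a temporary directory (assumption: the same file layout, rooted at a temporary path instead of /etc/ssh), and then compares the script's exit status with and without the SIGPIPE trap when the reader, standing in for sshd, closes the pipe after the first line.

```shell
#!/bin/sh
# Added demonstration, not part of the PrivX page or product. It replays the
# lookup principals_command.sh performs, against constructed files in a temp
# directory, and shows what happens when the reader (standing in for sshd)
# closes the pipe early, the situation behind "exited on signal 13".
# Assumption: the page's file layout, rooted at $root instead of /etc/ssh.
set -u

# Same decision logic as the page's script. $3 is "trap" or "notrap" and selects
# whether SIGPIPE is handled; the body is a subshell so the trap does not leak.
lookup_principals() (
    root=$1 user=$2
    if [ "$3" = trap ]; then trap 'exit 0' PIPE; fi
    if [ -f "$root/auth_principals/$user" ]; then        # shared account
        cat "$root/auth_principals/$user"; exit 0
    fi
    if [ -f "$root/personal_account_roles" ]; then       # personal account
        while read -r roleid rest; do
            if [ -z "$roleid" ]; then continue; fi
            case "$roleid" in
                \#*) echo "$roleid${rest:+ $rest}" ;;        # comment passes through
                *)   echo "$user@$roleid${rest:+ $rest}" ;;  # user@role-id principal
            esac
        done < "$root/personal_account_roles"
    fi
    exit 0
)

# Constructed sample configuration: one shared account and two personal roles.
make_fixture() {
    root=$(mktemp -d)
    mkdir "$root/auth_principals"
    echo 'oracle-admins' > "$root/auth_principals/oracle"
    printf '# roles allowed on personal accounts\ndba\nsysadmin\n' > "$root/personal_account_roles"
    echo "$root"
}

# Exit status of the lookup when the reader stops after one line. The roles
# file is made large enough that the writer is still busy when the pipe closes.
sigpipe_status() {
    d=$(mktemp -d); i=0
    while [ $i -lt 50000 ]; do echo "role-$i"; i=$((i+1)); done > "$d/personal_account_roles"
    { status=0; lookup_principals "$d" alice "$1" 2>/dev/null || status=$?
      echo "$status" > "$d/status"; } | head -n 1 > /dev/null
    cat "$d/status"; rm -rf "$d"
}

root=$(make_fixture); lookup_principals "$root" oracle trap; lookup_principals "$root" alice trap
echo "exit status with trap: $(sigpipe_status trap), without: $(sigpipe_status notrap)"; rm -rf "$root"
```

Without the trap the status is 141 (128 + 13) on a shell that reports signal deaths in the usual way; with it the script ends with status 0 and sshd accepts the principals it has already read.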