`AuthorizedPrincipalsFile` behavior does not match `AuthorizedKeysFile`

[Nnnes]

Prerequisites

• Write a descriptive title.
• Make sure you are able to repro it on the latest version
• Search the existing issues.

Steps to reproduce

The sshd_config directive AuthorizedPrincipalsFile fails to read many formats.

1. sign a user key with a principal that is not a valid username on the server
2. create $env:USERPROFILE\.ssh\authorized_principals on the server and add the principal
3. make sure all other forms of authentication are disabled for that user
4. add AuthorizedPrincipalsFile .ssh/authorized_principals to sshd_config (same format as AuthorizedKeysFile .ssh/authorized_keys)
5. observe that logging in fails with error: Certificate does not contain an authorized principal in the sshd log

Expected behavior

`AuthorizedPrincipalsFile` has the same behavior as `AuthorizedKeysFile`

Actual behavior

The following fail:


AuthorizedPrincipalsFile .ssh/authorized_principals
AuthorizedPrincipalsFile .ssh\authorized_principals
AuthorizedPrincipalsFile %h/.ssh/authorized_principals
AuthorizedPrincipalsFile %h\.ssh\authorized_principals
AuthorizedPrincipalsFile C:\Users\%u\.ssh\authorized_principals


This one works:


AuthorizedPrincipalsFile C:/Users/%u/.ssh/authorized_principals

Error details

Environment data

PSVersion                      5.1.26100.7462
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.26100.7462
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version

OpenSSH_for_Windows_10.0p2 Win32-OpenSSH-GitHub, LibreSSL 4.2.0

Visuals

No response

[tgauth]

Any chance you're able to check if this repros with a ssh server on a Linux machine, as well?

The codepaths for the keywords do seem to be the same, based on a brief, initial look: https://github.com/PowerShell/openssh-portable/blob/latestw_all/servconf.c#L2263-L2306

[Nnnes]

I'll try it out shortly. Maybe worth looking in here too:

https://github.com/PowerShell/openssh-portable/blob/745466fbfcf9617f198793e5eab22ad408ba21f4/auth2-pubkey.c#L336

I haven't read it extra carefully but there seems to be a bit of handling missing vs. here:

https://github.com/PowerShell/openssh-portable/blob/745466fbfcf9617f198793e5eab22ad408ba21f4/auth2-pubkey.c#L818-L826

[Nnnes]

ee1b4e0 is PowerShell/openssh-portable trivially patched on Linux
d7950ac is upstream openssh/openssh-portable on Linux
745466f is PowerShell/openssh-portable on Windows

Directive	ee1b4e0	d7950ac	745466f
AuthorizedKeysFile .ssh/authorized_keys	ok	ok	ok
AuthorizedKeysFile %h/.ssh/authorized_keys	ok	ok	ok
AuthorizedKeysFile /home/%u/.ssh/authorized_keys	ok	ok
AuthorizedKeysFile C:/Users/%u/.ssh/authorized_keys			ok
AuthorizedKeysFile .ssh\authorized_keys	fail	fail	ok
AuthorizedKeysFile %h\.ssh\authorized_keys	fail	fail	ok
AuthorizedKeysFile \home\%u\.ssh\authorized_keys	fail	fail
AuthorizedKeysFile C:\Users\%u\.ssh\authorized_keys			ok

Directive	ee1b4e0	d7950ac	745466f
AuthorizedPrincipalsFile .ssh/authorized_principals	ok	ok	fail
AuthorizedPrincipalsFile %h/.ssh/authorized_principals	ok	ok	fail
AuthorizedPrincipalsFile /home/%u/.ssh/authorized_principals	ok	ok
AuthorizedPrincipalsFile C:/Users/%u/.ssh/authorized_principals			ok
AuthorizedPrincipalsFile .ssh\authorized_principals	fail	fail	fail
AuthorizedPrincipalsFile %h\.ssh\authorized_principals	fail	fail	fail
AuthorizedPrincipalsFile \home\%u\.ssh\authorized_principals	fail	fail
AuthorizedPrincipalsFile C:\Users\%u\.ssh\authorized_principals			fail