1# $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $ 2# Placed in the Public Domain. 3 4tid="authorized principals command" 5 6rm -f $OBJ/user_ca_key* $OBJ/cert_user_key* 7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 8 9if [ -z "$SUDO" ]; then 10 fatal "need SUDO to create file in /var/run, test won't work without" 11fi 12 13# Establish a AuthorizedPrincipalsCommand in /var/run where it will have 14# acceptable directory permissions. 15PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}" 16cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" 17#!/bin/sh 18test "x\$1" != "x${LOGNAME}" && exit 1 19test -f "$OBJ/authorized_principals_${LOGNAME}" && 20 exec cat "$OBJ/authorized_principals_${LOGNAME}" 21_EOF 22test $? -eq 0 || fatal "couldn't prepare principals command" 23$SUDO chmod 0755 "$PRINCIPALS_COMMAND" 24 25# Create a CA key and a user certificate. 26${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ 27 fatal "ssh-keygen of user_ca_key failed" 28${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \ 29 fatal "ssh-keygen of cert_user_key failed" 30${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ 31 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ 32 fatal "couldn't sign cert_user_key" 33 34# Test explicitly-specified principals 35for privsep in yes no ; do 36 _prefix="privsep $privsep" 37 38 # Setup for AuthorizedPrincipalsCommand 39 rm -f $OBJ/authorized_keys_$USER 40 ( 41 cat $OBJ/sshd_proxy_bak 42 echo "UsePrivilegeSeparation $privsep" 43 echo "AuthorizedKeysFile none" 44 echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u" 45 echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" 46 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" 47 ) > $OBJ/sshd_proxy 48 49 # XXX test missing command 50 # XXX test failing command 51 52 # Empty authorized_principals 53 verbose "$tid: ${_prefix} empty authorized_principals" 54 echo > $OBJ/authorized_principals_$USER 55 ${SSH} -2i $OBJ/cert_user_key \ 56 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 57 if [ $? -eq 0 ]; then 58 fail "ssh cert connect succeeded unexpectedly" 59 fi 60 61 # Wrong authorized_principals 62 verbose "$tid: ${_prefix} wrong authorized_principals" 63 echo gregorsamsa > $OBJ/authorized_principals_$USER 64 ${SSH} -2i $OBJ/cert_user_key \ 65 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 66 if [ $? -eq 0 ]; then 67 fail "ssh cert connect succeeded unexpectedly" 68 fi 69 70 # Correct authorized_principals 71 verbose "$tid: ${_prefix} correct authorized_principals" 72 echo mekmitasdigoat > $OBJ/authorized_principals_$USER 73 ${SSH} -2i $OBJ/cert_user_key \ 74 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 75 if [ $? -ne 0 ]; then 76 fail "ssh cert connect failed" 77 fi 78 79 # authorized_principals with bad key option 80 verbose "$tid: ${_prefix} authorized_principals bad key opt" 81 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER 82 ${SSH} -2i $OBJ/cert_user_key \ 83 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 84 if [ $? -eq 0 ]; then 85 fail "ssh cert connect succeeded unexpectedly" 86 fi 87 88 # authorized_principals with command=false 89 verbose "$tid: ${_prefix} authorized_principals command=false" 90 echo 'command="false" mekmitasdigoat' > \ 91 $OBJ/authorized_principals_$USER 92 ${SSH} -2i $OBJ/cert_user_key \ 93 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 94 if [ $? -eq 0 ]; then 95 fail "ssh cert connect succeeded unexpectedly" 96 fi 97 98 99 # authorized_principals with command=true 100 verbose "$tid: ${_prefix} authorized_principals command=true" 101 echo 'command="true" mekmitasdigoat' > \ 102 $OBJ/authorized_principals_$USER 103 ${SSH} -2i $OBJ/cert_user_key \ 104 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 105 if [ $? -ne 0 ]; then 106 fail "ssh cert connect failed" 107 fi 108 109 # Setup for principals= key option 110 rm -f $OBJ/authorized_principals_$USER 111 ( 112 cat $OBJ/sshd_proxy_bak 113 echo "UsePrivilegeSeparation $privsep" 114 ) > $OBJ/sshd_proxy 115 116 # Wrong principals list 117 verbose "$tid: ${_prefix} wrong principals key option" 118 ( 119 printf 'cert-authority,principals="gregorsamsa" ' 120 cat $OBJ/user_ca_key.pub 121 ) > $OBJ/authorized_keys_$USER 122 ${SSH} -2i $OBJ/cert_user_key \ 123 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 124 if [ $? -eq 0 ]; then 125 fail "ssh cert connect succeeded unexpectedly" 126 fi 127 128 # Correct principals list 129 verbose "$tid: ${_prefix} correct principals key option" 130 ( 131 printf 'cert-authority,principals="mekmitasdigoat" ' 132 cat $OBJ/user_ca_key.pub 133 ) > $OBJ/authorized_keys_$USER 134 ${SSH} -2i $OBJ/cert_user_key \ 135 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 136 if [ $? -ne 0 ]; then 137 fail "ssh cert connect failed" 138 fi 139done 140