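# $OpenBSD: agent.sh,v 1.21 2023/03/01 09:29:32 dtucker Exp $
# Placed in the Public Domain.
#
# Regression test for ssh-agent / ssh-add / agent forwarding.
#
# Sourced by the regress harness, which provides the tool paths (SSHADD,
# SSHAGENT, SSHKEYGEN, SSH), the scratch directory OBJ, the key type list
# SSH_KEYTYPES, optional EXTRA_AGENT_ARGS and the helpers trace, fail
# (record a failure and continue), fatal (abort) and ssh_logfile.
#
# The script starts two agents, loads a key and certificate of every type
# into both, then REMOVES the private keys from disk so that every later
# successful login can only have been signed by an agent.  It then checks
# agent forwarding (including the ForwardAgent=<path> and
# ForwardAgent=$ENVVAR forms), certificate login via the agent, and the
# ssh-add deletion options.
#
# Exit statuses of ssh-add this script depends on, both asserted below
# before anything else is tested:
#   2 - no agent could be contacted
#   1 - agent answered but holds no identities (or -d/-l style failure)

tid="simple agent test"

# No agent yet: ssh-add must report "no agent" (2), not "no identities" (1).
SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
if [ $? -ne 2 ]; then
	fail "ssh-add -l did not fail with exit code 2"
fi

# Evaluating the agent's output is the normal way of picking up
# SSH_AUTH_SOCK/SSH_AGENT_PID; the agent binary is the unit under test,
# so its output is trusted here.
trace "start agent, args ${EXTRA_AGENT_ARGS} -s"
eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` >`ssh_logfile ssh-agent`
r=$?
if [ $r -ne 0 ]; then
	fatal "could not start ssh-agent: exit code $r"
fi

# Second agent: its variables are renamed SSH_* -> FW_SSH_* so both agents
# can be addressed at once (FW_SSH_AUTH_SOCK / FW_SSH_AGENT_PID below).
eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s | sed 's/SSH_/FW_SSH_/g'` > /dev/null
r=$?
if [ $r -ne 0 ]; then
	fatal "could not start second ssh-agent: exit code $r"
fi

# Agent is up but empty: expect "no identities" (1).
${SSHADD} -l > /dev/null 2>&1
if [ $? -ne 1 ]; then
	fail "ssh-add -l did not fail with exit code 1"
fi

# Throwaway CA used to certify every user key below.
rm -f $OBJ/user_ca_key $OBJ/user_ca_key.pub
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \
	|| fatal "ssh-keygen failed"

trace "overwrite authorized keys"
printf '' > $OBJ/authorized_keys_$USER

for t in ${SSH_KEYTYPES}; do
	# generate user key for agent
	rm -f $OBJ/$t-agent $OBJ/$t-agent.pub*
	${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent || \
		fatal "ssh-keygen for $t-agent failed"
	# Make a certificate for each too (principal "estragon" is matched
	# by the cert-authority line installed later in this script).
	${SSHKEYGEN} -qs $OBJ/user_ca_key -I "$t cert" \
		-n estragon $OBJ/$t-agent.pub || fatal "ca sign failed"

	# add to authorized keys
	cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
	# add private key to agent
	${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		# Capture the status first: "$?" inside the if-body would
		# report the status of the [ ] test, never ssh-add's.
		fail "ssh-add failed exit code $r"
	fi
	# add private key to second agent
	SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add failed exit code $r"
	fi
	# Move private key to ensure that we aren't accidentally using it:
	# from here on a successful login proves the agent did the signing.
	# Keep the corresponding public keys/certs around for later use
	# (ssh-add -d and CertificateFile need only the public halves, and
	# the -private-cert.pub copy lets the key be re-added with its cert).
	mv -f $OBJ/$t-agent $OBJ/$t-agent-private
	cp -f $OBJ/$t-agent.pub $OBJ/$t-agent-private.pub
	cp -f $OBJ/$t-agent-cert.pub $OBJ/$t-agent-private-cert.pub
done

# Remove explicit identity directives from ssh_proxy so that ssh has no
# file-based identities at all and must go through the agent.
mv $OBJ/ssh_proxy $OBJ/ssh_proxy_bak || fatal "could not back up ssh_proxy"
grep -vi identityfile $OBJ/ssh_proxy_bak > $OBJ/ssh_proxy

${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
	fail "ssh-add -l failed: exit code $r"
fi
# the same for full pubkey output
${SSHADD} -L > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
	fail "ssh-add -L failed: exit code $r"
fi

# "exit 52" is run remotely; seeing 52 back proves the session ran.
trace "simple connect via agent"
${SSH} -F $OBJ/ssh_proxy somehost exit 52
r=$?
if [ $r -ne 52 ]; then
	fail "ssh connect with failed (exit code $r)"
fi

for t in ${SSH_KEYTYPES}; do
	trace "connect via agent using $t key"
	if [ "$t" = "ssh-dss" ]; then
		# ssh-dss is disabled by default on both sides.
		echo "PubkeyAcceptedAlgorithms +ssh-dss" >> $OBJ/ssh_proxy
		echo "PubkeyAcceptedAlgorithms +ssh-dss" >> $OBJ/sshd_proxy
	fi
	# Pointing -i at the .pub with IdentitiesOnly restricts ssh to that
	# single agent-held identity; the private key is no longer on disk.
	${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub -oIdentitiesOnly=yes \
		somehost exit 52
	r=$?
	if [ $r -ne 52 ]; then
		fail "ssh connect with failed (exit code $r)"
	fi
done

trace "agent forwarding"
${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
	fail "ssh-add -l via agent fwd failed (exit code $r)"
fi
# ForwardAgent given an explicit socket path instead of "yes".
${SSH} "-oForwardAgent=$SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
	fail "ssh-add -l via agent path fwd failed (exit code $r)"
fi
# Hop through the forwarded agent: the inner ssh must authenticate with it.
${SSH} -A -F $OBJ/ssh_proxy somehost \
	"${SSH} -F $OBJ/ssh_proxy somehost exit 52"
r=$?
if [ $r -ne 52 ]; then
	fail "agent fwd failed (exit code $r)"
fi

trace "agent forwarding different agent"
# Forward the second agent's socket rather than the one in SSH_AUTH_SOCK.
${SSH} "-oForwardAgent=$FW_SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
	fail "ssh-add -l via agent path fwd of different agent failed (exit code $r)"
fi
# Single quotes are deliberate: the shell must NOT expand the variable
# here; this exercises ssh's own expansion of an environment variable
# reference in the ForwardAgent value.
${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
	fail "ssh-add -l via agent path env fwd of different agent failed (exit code $r)"
fi

# Remove keys from forwarded agent, ssh-add on remote machine should now fail.
SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} -D > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
	fail "ssh-add -D failed: exit code $r"
fi
# Expect 1 ("no identities"), which also shows the empty second agent, not
# the still-populated first one, is what got forwarded.
${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 1 ]; then
	fail "ssh-add -l with different agent did not fail with exit code 1 (exit code $r)"
fi

# Replace the per-key authorized_keys entries with a single CA trust line;
# from now on only certificates for principal "estragon" are accepted.
(printf 'cert-authority,principals="estragon" '; cat $OBJ/user_ca_key.pub) \
	> $OBJ/authorized_keys_$USER
for t in ${SSH_KEYTYPES}; do
	if [ "$t" != "ssh-dss" ]; then
		trace "connect via agent using $t key"
		${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub \
			-oCertificateFile=$OBJ/$t-agent-cert.pub \
			-oIdentitiesOnly=yes somehost exit 52
		r=$?
		if [ $r -ne 52 ]; then
			fail "ssh connect with failed (exit code $r)"
		fi
	fi
done

## Deletion tests.

trace "delete all agent keys"
${SSHADD} -D > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
	fail "ssh-add -D failed: exit code $r"
fi
# make sure they're gone
${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 1 ]; then
	fail "ssh-add -l returned unexpected exit code: $r"
fi
trace "readd keys"
# re-add keys/certs to agent (here "$?" after || is ssh-add's own status)
for t in ${SSH_KEYTYPES}; do
	${SSHADD} $OBJ/$t-agent-private >/dev/null 2>&1 || \
		fail "ssh-add failed exit code $?"
done
# make sure they are there
${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
	fail "ssh-add -l failed: exit code $r"
fi

# List the agent's identities and report whether one of key type $1 is
# loaded.  Returns 0 if present, 1 if the agent answered but does not hold
# it, and 2 if no agent could be contacted (ssh-add's own status for that
# case, asserted at the top of this script).  Distinguishing 1 from 2
# keeps an "absent" check from passing vacuously because the agent died.
agent_has_key() {
	_agent_keys=`${SSHADD} -L 2>/dev/null`
	if [ $? -eq 2 ]; then
		return 2
	fi
	# The trailing space in the pattern keeps "ssh-ed25519" from also
	# matching the "ssh-ed25519-cert-v01@openssh.com" line.
	printf '%s\n' "$_agent_keys" | grep "^$1 " >/dev/null
}
# Record a failure if a key of type $1 is loaded, or if no agent answers.
check_key_absent() {
	agent_has_key "$1"
	case $? in
	0) fail "$1 key unexpectedly present" ;;
	2) fail "$1 absence check: could not contact agent" ;;
	esac
}
# Record a failure unless a key of type $1 is loaded.
check_key_present() {
	agent_has_key "$1"
	case $? in
	0) ;;
	2) fail "$1 presence check: could not contact agent" ;;
	*) fail "$1 key missing from agent" ;;
	esac
}

# delete the ed25519 key.  The private file was moved away above; ssh-add
# -d works from the $OBJ/ssh-ed25519-agent.pub that was kept next to it.
trace "delete single key by file"
# -k: delete the plain key only, the certificate must survive.
${SSHADD} -qdk $OBJ/ssh-ed25519-agent || fail "ssh-add -d ed25519 failed"
check_key_absent ssh-ed25519
check_key_present ssh-ed25519-cert-v01@openssh.com
# Put key/cert back.
${SSHADD} $OBJ/ssh-ed25519-agent-private >/dev/null 2>&1 || \
	fail "ssh-add failed exit code $?"
check_key_present ssh-ed25519
# Delete both key and certificate.
trace "delete key/cert by file"
${SSHADD} -qd $OBJ/ssh-ed25519-agent || fail "ssh-add -d ed25519 failed"
check_key_absent ssh-ed25519
check_key_absent ssh-ed25519-cert-v01@openssh.com
# Put key/cert back.
${SSHADD} $OBJ/ssh-ed25519-agent-private >/dev/null 2>&1 || \
	fail "ssh-add failed exit code $?"
check_key_present ssh-ed25519
# Delete certificate via stdin
${SSHADD} -qd - < $OBJ/ssh-ed25519-agent-cert.pub || fail "ssh-add -d - failed"
check_key_present ssh-ed25519
check_key_absent ssh-ed25519-cert-v01@openssh.com
# Delete key via stdin
${SSHADD} -qd - < $OBJ/ssh-ed25519-agent.pub || fail "ssh-add -d - failed"
check_key_absent ssh-ed25519
check_key_absent ssh-ed25519-cert-v01@openssh.com

# Tear down both agents.  Note that an earlier fatal exits before reaching
# this point and leaves the agents running unless the harness reaps them.
trace "kill agent"
${SSHAGENT} -k > /dev/null
SSH_AGENT_PID=$FW_SSH_AGENT_PID ${SSHAGENT} -k > /dev/null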