1 # $OpenBSD: agent.sh,v 1.21 2023/03/01 09:29:32 dtucker Exp $
2 # Placed in the Public Domain.
# Exercises ssh-agent end to end: agent start-up, loading keys and
# certificates, authentication via agent, agent forwarding, and key
# deletion. Relies on the regress harness for trace/fail/fatal, ssh_logfile,
# $OBJ, $SSH_KEYTYPES and the ${SSH*} tool variables.
4 tid="simple agent test"
# No reachable agent socket: ssh-add -l must exit 2 (cannot contact agent),
# which differs from the "agent reachable but empty" case checked below.
# NOTE(review): the listing's gutter numbers skip the r=$?/if/fi lines
# around most of the checks in this file; only the fail calls are shown.
6 SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
8 fail "ssh-add -l did not fail with exit code 2"
11 trace "start agent, args ${EXTRA_AGENT_ARGS} -s"
# ssh-agent -s emits shell assignments (SSH_AUTH_SOCK, SSH_AGENT_PID) that
# eval imports into this shell; eval on program output is acceptable here
# only because the agent is the trusted binary under test. Whatever the
# eval'd commands print goes to the ssh-agent logfile.
12 eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` >`ssh_logfile ssh-agent`
15 fatal "could not start ssh-agent: exit code $r"
# Second, independent agent. The sed rewrite renames its variables to
# FW_SSH_AUTH_SOCK / FW_SSH_AGENT_PID so it does not clobber the first
# agent's environment; the forwarding tests later use it as the "other" agent.
18 eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s | sed 's/SSH_/FW_SSH_/g'` > /dev/null
21 fatal "could not start second ssh-agent: exit code $r"
# Reachable but still empty agent: ssh-add -l is expected to exit 1.
24 ${SSHADD} -l > /dev/null 2>&1
26 fail "ssh-add -l did not fail with exit code 1"
# Fresh CA key (no passphrase); its public half is trusted via a
# cert-authority line in authorized_keys later in the test.
29 rm -f $OBJ/user_ca_key $OBJ/user_ca_key.pub
30 ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \
31 || fatal "ssh-keygen failed"
33 trace "overwrite authorized keys"
# Start from an empty authorized_keys so only the keys appended below are
# trusted for this test.
34 printf '' > $OBJ/authorized_keys_$USER
# Per key type: generate a passphrase-less key, certify it with user_ca_key
# for principal "estragon", authorize the plain public key, load the private
# key into both agents, then move the private key file aside.
36 for t in ${SSH_KEYTYPES}; do
37 # generate user key for agent
# The .pub* glob also removes a stale $t-agent-cert.pub.
38 rm -f $OBJ/$t-agent $OBJ/$t-agent.pub*
39 ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
40 fatal "ssh-keygen for $t-agent failed"
41 # Make a certificate for each too.
# Writes $OBJ/$t-agent-cert.pub. The principal given with -n must match the
# principals= option of the cert-authority line written further down.
42 ${SSHKEYGEN} -qs $OBJ/user_ca_key -I "$t cert" \
43 -n estragon $OBJ/$t-agent.pub || fatal "ca sign failed"
45 # add to authorized keys
46 cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
47 # add private key to agent
# NOTE(review): the status test between this command and its fail call is
# not shown; if it is `if [ $? -ne 0 ]`, the $? in the message is the
# test's status (1), not ssh-add's. Capturing r=$? first, as the other
# checks in this file do, would report the real exit code.
48 ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
50 fail "ssh-add failed exit code $?"
52 # add private key to second agent
# Per-command SSH_AUTH_SOCK override: this load targets the FW_ agent only.
53 SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
55 fail "ssh-add failed exit code $?"
57 # Move private key to ensure that we aren't accidentally using it.
58 # Keep the corresponding public keys/certs around for later use.
# The *-private copies are what the re-add step later feeds to ssh-add.
59 mv -f $OBJ/$t-agent $OBJ/$t-agent-private
60 cp -f $OBJ/$t-agent.pub $OBJ/$t-agent-private.pub
61 cp -f $OBJ/$t-agent-cert.pub $OBJ/$t-agent-private-cert.pub
64 # Remove explicit identity directives from ssh_proxy
# With no IdentityFile lines (and the private key files moved aside above),
# a successful login below can only have come from an agent-held key.
65 mv $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
66 grep -vi identityfile $OBJ/ssh_proxy_bak > $OBJ/ssh_proxy
# Both listing forms must succeed now that keys are loaded: -l prints
# fingerprints, -L the full public keys.
68 ${SSHADD} -l > /dev/null 2>&1
71 fail "ssh-add -l failed: exit code $r"
73 # the same for full pubkey output
74 ${SSHADD} -L > /dev/null 2>&1
77 fail "ssh-add -L failed: exit code $r"
80 trace "simple connect via agent"
# "exit 52" is the remote command; getting 52 back proves both that
# authentication succeeded and that the session actually ran the command.
81 ${SSH} -F $OBJ/ssh_proxy somehost exit 52
83 if [ $r -ne 52 ]; then
84 fail "ssh connect with failed (exit code $r)"
# Now force each key individually: -i with the .pub file only names the key
# (the private half lives solely in the agent), and IdentitiesOnly keeps ssh
# from offering the other agent keys.
87 for t in ${SSH_KEYTYPES}; do
88 trace "connect via agent using $t key"
89 if [ "$t" = "ssh-dss" ]; then
# ssh-dss is not accepted by default on either side; enable it explicitly
# for both the client and server proxy configs.
90 echo "PubkeyAcceptedAlgorithms +ssh-dss" >> $OBJ/ssh_proxy
91 echo "PubkeyAcceptedAlgorithms +ssh-dss" >> $OBJ/sshd_proxy
# The continuation line (host and "exit 52" command) is not shown in this
# listing; the 52 check below implies it.
93 ${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub -oIdentitiesOnly=yes \
96 if [ $r -ne 52 ]; then
97 fail "ssh connect with failed (exit code $r)"
101 trace "agent forwarding"
# -A forwards the local agent; running ssh-add -l on the far side checks
# that the forwarded socket is usable there.
102 ${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
104 if [ $r -ne 0 ]; then
105 fail "ssh-add -l via agent fwd failed (exit code $r)"
# ForwardAgent with an explicit socket path. Double quotes: the local shell
# expands $SSH_AUTH_SOCK before ssh sees the option.
107 ${SSH} "-oForwardAgent=$SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
109 if [ $r -ne 0 ]; then
110 fail "ssh-add -l via agent path fwd failed (exit code $r)"
# Two hops: the inner ssh has no key file to use (IdentityFile stripped,
# private keys moved), so it must authenticate via the forwarded agent.
112 ${SSH} -A -F $OBJ/ssh_proxy somehost \
113 "${SSH} -F $OBJ/ssh_proxy somehost exit 52"
115 if [ $r -ne 52 ]; then
116 fail "agent fwd failed (exit code $r)"
119 trace "agent forwarding different agent"
# Forward the second (FW_) agent instead of the one in SSH_AUTH_SOCK;
# authentication itself still uses SSH_AUTH_SOCK.
120 ${SSH} "-oForwardAgent=$FW_SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
122 if [ $r -ne 0 ]; then
123 fail "ssh-add -l via agent path fwd of different agent failed (exit code $r)"
# Single quotes: the literal text $FW_SSH_AUTH_SOCK reaches ssh, which
# resolves the environment variable itself ("env fwd" in the message).
125 ${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
127 if [ $r -ne 0 ]; then
128 fail "ssh-add -l via agent path env fwd of different agent failed (exit code $r)"
131 # Remove keys from forwarded agent, ssh-add on remote machine should now fail.
132 SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} -D > /dev/null 2>&1
134 if [ $r -ne 0 ]; then
135 fail "ssh-add -D failed: exit code $r"
# Login still succeeds through the first agent; only the forwarded, now
# empty FW_ agent makes the remote ssh-add -l exit 1.
137 ${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
139 if [ $r -ne 1 ]; then
140 fail "ssh-add -l with different agent did not fail with exit code 1 (exit code $r)"
# Replace the per-key entries with a single cert-authority line: anything
# certified by user_ca_key for principal "estragon" (the -n used when
# signing) is now trusted, and the plain public keys no longer are.
143 (printf 'cert-authority,principals="estragon" '; cat $OBJ/user_ca_key.pub) \
144 > $OBJ/authorized_keys_$USER
145 for t in ${SSH_KEYTYPES}; do
# ssh-dss is skipped for the certificate round; presumably the earlier
# PubkeyAcceptedAlgorithms +ssh-dss does not cover its cert type — verify.
146 if [ "$t" != "ssh-dss" ]; then
147 trace "connect via agent using $t key"
# CertificateFile pairs the certificate with the agent-held key named by -i.
148 ${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub \
149 -oCertificateFile=$OBJ/$t-agent-cert.pub \
150 -oIdentitiesOnly=yes somehost exit 52
152 if [ $r -ne 52 ]; then
153 fail "ssh connect with failed (exit code $r)"
160 trace "delete all agent keys"
161 ${SSHADD} -D > /dev/null 2>&1
163 if [ $r -ne 0 ]; then
164 fail "ssh-add -D failed: exit code $r"
166 # make sure they're gone
# Empty agent: -l is expected to exit 1, the same expectation as at start-up.
167 ${SSHADD} -l > /dev/null 2>&1
169 if [ $r -ne 1 ]; then
170 fail "ssh-add -l returned unexpected exit code: $r"
173 # re-add keys/certs to agent
# Loads from the moved-aside private keys; the *-private-cert.pub copies made
# earlier sit next to them so ssh-add can load the certificates as well.
# Here $? in the message is ssh-add's own status (left operand of ||).
174 for t in ${SSH_KEYTYPES}; do
175 ${SSHADD} $OBJ/$t-agent-private >/dev/null 2>&1 || \
176 fail "ssh-add failed exit code $?"
178 # make sure they are there
179 ${SSHADD} -l > /dev/null 2>&1
181 if [ $r -ne 0 ]; then
182 fail "ssh-add -l failed: exit code $r"
# Body of check_key_absent (its header line is not shown in this listing):
# $1 is a key type; a line of `ssh-add -L` output beginning with "$1 " means
# that type is still loaded, so the test fails. $1 is used as a basic regex,
# so the '.' in names like ...@openssh.com matches any character — harmless
# for the fixed type names this file passes in.
186 ${SSHADD} -L | grep "^$1 " >/dev/null
187 if [ $? -eq 0 ]; then
188 fail "$1 key unexpectedly present"
# Assert that a key type is loaded in the agent.
# Arguments: $1 - key type as printed in the first field of `ssh-add -L`
# Outputs:   calls the harness's fail when no line starts with "$1 ".
# Note: grep's error status (2) is indistinguishable from "no match" here,
# so a failing ssh-add -L also reports the key as missing. The closing
# fi/} are not shown in this listing.
191 check_key_present() {
192 ${SSHADD} -L | grep "^$1 " >/dev/null
193 if [ $? -ne 0 ]; then
194 fail "$1 key missing from agent"
198 # delete the ed25519 key
199 trace "delete single key by file"
# -d deletes, -q is quiet, and -k restricts the operation to the plain key so
# the certificate stays loaded (checked by the next two calls). The private
# file itself was moved aside earlier, so ssh-add presumably resolves this
# path via the .pub file.
200 ${SSHADD} -qdk $OBJ/ssh-ed25519-agent || fail "ssh-add -d ed25519 failed"
201 check_key_absent ssh-ed25519
202 check_key_present ssh-ed25519-cert-v01@openssh.com
# Reload the key; $? in the message is ssh-add's status (left operand of ||).
204 ${SSHADD} $OBJ/ssh-ed25519-agent-private >/dev/null 2>&1 || \
205 fail "ssh-add failed exit code $?"
206 check_key_present ssh-ed25519
207 # Delete both key and certificate.
# Without -k, -d removes the key and its certificate together.
208 trace "delete key/cert by file"
209 ${SSHADD} -qd $OBJ/ssh-ed25519-agent || fail "ssh-add -d ed25519 failed"
210 check_key_absent ssh-ed25519
211 check_key_absent ssh-ed25519-cert-v01@openssh.com
213 ${SSHADD} $OBJ/ssh-ed25519-agent-private >/dev/null 2>&1 || \
214 fail "ssh-add failed exit code $?"
215 check_key_present ssh-ed25519
216 # Delete certificate via stdin
# `-d -` reads the public key or certificate to remove from stdin; removing
# only the certificate leaves the plain key loaded.
217 ${SSHADD} -qd - < $OBJ/ssh-ed25519-agent-cert.pub || fail "ssh-add -d - failed"
218 check_key_present ssh-ed25519
219 check_key_absent ssh-ed25519-cert-v01@openssh.com
220 # Delete key via stdin
# Removing the plain key via stdin also leaves no certificate behind.
221 ${SSHADD} -qd - < $OBJ/ssh-ed25519-agent.pub || fail "ssh-add -d - failed"
222 check_key_absent ssh-ed25519
223 check_key_absent ssh-ed25519-cert-v01@openssh.com
# Tear down both agents. -k kills the agent named by SSH_AGENT_PID: first the
# one imported into the environment at start-up, then the FW_ agent via a
# per-command override. Neither exit status is checked.
226 ${SSHAGENT} -k > /dev/null
227 SSH_AGENT_PID=$FW_SSH_AGENT_PID ${SSHAGENT} -k > /dev/null