1 # $OpenBSD: cert-userkey.sh,v 1.16 2016/05/03 12:15:49 dtucker Exp $
2 # Placed in the Public Domain.
4 tid="certified user keys"
6 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
7 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8 cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
10 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
12 if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
13 PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
19 # subshell because some seds will add a newline
20 *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;;
22 echo "$n*,ssh-rsa*,ssh-ed25519*"
26 ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
27 fail "ssh-keygen of user_ca_key failed"
29 # Generate and sign user keys
30 for ktype in $PLAIN_TYPES $EXTRA_TYPES ; do
31 verbose "$tid: sign user ${ktype} cert"
32 ${SSHKEYGEN} -q -N '' -t ${ktype} \
33 -f $OBJ/cert_user_key_${ktype} || \
34 fatal "ssh-keygen of cert_user_key_${ktype} failed"
35 # Generate RSA/SHA2 certs for rsa-sha2* keys.
37 rsa-sha2-*) tflag="-t $ktype" ;;
40 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -z $$ \
41 -I "regress user key for $USER" \
42 -n ${USER},mekmitasdigoat $tflag $OBJ/cert_user_key_${ktype} || \
43 fatal "couldn't sign cert_user_key_${ktype}"
46 # Test explicitly-specified principals
47 for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
49 for privsep in yes no ; do
50 _prefix="${ktype} privsep $privsep"
52 # Setup for AuthorizedPrincipalsFile
53 rm -f $OBJ/authorized_keys_$USER
55 cat $OBJ/sshd_proxy_bak
56 echo "UsePrivilegeSeparation $privsep"
57 echo "AuthorizedPrincipalsFile " \
58 "$OBJ/authorized_principals_%u"
59 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
60 echo "PubkeyAcceptedKeyTypes ${t}"
63 cat $OBJ/ssh_proxy_bak
64 echo "PubkeyAcceptedKeyTypes ${t}"
67 # Missing authorized_principals
68 verbose "$tid: ${_prefix} missing authorized_principals"
69 rm -f $OBJ/authorized_principals_$USER
70 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
71 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
73 fail "ssh cert connect succeeded unexpectedly"
76 # Empty authorized_principals
77 verbose "$tid: ${_prefix} empty authorized_principals"
78 echo > $OBJ/authorized_principals_$USER
79 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
80 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
82 fail "ssh cert connect succeeded unexpectedly"
85 # Wrong authorized_principals
86 verbose "$tid: ${_prefix} wrong authorized_principals"
87 echo gregorsamsa > $OBJ/authorized_principals_$USER
88 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
89 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
91 fail "ssh cert connect succeeded unexpectedly"
94 # Correct authorized_principals
95 verbose "$tid: ${_prefix} correct authorized_principals"
96 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
97 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
98 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
100 fail "ssh cert connect failed"
103 # authorized_principals with bad key option
104 verbose "$tid: ${_prefix} authorized_principals bad key opt"
105 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
106 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
107 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
108 if [ $? -eq 0 ]; then
109 fail "ssh cert connect succeeded unexpectedly"
112 # authorized_principals with command=false
113 verbose "$tid: ${_prefix} authorized_principals command=false"
114 echo 'command="false" mekmitasdigoat' > \
115 $OBJ/authorized_principals_$USER
116 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
117 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
118 if [ $? -eq 0 ]; then
119 fail "ssh cert connect succeeded unexpectedly"
123 # authorized_principals with command=true
124 verbose "$tid: ${_prefix} authorized_principals command=true"
125 echo 'command="true" mekmitasdigoat' > \
126 $OBJ/authorized_principals_$USER
127 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
128 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
129 if [ $? -ne 0 ]; then
130 fail "ssh cert connect failed"
133 # Setup for principals= key option
134 rm -f $OBJ/authorized_principals_$USER
136 cat $OBJ/sshd_proxy_bak
137 echo "UsePrivilegeSeparation $privsep"
138 echo "PubkeyAcceptedKeyTypes ${t}"
141 cat $OBJ/ssh_proxy_bak
142 echo "PubkeyAcceptedKeyTypes ${t}"
145 # Wrong principals list
146 verbose "$tid: ${_prefix} wrong principals key option"
148 printf 'cert-authority,principals="gregorsamsa" '
149 cat $OBJ/user_ca_key.pub
150 ) > $OBJ/authorized_keys_$USER
151 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
152 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
153 if [ $? -eq 0 ]; then
154 fail "ssh cert connect succeeded unexpectedly"
157 # Correct principals list
158 verbose "$tid: ${_prefix} correct principals key option"
160 printf 'cert-authority,principals="mekmitasdigoat" '
161 cat $OBJ/user_ca_key.pub
162 ) > $OBJ/authorized_keys_$USER
163 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
164 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
165 if [ $? -ne 0 ]; then
166 fail "ssh cert connect failed"
173 if test "x$auth" = "xauthorized_keys" ; then
174 # Add CA to authorized_keys
176 printf 'cert-authority '
177 cat $OBJ/user_ca_key.pub
178 ) > $OBJ/authorized_keys_$USER
180 echo > $OBJ/authorized_keys_$USER
181 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
184 for ktype in $PLAIN_TYPES ; do
186 for privsep in yes no ; do
187 _prefix="${ktype} privsep $privsep $auth"
189 verbose "$tid: ${_prefix} connect"
191 cat $OBJ/sshd_proxy_bak
192 echo "UsePrivilegeSeparation $privsep"
193 echo "PubkeyAcceptedKeyTypes ${t}"
197 cat $OBJ/ssh_proxy_bak
198 echo "PubkeyAcceptedKeyTypes ${t}"
201 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
202 -F $OBJ/ssh_proxy somehost true
203 if [ $? -ne 0 ]; then
204 fail "ssh cert connect failed"
208 verbose "$tid: ${_prefix} revoked key"
210 cat $OBJ/sshd_proxy_bak
211 echo "UsePrivilegeSeparation $privsep"
212 echo "RevokedKeys $OBJ/cert_user_key_revoked"
213 echo "PubkeyAcceptedKeyTypes ${t}"
216 cp $OBJ/cert_user_key_${ktype}.pub \
217 $OBJ/cert_user_key_revoked
218 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
219 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
220 if [ $? -eq 0 ]; then
221 fail "ssh cert connect succeeded unexpecedly"
223 verbose "$tid: ${_prefix} revoked via KRL"
224 rm $OBJ/cert_user_key_revoked
225 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
226 $OBJ/cert_user_key_${ktype}.pub
227 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
228 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
229 if [ $? -eq 0 ]; then
230 fail "ssh cert connect succeeded unexpecedly"
232 verbose "$tid: ${_prefix} empty KRL"
233 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
234 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
235 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
236 if [ $? -ne 0 ]; then
237 fail "ssh cert connect failed"
242 verbose "$tid: ${ktype} $auth revoked CA key"
244 cat $OBJ/sshd_proxy_bak
245 echo "RevokedKeys $OBJ/user_ca_key.pub"
246 echo "PubkeyAcceptedKeyTypes ${t}"
249 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
250 somehost true >/dev/null 2>&1
251 if [ $? -eq 0 ]; then
252 fail "ssh cert connect succeeded unexpecedly"
256 verbose "$tid: $auth CA does not authenticate"
258 cat $OBJ/sshd_proxy_bak
259 echo "PubkeyAcceptedKeyTypes ${t}"
262 verbose "$tid: ensure CA key does not authenticate user"
263 ${SSH} -2i $OBJ/user_ca_key \
264 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
265 if [ $? -eq 0 ]; then
266 fail "ssh cert connect with CA key succeeded unexpectedly"
270 basic_tests authorized_keys
271 basic_tests TrustedUserCAKeys
280 if test "x$auth_choice" = "x" ; then
281 auth_choice="authorized_keys TrustedUserCAKeys"
284 for auth in $auth_choice ; do
285 for ktype in rsa ed25519 ; do
286 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
287 if test "x$auth" = "xauthorized_keys" ; then
288 # Add CA to authorized_keys
290 printf "cert-authority${auth_opt} "
291 cat $OBJ/user_ca_key.pub
292 ) > $OBJ/authorized_keys_$USER
294 echo > $OBJ/authorized_keys_$USER
295 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
297 echo "PubkeyAcceptedKeyTypes ${t}*" \
299 if test "x$auth_opt" != "x" ; then
300 echo $auth_opt >> $OBJ/sshd_proxy
304 verbose "$tid: $ident auth $auth expect $result $ktype"
305 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
306 -I "regress user key for $USER" \
307 $sign_opts $OBJ/cert_user_key_${ktype} ||
308 fail "couldn't sign cert_user_key_${ktype}"
310 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
311 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
313 if [ "x$result" = "xsuccess" ] ; then
314 if [ $rc -ne 0 ]; then
315 fail "$ident failed unexpectedly"
318 if [ $rc -eq 0 ]; then
319 fail "$ident succeeded unexpectedly"
326 test_one "correct principal" success "-n ${USER}"
327 test_one "host-certificate" failure "-n ${USER} -h"
328 test_one "wrong principals" failure "-n foo"
329 test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
330 test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
331 test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
332 test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
333 test_one "force-command" failure "-n ${USER} -Oforce-command=false"
335 # Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
336 test_one "empty principals" success "" authorized_keys
337 test_one "empty principals" failure "" TrustedUserCAKeys
339 # Check explicitly-specified principals: an empty principals list in the cert
340 # should always be refused.
342 # AuthorizedPrincipalsFile
343 rm -f $OBJ/authorized_keys_$USER
344 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
345 test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
346 TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
347 test_one "AuthorizedPrincipalsFile no principals" failure "" \
348 TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
350 # principals= key option
351 rm -f $OBJ/authorized_principals_$USER
352 test_one "principals key option principals" success "-n mekmitasdigoat" \
353 authorized_keys ',principals="mekmitasdigoat"'
354 test_one "principals key option no principals" failure "" \
355 authorized_keys ',principals="mekmitasdigoat"'
358 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
359 for ktype in $PLAIN_TYPES ; do
362 ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
363 "regress user key for $USER" \
364 -n $USER $OBJ/cert_user_key_${ktype} ||
365 fatal "couldn't sign cert_user_key_${ktype}"
366 verbose "$tid: user ${ktype} connect wrong cert"
367 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
368 somehost true >/dev/null 2>&1
369 if [ $? -eq 0 ]; then
370 fail "ssh cert connect $ident succeeded unexpectedly"
374 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
375 rm -f $OBJ/authorized_principals_$USER