ena: Upgrade ena-com to freebsd v2.7.0

[FreeBSD/FreeBSD.git] / crypto / openssh / regress / agent-restrict.sh

#       $OpenBSD: agent-restrict.sh,v 1.6 2023/03/01 09:29:32 dtucker Exp $
#       Placed in the Public Domain.

tid="agent restrictions"

SSH_AUTH_SOCK="$OBJ/agent.sock"
export SSH_AUTH_SOCK
rm -f $SSH_AUTH_SOCK $OBJ/agent.log $OBJ/host_[abcdex]* $OBJ/user_[abcdex]*
rm -f $OBJ/sshd_proxy_host* $OBJ/ssh_output* $OBJ/expect_*
rm -f $OBJ/ssh_proxy[._]* $OBJ/command

verbose "generate keys"
for h in a b c d e x ca ; do
        $SSHKEYGEN -q -t ed25519 -C host_$h -N '' -f $OBJ/host_$h || \
                fatal "ssh-keygen hostkey failed"
        $SSHKEYGEN -q -t ed25519 -C user_$h -N '' -f $OBJ/user_$h || \
                fatal "ssh-keygen userkey failed"
done

# Make some hostcerts
for h in d e ; do
        id="host_$h"
        $SSHKEYGEN -q -s $OBJ/host_ca -I $id -n $id -h $OBJ/host_${h}.pub || \
                fatal "ssh-keygen certify failed"
done

verbose "prepare client config"
egrep -vi '(identityfile|hostname|hostkeyalias|proxycommand)' \
        $OBJ/ssh_proxy > $OBJ/ssh_proxy.bak
cat << _EOF > $OBJ/ssh_proxy
IdentitiesOnly yes
ForwardAgent yes
ExitOnForwardFailure yes
_EOF
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_noid
for h in a b c d e ; do
        cat << _EOF >> $OBJ/ssh_proxy
Host host_$h
        Hostname host_$h
        HostkeyAlias host_$h
        IdentityFile $OBJ/user_$h
        ProxyCommand ${SUDO} env SSH_SK_HELPER=\"$SSH_SK_HELPER\" ${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy_host_$h
_EOF
        # Variant with no specified keys.
        cat << _EOF >> $OBJ/ssh_proxy_noid
Host host_$h
        Hostname host_$h
        HostkeyAlias host_$h
        ProxyCommand ${SUDO} env SSH_SK_HELPER=\"$SSH_SK_HELPER\" ${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy_host_$h
_EOF
done
cat $OBJ/ssh_proxy.bak >> $OBJ/ssh_proxy
cat $OBJ/ssh_proxy.bak >> $OBJ/ssh_proxy_noid

LC_ALL=C
export LC_ALL
echo "SetEnv LC_ALL=${LC_ALL}" >> sshd_proxy

verbose "prepare known_hosts"
rm -f $OBJ/known_hosts
for h in a b c x ; do
        (printf "host_$h " ; cat $OBJ/host_${h}.pub) >> $OBJ/known_hosts
done
(printf "@cert-authority host_* " ; cat $OBJ/host_ca.pub) >> $OBJ/known_hosts

verbose "prepare server configs"
egrep -vi '(hostkey|pidfile)' $OBJ/sshd_proxy \
        > $OBJ/sshd_proxy.bak
for h in a b c d e; do
        cp $OBJ/sshd_proxy.bak $OBJ/sshd_proxy_host_$h
        cat << _EOF >> $OBJ/sshd_proxy_host_$h
ExposeAuthInfo yes
PidFile none
Hostkey $OBJ/host_$h
_EOF
done
for h in d e ; do
        echo "HostCertificate $OBJ/host_${h}-cert.pub" \
                >> $OBJ/sshd_proxy_host_$h
done
# Create authorized_keys with canned command.
reset_keys() {
        _whichcmd="$1"
        _command=""
        case "$_whichcmd" in
        authinfo)       _command="cat \$SSH_USER_AUTH" ;;
        keylist)                _command="$SSHADD -L | cut -d' ' -f-2 | sort" ;;
        *)              fatal "unsupported command $_whichcmd" ;;
        esac
        trace "reset keys"
        >$OBJ/authorized_keys_$USER
        for h in e d c b a; do
                (printf "%s" "restrict,agent-forwarding,command=\"$_command\" ";
                 cat $OBJ/user_$h.pub) >> $OBJ/authorized_keys_$USER
        done
}
# Prepare a key for comparison with ExposeAuthInfo/$SSH_USER_AUTH.
expect_key() {
        _key="$OBJ/${1}.pub"
        _file="$OBJ/$2"
        (printf "publickey " ; cut -d' ' -f-2 $_key) > $_file
}
# Prepare expect_* files to compare against authinfo forced command to ensure
# keys used for authentication match.
reset_expect_keys() {
        for u in a b c d e; do
                expect_key user_$u expect_$u
        done
}
# ssh to host, expecting success and that output matched expectation for
# that host (expect_$h file).
expect_succeed() {
        _id="$1"
        _case="$2"
        shift; shift; _extra="$@"
        _host="host_$_id"
        trace "connect $_host expect success"
        rm -f $OBJ/ssh_output
        ${SSH} $_extra -F $OBJ/ssh_proxy $_host true > $OBJ/ssh_output
        _s=$?
        test $_s -eq 0 || fail "host $_host $_case fail, exit status $_s"
        diff $OBJ/ssh_output $OBJ/expect_${_id} ||
                fail "unexpected ssh output"
}
# ssh to host using explicit key, expecting success and that the key was
# actually used for authentication.
expect_succeed_key() {
        _id="$1"
        _key="$2"
        _case="$3"
        shift; shift; shift; _extra="$@"
        _host="host_$_id"
        trace "connect $_host expect success, with key $_key"
        _keyfile="$OBJ/$_key"
        rm -f $OBJ/ssh_output
        ${SSH} $_extra -F $OBJ/ssh_proxy_noid \
            -oIdentityFile=$_keyfile $_host true > $OBJ/ssh_output
        _s=$?
        test $_s -eq 0 || fail "host $_host $_key $_case fail, exit status $_s"
        expect_key $_key expect_key
        diff $OBJ/ssh_output $OBJ/expect_key ||
                fail "incorrect key used for authentication"
}
# ssh to a host, expecting it to fail.
expect_fail() {
        _host="$1"
        _case="$2"
        shift; shift; _extra="$@"
        trace "connect $_host expect failure"
        ${SSH} $_extra -F $OBJ/ssh_proxy $_host true >/dev/null && \
                fail "host $_host $_case succeeded unexpectedly"
}
# ssh to a host using an explicit key, expecting it to fail.
expect_fail_key() {
        _id="$1"
        _key="$2"
        _case="$3"
        shift; shift; shift; _extra="$@"
        _host="host_$_id"
        trace "connect $_host expect failure, with key $_key"
        _keyfile="$OBJ/$_key"
        ${SSH} $_extra -F $OBJ/ssh_proxy_noid -oIdentityFile=$_keyfile \
            $_host true > $OBJ/ssh_output && \
                fail "host $_host $_key $_case succeeded unexpectedly"
}
# Move the private key files out of the way to force use of agent-hosted keys.
hide_privatekeys() {
        trace "hide private keys"
        for u in a b c d e x; do
                mv $OBJ/user_$u $OBJ/user_x$u || fatal "hide privkey $u"
        done
}
# Put the private key files back.
restore_privatekeys() {
        trace "restore private keys"
        for u in a b c d e x; do
                mv $OBJ/user_x$u $OBJ/user_$u || fatal "restore privkey $u"
        done
}
clear_agent() {
        ${SSHADD} -D > /dev/null 2>&1 || fatal "clear agent failed"
}

reset_keys authinfo
reset_expect_keys

verbose "authentication w/o agent"
for h in a b c d e ; do
        expect_succeed $h "w/o agent"
        wrongkey=user_e
        test "$h" = "e" && wrongkey=user_a
        expect_succeed_key $h $wrongkey "\"wrong\" key w/o agent"
done
hide_privatekeys
for h in a b c d e ; do
        expect_fail $h "w/o agent"
done
restore_privatekeys

verbose "start agent"
${SSHAGENT} ${EXTRA_AGENT_ARGS} -d -a $SSH_AUTH_SOCK > $OBJ/agent.log 2>&1 &
AGENT_PID=$!
trap "kill $AGENT_PID" EXIT
sleep 4 # Give it a chance to start
# Check that it's running.
${SSHADD} -l > /dev/null 2>&1
if [ $? -ne 1 ]; then
        fail "ssh-add -l did not fail with exit code 1"
fi

verbose "authentication with agent (no restrict)"
for u in a b c d e x; do
        $SSHADD -q $OBJ/user_$u || fatal "add key $u unrestricted"
done
hide_privatekeys
for h in a b c d e ; do
        expect_succeed $h "with agent"
        wrongkey=user_e
        test "$h" = "e" && wrongkey=user_a
        expect_succeed_key $h $wrongkey "\"wrong\" key with agent"
done

verbose "unrestricted keylist"
reset_keys keylist
rm -f $OBJ/expect_list.pre
# List of keys from agent should contain everything.
for u in a b c d e x; do
        cut -d " " -f-2 $OBJ/user_${u}.pub >> $OBJ/expect_list.pre
done
sort $OBJ/expect_list.pre > $OBJ/expect_list
for h in a b c d e; do
        cp $OBJ/expect_list $OBJ/expect_$h
        expect_succeed $h "unrestricted keylist"
done
restore_privatekeys

verbose "authentication with agent (basic restrict)"
reset_keys authinfo
reset_expect_keys
for h in a b c d e; do
        $SSHADD -h host_$h -H $OBJ/known_hosts -q $OBJ/user_$h \
                || fatal "add key $u basic restrict"
done
# One more, unrestricted
$SSHADD -q $OBJ/user_x || fatal "add unrestricted key"
hide_privatekeys
# Authentication to host with expected key should work.
for h in a b c d e ; do
        expect_succeed $h "with agent"
done
# Authentication to host with incorrect key should fail.
verbose "authentication with agent incorrect key (basic restrict)"
for h in a b c d e ; do
        wrongkey=user_e
        test "$h" = "e" && wrongkey=user_a
        expect_fail_key $h $wrongkey "wrong key with agent (basic restrict)"
done

verbose "keylist (basic restrict)"
reset_keys keylist
# List from forwarded agent should contain only user_x - the unrestricted key.
cut -d " " -f-2 $OBJ/user_x.pub > $OBJ/expect_list
for h in a b c d e; do
        cp $OBJ/expect_list $OBJ/expect_$h
        expect_succeed $h "keylist (basic restrict)"
done
restore_privatekeys

verbose "username"
reset_keys authinfo
reset_expect_keys
for h in a b c d e; do
        $SSHADD -h "${USER}@host_$h" -H $OBJ/known_hosts -q $OBJ/user_$h \
                || fatal "add key $u basic restrict"
done
hide_privatekeys
for h in a b c d e ; do
        expect_succeed $h "wildcard user"
done
restore_privatekeys

verbose "username wildcard"
reset_keys authinfo
reset_expect_keys
for h in a b c d e; do
        $SSHADD -h "*@host_$h" -H $OBJ/known_hosts -q $OBJ/user_$h \
                || fatal "add key $u basic restrict"
done
hide_privatekeys
for h in a b c d e ; do
        expect_succeed $h "wildcard user"
done
restore_privatekeys

verbose "username incorrect"
reset_keys authinfo
reset_expect_keys
for h in a b c d e; do
        $SSHADD -h "--BADUSER@host_$h" -H $OBJ/known_hosts -q $OBJ/user_$h \
                || fatal "add key $u basic restrict"
done
hide_privatekeys
for h in a b c d e ; do
        expect_fail $h "incorrect user"
done
restore_privatekeys


verbose "agent restriction honours certificate principal"
reset_keys authinfo
reset_expect_keys
clear_agent
$SSHADD -h host_e -H $OBJ/known_hosts -q $OBJ/user_d || fatal "add key"
hide_privatekeys
expect_fail d "restricted agent w/ incorrect cert principal"
restore_privatekeys

# Prepares the script used to drive chained ssh connections for the
# multihop tests. Believe me, this is easier than getting the escaping
# right for 5 hops on the command-line...
prepare_multihop_script() {
        MULTIHOP_RUN=$OBJ/command
        cat << _EOF > $MULTIHOP_RUN
#!/bin/sh
#set -x
me="\$1" ; shift
next="\$1"
if test ! -z "\$me" ; then 
        rm -f $OBJ/done
        echo "HOSTNAME host_\$me"
        echo "AUTHINFO"
        cat \$SSH_USER_AUTH
fi
echo AGENT
$SSHADD -L | egrep "^ssh" | cut -d" " -f-2 | sort
if test -z "\$next" ; then 
        touch $OBJ/done
        echo "FINISH"
        e=0
else
        echo NEXT
        ${SSH} -F $OBJ/ssh_proxy_noid -oIdentityFile=$OBJ/user_a \
                host_\$next $MULTIHOP_RUN "\$@"
        e=\$?
fi
echo "COMPLETE \"\$me\""
if test ! -z "\$me" ; then 
        if test ! -f $OBJ/done ; then
                echo "DONE MARKER MISSING"
                test \$e -eq 0 && e=63
        fi
fi
exit \$e
_EOF
        chmod u+x $MULTIHOP_RUN
}

# Prepare expected output for multihop tests at expect_a
prepare_multihop_expected() {
        _keys="$1"
        _hops="a b c d e"
        test -z "$2" || _hops="$2"
        _revhops=$(echo "$_hops" | rev)
        _lasthop=$(echo "$_hops" | sed 's/.* //')

        rm -f $OBJ/expect_keys
        for h in a b c d e; do
                cut -d" " -f-2 $OBJ/user_${h}.pub >> $OBJ/expect_keys
        done
        rm -f $OBJ/expect_a
        echo "AGENT" >> $OBJ/expect_a
        test "x$_keys" = "xnone" || sort $OBJ/expect_keys >> $OBJ/expect_a
        echo "NEXT" >> $OBJ/expect_a
        for h in $_hops ; do 
                echo "HOSTNAME host_$h" >> $OBJ/expect_a
                echo "AUTHINFO" >> $OBJ/expect_a
                (printf "publickey " ; cut -d" " -f-2 $OBJ/user_a.pub) >> $OBJ/expect_a
                echo "AGENT" >> $OBJ/expect_a
                if test "x$_keys" = "xall" ; then
                        sort $OBJ/expect_keys >> $OBJ/expect_a
                fi
                if test "x$h" != "x$_lasthop" ; then
                        if test "x$_keys" = "xfiltered" ; then
                                cut -d" " -f-2 $OBJ/user_a.pub >> $OBJ/expect_a
                        fi
                        echo "NEXT" >> $OBJ/expect_a
                fi
        done
        echo "FINISH" >> $OBJ/expect_a
        for h in $_revhops "" ; do 
                echo "COMPLETE \"$h\"" >> $OBJ/expect_a
        done
}

prepare_multihop_script
cp $OBJ/user_a.pub $OBJ/authorized_keys_$USER # only one key used.

verbose "multihop without agent"
clear_agent
prepare_multihop_expected none
$MULTIHOP_RUN "" a b c d e > $OBJ/ssh_output || fail "multihop no agent ssh failed"
diff $OBJ/ssh_output $OBJ/expect_a || fail "unexpected ssh output"

verbose "multihop agent unrestricted"
clear_agent
$SSHADD -q $OBJ/user_[abcde]
prepare_multihop_expected all
$MULTIHOP_RUN "" a b c d e > $OBJ/ssh_output || fail "multihop no agent ssh failed"
diff $OBJ/ssh_output $OBJ/expect_a || fail "unexpected ssh output"

verbose "multihop restricted"
clear_agent
prepare_multihop_expected filtered
# Add user_a, with permission to connect through the whole chain.
$SSHADD -h host_a -h "host_a>host_b" -h "host_b>host_c" \
        -h "host_c>host_d" -h "host_d>host_e" \
        -H $OBJ/known_hosts -q $OBJ/user_a \
        || fatal "add key user_a multihop"
# Add the other keys, bound to a unused host.
$SSHADD -q -h host_x -H $OBJ/known_hosts $OBJ/user_[bcde] || fail "add keys"
hide_privatekeys
$MULTIHOP_RUN "" a b c d e > $OBJ/ssh_output || fail "multihop ssh failed"
diff $OBJ/ssh_output $OBJ/expect_a || fail "unexpected ssh output"
restore_privatekeys

verbose "multihop username"
$SSHADD -h host_a -h "host_a>${USER}@host_b" -h "host_b>${USER}@host_c" \
        -h "host_c>${USER}@host_d"  -h "host_d>${USER}@host_e" \
        -H $OBJ/known_hosts -q $OBJ/user_a || fatal "add key user_a multihop"
hide_privatekeys
$MULTIHOP_RUN "" a b c d e > $OBJ/ssh_output || fail "multihop w/ user ssh failed"
diff $OBJ/ssh_output $OBJ/expect_a || fail "unexpected ssh output"
restore_privatekeys

verbose "multihop wildcard username"
$SSHADD -h host_a -h "host_a>*@host_b" -h "host_b>*@host_c" \
        -h "host_c>*@host_d"  -h "host_d>*@host_e" \
        -H $OBJ/known_hosts -q $OBJ/user_a || fatal "add key user_a multihop"
hide_privatekeys
$MULTIHOP_RUN "" a b c d e > $OBJ/ssh_output || fail "multihop w/ user ssh failed"
diff $OBJ/ssh_output $OBJ/expect_a || fail "unexpected ssh output"
restore_privatekeys

verbose "multihop wrong username"
$SSHADD -h host_a -h "host_a>*@host_b" -h "host_b>*@host_c" \
        -h "host_c>--BADUSER@host_d"  -h "host_d>*@host_e" \
        -H $OBJ/known_hosts -q $OBJ/user_a || fatal "add key user_a multihop"
hide_privatekeys
$MULTIHOP_RUN "" a b c d e > $OBJ/ssh_output && \
        fail "multihop with wrong user succeeded unexpectedly"
restore_privatekeys

verbose "multihop cycle no agent"
clear_agent
prepare_multihop_expected none "a b a a c d e"
$MULTIHOP_RUN "" a b a a c d e > $OBJ/ssh_output || \
        fail "multihop cycle no-agent fail"
diff $OBJ/ssh_output $OBJ/expect_a || fail "unexpected ssh output"

verbose "multihop cycle agent unrestricted"
clear_agent
$SSHADD -q $OBJ/user_[abcde] || fail "add keys"
prepare_multihop_expected all "a b a a c d e"
$MULTIHOP_RUN "" a b a a c d e > $OBJ/ssh_output || \
        fail "multihop cycle agent ssh failed"
diff $OBJ/ssh_output $OBJ/expect_a || fail "unexpected ssh output"

verbose "multihop cycle restricted deny"
clear_agent
$SSHADD -q -h host_x -H $OBJ/known_hosts $OBJ/user_[bcde] || fail "add keys"
$SSHADD -h host_a -h "host_a>host_b" -h "host_b>host_c" \
        -h "host_c>host_d" -h "host_d>host_e" \
        -H $OBJ/known_hosts -q $OBJ/user_a \
        || fatal "add key user_a multihop"
prepare_multihop_expected filtered "a b a a c d e"
hide_privatekeys
$MULTIHOP_RUN "" a b a a c d e > $OBJ/ssh_output && \
        fail "multihop cycle restricted deny succeded unexpectedly"
restore_privatekeys

verbose "multihop cycle restricted allow"
clear_agent
$SSHADD -q -h host_x -H $OBJ/known_hosts $OBJ/user_[bcde] || fail "add keys"
$SSHADD -h host_a -h "host_a>host_b" -h "host_b>host_c" \
        -h "host_c>host_d" -h "host_d>host_e" \
        -h "host_b>host_a" -h "host_a>host_a" -h "host_a>host_c" \
        -H $OBJ/known_hosts -q $OBJ/user_a \
        || fatal "add key user_a multihop"
prepare_multihop_expected filtered "a b a a c d e"
hide_privatekeys
$MULTIHOP_RUN "" a b a a c d e > $OBJ/ssh_output || \
        fail "multihop cycle restricted allow failed"
diff $OBJ/ssh_output $OBJ/expect_a || fail "unexpected ssh output"
restore_privatekeys