1 # $OpenBSD: agent-restrict.sh,v 1.6 2023/03/01 09:29:32 dtucker Exp $
2 # Placed in the Public Domain.
4 tid="agent restrictions"
6 SSH_AUTH_SOCK="$OBJ/agent.sock"
8 rm -f $SSH_AUTH_SOCK $OBJ/agent.log $OBJ/host_[abcdex]* $OBJ/user_[abcdex]*
9 rm -f $OBJ/sshd_proxy_host* $OBJ/ssh_output* $OBJ/expect_*
10 rm -f $OBJ/ssh_proxy[._]* $OBJ/command
12 verbose "generate keys"
13 for h in a b c d e x ca ; do
14 $SSHKEYGEN -q -t ed25519 -C host_$h -N '' -f $OBJ/host_$h || \
15 fatal "ssh-keygen hostkey failed"
16 $SSHKEYGEN -q -t ed25519 -C user_$h -N '' -f $OBJ/user_$h || \
17 fatal "ssh-keygen userkey failed"
23 $SSHKEYGEN -q -s $OBJ/host_ca -I $id -n $id -h $OBJ/host_${h}.pub || \
24 fatal "ssh-keygen certify failed"
27 verbose "prepare client config"
28 egrep -vi '(identityfile|hostname|hostkeyalias|proxycommand)' \
29 $OBJ/ssh_proxy > $OBJ/ssh_proxy.bak
30 cat << _EOF > $OBJ/ssh_proxy
33 ExitOnForwardFailure yes
35 cp $OBJ/ssh_proxy $OBJ/ssh_proxy_noid
36 for h in a b c d e ; do
37 cat << _EOF >> $OBJ/ssh_proxy
41 IdentityFile $OBJ/user_$h
42 ProxyCommand ${SUDO} env SSH_SK_HELPER=\"$SSH_SK_HELPER\" ${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy_host_$h
44 # Variant with no specified keys.
45 cat << _EOF >> $OBJ/ssh_proxy_noid
49 ProxyCommand ${SUDO} env SSH_SK_HELPER=\"$SSH_SK_HELPER\" ${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy_host_$h
52 cat $OBJ/ssh_proxy.bak >> $OBJ/ssh_proxy
53 cat $OBJ/ssh_proxy.bak >> $OBJ/ssh_proxy_noid
57 echo "SetEnv LC_ALL=${LC_ALL}" >> sshd_proxy
59 verbose "prepare known_hosts"
60 rm -f $OBJ/known_hosts
62 (printf "host_$h " ; cat $OBJ/host_${h}.pub) >> $OBJ/known_hosts
64 (printf "@cert-authority host_* " ; cat $OBJ/host_ca.pub) >> $OBJ/known_hosts
66 verbose "prepare server configs"
67 egrep -vi '(hostkey|pidfile)' $OBJ/sshd_proxy \
69 for h in a b c d e; do
70 cp $OBJ/sshd_proxy.bak $OBJ/sshd_proxy_host_$h
71 cat << _EOF >> $OBJ/sshd_proxy_host_$h
78 echo "HostCertificate $OBJ/host_${h}-cert.pub" \
79 >> $OBJ/sshd_proxy_host_$h
81 # Create authorized_keys with canned command.
86 authinfo) _command="cat \$SSH_USER_AUTH" ;;
87 keylist) _command="$SSHADD -L | cut -d' ' -f-2 | sort" ;;
88 *) fatal "unsupported command $_whichcmd" ;;
91 >$OBJ/authorized_keys_$USER
92 for h in e d c b a; do
93 (printf "%s" "restrict,agent-forwarding,command=\"$_command\" ";
94 cat $OBJ/user_$h.pub) >> $OBJ/authorized_keys_$USER
97 # Prepare a key for comparison with ExposeAuthInfo/$SSH_USER_AUTH.
101 (printf "publickey " ; cut -d' ' -f-2 $_key) > $_file
103 # Prepare expect_* files to compare against authinfo forced command to ensure
104 # keys used for authentication match.
105 reset_expect_keys() {
106 for u in a b c d e; do
107 expect_key user_$u expect_$u
110 # ssh to host, expecting success and that output matched expectation for
111 # that host (expect_$h file).
115 shift; shift; _extra="$@"
117 trace "connect $_host expect success"
118 rm -f $OBJ/ssh_output
119 ${SSH} $_extra -F $OBJ/ssh_proxy $_host true > $OBJ/ssh_output
121 test $_s -eq 0 || fail "host $_host $_case fail, exit status $_s"
122 diff $OBJ/ssh_output $OBJ/expect_${_id} ||
123 fail "unexpected ssh output"
125 # ssh to host using explicit key, expecting success and that the key was
126 # actually used for authentication.
127 expect_succeed_key() {
131 shift; shift; shift; _extra="$@"
133 trace "connect $_host expect success, with key $_key"
134 _keyfile="$OBJ/$_key"
135 rm -f $OBJ/ssh_output
136 ${SSH} $_extra -F $OBJ/ssh_proxy_noid \
137 -oIdentityFile=$_keyfile $_host true > $OBJ/ssh_output
139 test $_s -eq 0 || fail "host $_host $_key $_case fail, exit status $_s"
140 expect_key $_key expect_key
141 diff $OBJ/ssh_output $OBJ/expect_key ||
142 fail "incorrect key used for authentication"
144 # ssh to a host, expecting it to fail.
148 shift; shift; _extra="$@"
149 trace "connect $_host expect failure"
150 ${SSH} $_extra -F $OBJ/ssh_proxy $_host true >/dev/null && \
151 fail "host $_host $_case succeeded unexpectedly"
153 # ssh to a host using an explicit key, expecting it to fail.
158 shift; shift; shift; _extra="$@"
160 trace "connect $_host expect failure, with key $_key"
161 _keyfile="$OBJ/$_key"
162 ${SSH} $_extra -F $OBJ/ssh_proxy_noid -oIdentityFile=$_keyfile \
163 $_host true > $OBJ/ssh_output && \
164 fail "host $_host $_key $_case succeeded unexpectedly"
166 # Move the private key files out of the way to force use of agent-hosted keys.
168 trace "hide private keys"
169 for u in a b c d e x; do
170 mv $OBJ/user_$u $OBJ/user_x$u || fatal "hide privkey $u"
173 # Put the private key files back.
174 restore_privatekeys() {
175 trace "restore private keys"
176 for u in a b c d e x; do
177 mv $OBJ/user_x$u $OBJ/user_$u || fatal "restore privkey $u"
181 ${SSHADD} -D > /dev/null 2>&1 || fatal "clear agent failed"
187 verbose "authentication w/o agent"
188 for h in a b c d e ; do
189 expect_succeed $h "w/o agent"
191 test "$h" = "e" && wrongkey=user_a
192 expect_succeed_key $h $wrongkey "\"wrong\" key w/o agent"
195 for h in a b c d e ; do
196 expect_fail $h "w/o agent"
200 verbose "start agent"
201 ${SSHAGENT} ${EXTRA_AGENT_ARGS} -d -a $SSH_AUTH_SOCK > $OBJ/agent.log 2>&1 &
203 trap "kill $AGENT_PID" EXIT
204 sleep 4 # Give it a chance to start
205 # Check that it's running.
206 ${SSHADD} -l > /dev/null 2>&1
207 if [ $? -ne 1 ]; then
208 fail "ssh-add -l did not fail with exit code 1"
211 verbose "authentication with agent (no restrict)"
212 for u in a b c d e x; do
213 $SSHADD -q $OBJ/user_$u || fatal "add key $u unrestricted"
216 for h in a b c d e ; do
217 expect_succeed $h "with agent"
219 test "$h" = "e" && wrongkey=user_a
220 expect_succeed_key $h $wrongkey "\"wrong\" key with agent"
223 verbose "unrestricted keylist"
225 rm -f $OBJ/expect_list.pre
226 # List of keys from agent should contain everything.
227 for u in a b c d e x; do
228 cut -d " " -f-2 $OBJ/user_${u}.pub >> $OBJ/expect_list.pre
230 sort $OBJ/expect_list.pre > $OBJ/expect_list
231 for h in a b c d e; do
232 cp $OBJ/expect_list $OBJ/expect_$h
233 expect_succeed $h "unrestricted keylist"
237 verbose "authentication with agent (basic restrict)"
240 for h in a b c d e; do
241 $SSHADD -h host_$h -H $OBJ/known_hosts -q $OBJ/user_$h \
242 || fatal "add key $u basic restrict"
244 # One more, unrestricted
245 $SSHADD -q $OBJ/user_x || fatal "add unrestricted key"
247 # Authentication to host with expected key should work.
248 for h in a b c d e ; do
249 expect_succeed $h "with agent"
251 # Authentication to host with incorrect key should fail.
252 verbose "authentication with agent incorrect key (basic restrict)"
253 for h in a b c d e ; do
255 test "$h" = "e" && wrongkey=user_a
256 expect_fail_key $h $wrongkey "wrong key with agent (basic restrict)"
259 verbose "keylist (basic restrict)"
261 # List from forwarded agent should contain only user_x - the unrestricted key.
262 cut -d " " -f-2 $OBJ/user_x.pub > $OBJ/expect_list
263 for h in a b c d e; do
264 cp $OBJ/expect_list $OBJ/expect_$h
265 expect_succeed $h "keylist (basic restrict)"
272 for h in a b c d e; do
273 $SSHADD -h "${USER}@host_$h" -H $OBJ/known_hosts -q $OBJ/user_$h \
274 || fatal "add key $u basic restrict"
277 for h in a b c d e ; do
278 expect_succeed $h "wildcard user"
282 verbose "username wildcard"
285 for h in a b c d e; do
286 $SSHADD -h "*@host_$h" -H $OBJ/known_hosts -q $OBJ/user_$h \
287 || fatal "add key $u basic restrict"
290 for h in a b c d e ; do
291 expect_succeed $h "wildcard user"
295 verbose "username incorrect"
298 for h in a b c d e; do
299 $SSHADD -h "--BADUSER@host_$h" -H $OBJ/known_hosts -q $OBJ/user_$h \
300 || fatal "add key $u basic restrict"
303 for h in a b c d e ; do
304 expect_fail $h "incorrect user"
309 verbose "agent restriction honours certificate principal"
313 $SSHADD -h host_e -H $OBJ/known_hosts -q $OBJ/user_d || fatal "add key"
315 expect_fail d "restricted agent w/ incorrect cert principal"
318 # Prepares the script used to drive chained ssh connections for the
319 # multihop tests. Believe me, this is easier than getting the escaping
320 # right for 5 hops on the command-line...
321 prepare_multihop_script() {
322 MULTIHOP_RUN=$OBJ/command
323 cat << _EOF > $MULTIHOP_RUN
328 if test ! -z "\$me" ; then
330 echo "HOSTNAME host_\$me"
335 $SSHADD -L | egrep "^ssh" | cut -d" " -f-2 | sort
336 if test -z "\$next" ; then
342 ${SSH} -F $OBJ/ssh_proxy_noid -oIdentityFile=$OBJ/user_a \
343 host_\$next $MULTIHOP_RUN "\$@"
346 echo "COMPLETE \"\$me\""
347 if test ! -z "\$me" ; then
348 if test ! -f $OBJ/done ; then
349 echo "DONE MARKER MISSING"
350 test \$e -eq 0 && e=63
355 chmod u+x $MULTIHOP_RUN
358 # Prepare expected output for multihop tests at expect_a
359 prepare_multihop_expected() {
362 test -z "$2" || _hops="$2"
363 _revhops=$(echo "$_hops" | rev)
364 _lasthop=$(echo "$_hops" | sed 's/.* //')
366 rm -f $OBJ/expect_keys
367 for h in a b c d e; do
368 cut -d" " -f-2 $OBJ/user_${h}.pub >> $OBJ/expect_keys
371 echo "AGENT" >> $OBJ/expect_a
372 test "x$_keys" = "xnone" || sort $OBJ/expect_keys >> $OBJ/expect_a
373 echo "NEXT" >> $OBJ/expect_a
375 echo "HOSTNAME host_$h" >> $OBJ/expect_a
376 echo "AUTHINFO" >> $OBJ/expect_a
377 (printf "publickey " ; cut -d" " -f-2 $OBJ/user_a.pub) >> $OBJ/expect_a
378 echo "AGENT" >> $OBJ/expect_a
379 if test "x$_keys" = "xall" ; then
380 sort $OBJ/expect_keys >> $OBJ/expect_a
382 if test "x$h" != "x$_lasthop" ; then
383 if test "x$_keys" = "xfiltered" ; then
384 cut -d" " -f-2 $OBJ/user_a.pub >> $OBJ/expect_a
386 echo "NEXT" >> $OBJ/expect_a
389 echo "FINISH" >> $OBJ/expect_a
390 for h in $_revhops "" ; do
391 echo "COMPLETE \"$h\"" >> $OBJ/expect_a
395 prepare_multihop_script
396 cp $OBJ/user_a.pub $OBJ/authorized_keys_$USER # only one key used.
398 verbose "multihop without agent"
400 prepare_multihop_expected none
401 $MULTIHOP_RUN "" a b c d e > $OBJ/ssh_output || fail "multihop no agent ssh failed"
402 diff $OBJ/ssh_output $OBJ/expect_a || fail "unexpected ssh output"
404 verbose "multihop agent unrestricted"
406 $SSHADD -q $OBJ/user_[abcde]
407 prepare_multihop_expected all
408 $MULTIHOP_RUN "" a b c d e > $OBJ/ssh_output || fail "multihop no agent ssh failed"
409 diff $OBJ/ssh_output $OBJ/expect_a || fail "unexpected ssh output"
411 verbose "multihop restricted"
413 prepare_multihop_expected filtered
414 # Add user_a, with permission to connect through the whole chain.
415 $SSHADD -h host_a -h "host_a>host_b" -h "host_b>host_c" \
416 -h "host_c>host_d" -h "host_d>host_e" \
417 -H $OBJ/known_hosts -q $OBJ/user_a \
418 || fatal "add key user_a multihop"
419 # Add the other keys, bound to a unused host.
420 $SSHADD -q -h host_x -H $OBJ/known_hosts $OBJ/user_[bcde] || fail "add keys"
422 $MULTIHOP_RUN "" a b c d e > $OBJ/ssh_output || fail "multihop ssh failed"
423 diff $OBJ/ssh_output $OBJ/expect_a || fail "unexpected ssh output"
426 verbose "multihop username"
427 $SSHADD -h host_a -h "host_a>${USER}@host_b" -h "host_b>${USER}@host_c" \
428 -h "host_c>${USER}@host_d" -h "host_d>${USER}@host_e" \
429 -H $OBJ/known_hosts -q $OBJ/user_a || fatal "add key user_a multihop"
431 $MULTIHOP_RUN "" a b c d e > $OBJ/ssh_output || fail "multihop w/ user ssh failed"
432 diff $OBJ/ssh_output $OBJ/expect_a || fail "unexpected ssh output"
435 verbose "multihop wildcard username"
436 $SSHADD -h host_a -h "host_a>*@host_b" -h "host_b>*@host_c" \
437 -h "host_c>*@host_d" -h "host_d>*@host_e" \
438 -H $OBJ/known_hosts -q $OBJ/user_a || fatal "add key user_a multihop"
440 $MULTIHOP_RUN "" a b c d e > $OBJ/ssh_output || fail "multihop w/ user ssh failed"
441 diff $OBJ/ssh_output $OBJ/expect_a || fail "unexpected ssh output"
444 verbose "multihop wrong username"
445 $SSHADD -h host_a -h "host_a>*@host_b" -h "host_b>*@host_c" \
446 -h "host_c>--BADUSER@host_d" -h "host_d>*@host_e" \
447 -H $OBJ/known_hosts -q $OBJ/user_a || fatal "add key user_a multihop"
449 $MULTIHOP_RUN "" a b c d e > $OBJ/ssh_output && \
450 fail "multihop with wrong user succeeded unexpectedly"
453 verbose "multihop cycle no agent"
455 prepare_multihop_expected none "a b a a c d e"
456 $MULTIHOP_RUN "" a b a a c d e > $OBJ/ssh_output || \
457 fail "multihop cycle no-agent fail"
458 diff $OBJ/ssh_output $OBJ/expect_a || fail "unexpected ssh output"
460 verbose "multihop cycle agent unrestricted"
462 $SSHADD -q $OBJ/user_[abcde] || fail "add keys"
463 prepare_multihop_expected all "a b a a c d e"
464 $MULTIHOP_RUN "" a b a a c d e > $OBJ/ssh_output || \
465 fail "multihop cycle agent ssh failed"
466 diff $OBJ/ssh_output $OBJ/expect_a || fail "unexpected ssh output"
468 verbose "multihop cycle restricted deny"
470 $SSHADD -q -h host_x -H $OBJ/known_hosts $OBJ/user_[bcde] || fail "add keys"
471 $SSHADD -h host_a -h "host_a>host_b" -h "host_b>host_c" \
472 -h "host_c>host_d" -h "host_d>host_e" \
473 -H $OBJ/known_hosts -q $OBJ/user_a \
474 || fatal "add key user_a multihop"
475 prepare_multihop_expected filtered "a b a a c d e"
477 $MULTIHOP_RUN "" a b a a c d e > $OBJ/ssh_output && \
478 fail "multihop cycle restricted deny succeded unexpectedly"
481 verbose "multihop cycle restricted allow"
483 $SSHADD -q -h host_x -H $OBJ/known_hosts $OBJ/user_[bcde] || fail "add keys"
484 $SSHADD -h host_a -h "host_a>host_b" -h "host_b>host_c" \
485 -h "host_c>host_d" -h "host_d>host_e" \
486 -h "host_b>host_a" -h "host_a>host_a" -h "host_a>host_c" \
487 -H $OBJ/known_hosts -q $OBJ/user_a \
488 || fatal "add key user_a multihop"
489 prepare_multihop_expected filtered "a b a a c d e"
491 $MULTIHOP_RUN "" a b a a c d e > $OBJ/ssh_output || \
492 fail "multihop cycle restricted allow failed"
493 diff $OBJ/ssh_output $OBJ/expect_a || fail "unexpected ssh output"