1 # $OpenBSD: cert-userkey.sh,v 1.19 2018/03/12 00:54:04 djm Exp $
2 # Placed in the Public Domain.
4 tid="certified user keys"
6 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
7 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8 cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
10 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
13 if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
14 PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
19 rsa-sha2-*) n="$ktype" ;;
20 # subshell because some seds will add a newline
21 *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;;
23 echo "$n*,ssh-rsa*,ssh-ed25519*"
27 ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
28 fail "ssh-keygen of user_ca_key failed"
30 # Generate and sign user keys
31 for ktype in $PLAIN_TYPES $EXTRA_TYPES ; do
32 verbose "$tid: sign user ${ktype} cert"
33 ${SSHKEYGEN} -q -N '' -t ${ktype} \
34 -f $OBJ/cert_user_key_${ktype} || \
35 fatal "ssh-keygen of cert_user_key_${ktype} failed"
36 # Generate RSA/SHA2 certs for rsa-sha2* keys.
38 rsa-sha2-*) tflag="-t $ktype" ;;
41 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -z $$ \
42 -I "regress user key for $USER" \
43 -n ${USER},mekmitasdigoat $tflag $OBJ/cert_user_key_${ktype} || \
44 fatal "couldn't sign cert_user_key_${ktype}"
47 # Test explicitly-specified principals
48 for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
50 for privsep in yes no ; do
51 _prefix="${ktype} privsep $privsep"
53 # Setup for AuthorizedPrincipalsFile
54 rm -f $OBJ/authorized_keys_$USER
56 cat $OBJ/sshd_proxy_bak
57 echo "UsePrivilegeSeparation $privsep"
58 echo "AuthorizedPrincipalsFile " \
59 "$OBJ/authorized_principals_%u"
60 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
61 echo "PubkeyAcceptedKeyTypes ${t}"
64 cat $OBJ/ssh_proxy_bak
65 echo "PubkeyAcceptedKeyTypes ${t}"
68 # Missing authorized_principals
69 verbose "$tid: ${_prefix} missing authorized_principals"
70 rm -f $OBJ/authorized_principals_$USER
71 ${SSH} -i $OBJ/cert_user_key_${ktype} \
72 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
74 fail "ssh cert connect succeeded unexpectedly"
77 # Empty authorized_principals
78 verbose "$tid: ${_prefix} empty authorized_principals"
79 echo > $OBJ/authorized_principals_$USER
80 ${SSH} -i $OBJ/cert_user_key_${ktype} \
81 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
83 fail "ssh cert connect succeeded unexpectedly"
86 # Wrong authorized_principals
87 verbose "$tid: ${_prefix} wrong authorized_principals"
88 echo gregorsamsa > $OBJ/authorized_principals_$USER
89 ${SSH} -i $OBJ/cert_user_key_${ktype} \
90 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
92 fail "ssh cert connect succeeded unexpectedly"
95 # Correct authorized_principals
96 verbose "$tid: ${_prefix} correct authorized_principals"
97 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
98 ${SSH} -i $OBJ/cert_user_key_${ktype} \
99 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
100 if [ $? -ne 0 ]; then
101 fail "ssh cert connect failed"
104 # authorized_principals with bad key option
105 verbose "$tid: ${_prefix} authorized_principals bad key opt"
106 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
107 ${SSH} -i $OBJ/cert_user_key_${ktype} \
108 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
109 if [ $? -eq 0 ]; then
110 fail "ssh cert connect succeeded unexpectedly"
113 # authorized_principals with command=false
114 verbose "$tid: ${_prefix} authorized_principals command=false"
115 echo 'command="false" mekmitasdigoat' > \
116 $OBJ/authorized_principals_$USER
117 ${SSH} -i $OBJ/cert_user_key_${ktype} \
118 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
119 if [ $? -eq 0 ]; then
120 fail "ssh cert connect succeeded unexpectedly"
124 # authorized_principals with command=true
125 verbose "$tid: ${_prefix} authorized_principals command=true"
126 echo 'command="true" mekmitasdigoat' > \
127 $OBJ/authorized_principals_$USER
128 ${SSH} -i $OBJ/cert_user_key_${ktype} \
129 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
130 if [ $? -ne 0 ]; then
131 fail "ssh cert connect failed"
134 # Setup for principals= key option
135 rm -f $OBJ/authorized_principals_$USER
137 cat $OBJ/sshd_proxy_bak
138 echo "UsePrivilegeSeparation $privsep"
139 echo "PubkeyAcceptedKeyTypes ${t}"
142 cat $OBJ/ssh_proxy_bak
143 echo "PubkeyAcceptedKeyTypes ${t}"
146 # Wrong principals list
147 verbose "$tid: ${_prefix} wrong principals key option"
149 printf 'cert-authority,principals="gregorsamsa" '
150 cat $OBJ/user_ca_key.pub
151 ) > $OBJ/authorized_keys_$USER
152 ${SSH} -i $OBJ/cert_user_key_${ktype} \
153 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
154 if [ $? -eq 0 ]; then
155 fail "ssh cert connect succeeded unexpectedly"
158 # Correct principals list
159 verbose "$tid: ${_prefix} correct principals key option"
161 printf 'cert-authority,principals="mekmitasdigoat" '
162 cat $OBJ/user_ca_key.pub
163 ) > $OBJ/authorized_keys_$USER
164 ${SSH} -i $OBJ/cert_user_key_${ktype} \
165 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
166 if [ $? -ne 0 ]; then
167 fail "ssh cert connect failed"
174 if test "x$auth" = "xauthorized_keys" ; then
175 # Add CA to authorized_keys
177 printf 'cert-authority '
178 cat $OBJ/user_ca_key.pub
179 ) > $OBJ/authorized_keys_$USER
181 echo > $OBJ/authorized_keys_$USER
182 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
185 for ktype in $PLAIN_TYPES ; do
187 for privsep in yes no ; do
188 _prefix="${ktype} privsep $privsep $auth"
190 verbose "$tid: ${_prefix} connect"
192 cat $OBJ/sshd_proxy_bak
193 echo "UsePrivilegeSeparation $privsep"
194 echo "PubkeyAcceptedKeyTypes ${t}"
198 cat $OBJ/ssh_proxy_bak
199 echo "PubkeyAcceptedKeyTypes ${t}"
202 ${SSH} -i $OBJ/cert_user_key_${ktype} \
203 -F $OBJ/ssh_proxy somehost true
204 if [ $? -ne 0 ]; then
205 fail "ssh cert connect failed"
209 verbose "$tid: ${_prefix} revoked key"
211 cat $OBJ/sshd_proxy_bak
212 echo "UsePrivilegeSeparation $privsep"
213 echo "RevokedKeys $OBJ/cert_user_key_revoked"
214 echo "PubkeyAcceptedKeyTypes ${t}"
217 cp $OBJ/cert_user_key_${ktype}.pub \
218 $OBJ/cert_user_key_revoked
219 ${SSH} -i $OBJ/cert_user_key_${ktype} \
220 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
221 if [ $? -eq 0 ]; then
222 fail "ssh cert connect succeeded unexpecedly"
224 verbose "$tid: ${_prefix} revoked via KRL"
225 rm $OBJ/cert_user_key_revoked
226 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
227 $OBJ/cert_user_key_${ktype}.pub
228 ${SSH} -i $OBJ/cert_user_key_${ktype} \
229 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
230 if [ $? -eq 0 ]; then
231 fail "ssh cert connect succeeded unexpecedly"
233 verbose "$tid: ${_prefix} empty KRL"
234 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
235 ${SSH} -i $OBJ/cert_user_key_${ktype} \
236 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
237 if [ $? -ne 0 ]; then
238 fail "ssh cert connect failed"
243 verbose "$tid: ${ktype} $auth revoked CA key"
245 cat $OBJ/sshd_proxy_bak
246 echo "RevokedKeys $OBJ/user_ca_key.pub"
247 echo "PubkeyAcceptedKeyTypes ${t}"
250 ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
251 somehost true >/dev/null 2>&1
252 if [ $? -eq 0 ]; then
253 fail "ssh cert connect succeeded unexpecedly"
257 verbose "$tid: $auth CA does not authenticate"
259 cat $OBJ/sshd_proxy_bak
260 echo "PubkeyAcceptedKeyTypes ${t}"
263 verbose "$tid: ensure CA key does not authenticate user"
264 ${SSH} -i $OBJ/user_ca_key \
265 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
266 if [ $? -eq 0 ]; then
267 fail "ssh cert connect with CA key succeeded unexpectedly"
271 basic_tests authorized_keys
272 basic_tests TrustedUserCAKeys
281 if test "x$auth_choice" = "x" ; then
282 auth_choice="authorized_keys TrustedUserCAKeys"
285 for auth in $auth_choice ; do
286 for ktype in rsa ed25519 ; do
287 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
288 if test "x$auth" = "xauthorized_keys" ; then
289 # Add CA to authorized_keys
291 printf "cert-authority${auth_opt} "
292 cat $OBJ/user_ca_key.pub
293 ) > $OBJ/authorized_keys_$USER
295 echo > $OBJ/authorized_keys_$USER
296 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
298 echo "PubkeyAcceptedKeyTypes ${t}*" \
300 if test "x$auth_opt" != "x" ; then
301 echo $auth_opt >> $OBJ/sshd_proxy
305 verbose "$tid: $ident auth $auth expect $result $ktype"
306 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
307 -I "regress user key for $USER" \
308 $sign_opts $OBJ/cert_user_key_${ktype} ||
309 fail "couldn't sign cert_user_key_${ktype}"
311 ${SSH} -i $OBJ/cert_user_key_${ktype} \
312 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
314 if [ "x$result" = "xsuccess" ] ; then
315 if [ $rc -ne 0 ]; then
316 fail "$ident failed unexpectedly"
319 if [ $rc -eq 0 ]; then
320 fail "$ident succeeded unexpectedly"
327 test_one "correct principal" success "-n ${USER}"
328 test_one "host-certificate" failure "-n ${USER} -h"
329 test_one "wrong principals" failure "-n foo"
330 test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
331 test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
332 test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
333 test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
334 test_one "force-command" failure "-n ${USER} -Oforce-command=false"
336 # Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
337 test_one "empty principals" success "" authorized_keys
338 test_one "empty principals" failure "" TrustedUserCAKeys
340 # Check explicitly-specified principals: an empty principals list in the cert
341 # should always be refused.
343 # AuthorizedPrincipalsFile
344 rm -f $OBJ/authorized_keys_$USER
345 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
346 test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
347 TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
348 test_one "AuthorizedPrincipalsFile no principals" failure "" \
349 TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
351 # principals= key option
352 rm -f $OBJ/authorized_principals_$USER
353 test_one "principals key option principals" success "-n mekmitasdigoat" \
354 authorized_keys ',principals="mekmitasdigoat"'
355 test_one "principals key option no principals" failure "" \
356 authorized_keys ',principals="mekmitasdigoat"'
358 # command= options vs. force-command in key
359 test_one "force-command match true" success \
360 "-n ${USER} -Oforce-command=true" \
361 authorized_keys ',command="true"'
362 test_one "force-command match true" failure \
363 "-n ${USER} -Oforce-command=false" \
364 authorized_keys ',command="false"'
365 test_one "force-command mismatch 1" failure \
366 "-n ${USER} -Oforce-command=false" \
367 authorized_keys ',command="true"'
368 test_one "force-command mismatch 2" failure \
369 "-n ${USER} -Oforce-command=true" \
370 authorized_keys ',command="false"'
373 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
374 for ktype in $PLAIN_TYPES ; do
377 ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
378 "regress user key for $USER" \
379 -n $USER $OBJ/cert_user_key_${ktype} ||
380 fatal "couldn't sign cert_user_key_${ktype}"
381 verbose "$tid: user ${ktype} connect wrong cert"
382 ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
383 somehost true >/dev/null 2>&1
384 if [ $? -eq 0 ]; then
385 fail "ssh cert connect $ident succeeded unexpectedly"
389 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
390 rm -f $OBJ/authorized_principals_$USER