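#       $OpenBSD: principals-command.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
#       Placed in the Public Domain.

# Regression test for sshd's AuthorizedPrincipalsCommand and for the
# principals= option on cert-authority lines in authorized_keys.
# $OBJ, $SUDO and the fatal/fail/verbose helpers are not defined in this file;
# presumably the regress harness that runs it provides them -- confirm there.
tid="authorized principals command"

# Start from a clean slate: drop key material left by an earlier run and keep
# a pristine copy of the sshd config that every test case below extends.
rm -f "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# The helper script is installed under /var/run, so the test needs either a
# writable /var/run or a privilege-escalation command in $SUDO.  Skip (exit 0)
# instead of failing when neither is available.
# Two separate tests replace "-a", which POSIX marks obsolescent and which can
# be parsed ambiguously depending on the operands.
if [ -z "$SUDO" ] && [ ! -w /var/run ]; then
        echo "skipped (SUDO not set)"
        echo "need SUDO to create file in /var/run, test won't work without"
        exit 0
fi

# Certificate serial number.  Using the shell's PID makes it differ between
# runs, so the helper's serial check cannot pass on a stale certificate.
SERIAL=$$
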
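# Create a CA key (ed25519) and a user key (RSA), then sign the user key with
# the CA.  The certificate carries key ID "Joanne User", serial $SERIAL and two
# principals: the current user and "mekmitasdigoat".
# ${SSHKEYGEN} stays unquoted as a command word; presumably the harness may set
# it to a command plus arguments -- confirm before quoting it.
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_ca_key" || \
        fatal "ssh-keygen of user_ca_key failed"
${SSHKEYGEN} -q -N '' -t rsa -f "$OBJ/cert_user_key" || \
        fatal "ssh-keygen of cert_user_key failed"
# -z takes $SERIAL (set to $$ earlier in this file) so the value signed into
# the certificate is visibly the same one the helper script later checks.
${SSHKEYGEN} -q -s "$OBJ/user_ca_key" -I "Joanne User" \
    -z "$SERIAL" -n "${USER},mekmitasdigoat" "$OBJ/cert_user_key" || \
        fatal "couldn't sign cert_user_key"

# Expected values for the helper's argument checks.  Field 2 of a .pub file is
# the base64 key blob; field 2 of "ssh-keygen -l" output is the fingerprint.
# awk reads the files directly instead of going through cat.
CERT_BODY=$(awk '{ print $2 }' "$OBJ/cert_user_key-cert.pub")
CA_BODY=$(awk '{ print $2 }' "$OBJ/user_ca_key.pub")
CERT_FP=$(${SSHKEYGEN} -lf "$OBJ/cert_user_key-cert.pub" | awk '{ print $2 }')
CA_FP=$(${SSHKEYGEN} -lf "$OBJ/user_ca_key.pub" | awk '{ print $2 }')
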
# Install the AuthorizedPrincipalsCommand helper in /var/run, where it will
# have acceptable directory permissions.  sshd refuses to run such a command
# unless it is owned by root and not writable by group or others, which is why
# the file is written through $SUDO rather than into $OBJ.
#
# The here-document delimiter is unquoted on purpose: ${LOGNAME}, ${SERIAL},
# the fingerprints, the key bodies and $OBJ are expanded now and baked into the
# generated script, while the escaped \$1..\$9 stay literal and are compared at
# run time against the arguments sshd passes.  The generated script exits 1 on
# the first mismatch; otherwise it prints the authorized_principals file, or
# exits non-zero when that file does not exist.
#
# NOTE(review): the target path is embedded in single quotes inside sh -c, so
# this assumes LOGNAME contains no quote characters -- fine for a test account,
# worth confirming if the harness is run under unusual user names.
# NOTE(review): the helper reads authorized_principals_${LOGNAME} while the
# test cases write authorized_principals_$USER; presumably the two always
# agree under the harness -- confirm.
PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
$SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" << _EOF
#!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1
test "x\$2" != "xssh-rsa-cert-v01@openssh.com" && exit 1
test "x\$3" != "xssh-ed25519" && exit 1
test "x\$4" != "xJoanne User" && exit 1
test "x\$5" != "x${SERIAL}" && exit 1
test "x\$6" != "x${CA_FP}" && exit 1
test "x\$7" != "x${CERT_FP}" && exit 1
test "x\$8" != "x${CERT_BODY}" && exit 1
test "x\$9" != "x${CA_BODY}" && exit 1
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
        exec cat "$OBJ/authorized_principals_${LOGNAME}"
_EOF
# $? is the status of the "$SUDO sh -c" that wrote the file.
test $? -eq 0 || fatal "couldn't prepare principals command"
# World-readable and executable, writable by the owner only.
$SUDO chmod 0755 "$PRINCIPALS_COMMAND"

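# Ask the check-perm helper whether the installed file is acceptable as a
# key/principals command.  Presumably it applies the same ownership and mode
# checks as sshd -- confirm against its source.  If it is not acceptable the
# helper file is removed again and the test is skipped, not failed.
# Path expansions are quoted so they reach each command as a single argument.
if ! "$OBJ/check-perm" -m keys-command "$PRINCIPALS_COMMAND" ; then
        echo "skipping: $PRINCIPALS_COMMAND is unsuitable as " \
            "AuthorizedPrincipalsCommand"
        $SUDO rm -f "$PRINCIPALS_COMMAND"
        exit 0
fi
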
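# Main test body.  Runs only when the helper is executable; /var/run may be
# mounted noexec, in which case the whole test is reported as skipped.
#
# Every case logs in with the certificate and discards ssh's output, so only
# the exit status is judged.  A negative case therefore passes on ANY failure,
# including one unrelated to principals (e.g. a broken sshd config); the
# positive case run against the same configuration is what shows the setup
# itself works.  The exit status is tested directly in the "if" instead of
# through a separate "$?" check, so no command can slip in between.
# ${SSH} stays unquoted as a command word; presumably the harness may set it
# to a command plus arguments -- confirm before quoting it.
if [ -x "$PRINCIPALS_COMMAND" ]; then
        # Test explicitly-specified principals
        for privsep in yes no ; do
                _prefix="privsep $privsep"

                # Setup for AuthorizedPrincipalsCommand: no authorized_keys at
                # all, so the only way in is a CA-signed certificate whose
                # principals the helper accepts.  The nine tokens are the
                # arguments the helper compares as $1..$9: user, cert type,
                # CA key type, key ID, serial, CA fingerprint, cert
                # fingerprint, cert body, CA key body.
                # NOTE(review): UsePrivilegeSeparation is deprecated in newer
                # sshd releases -- confirm it still has an effect in the sshd
                # under test.
                rm -f "$OBJ/authorized_keys_$USER"
                (
                        cat "$OBJ/sshd_proxy_bak"
                        echo "UsePrivilegeSeparation $privsep"
                        echo "AuthorizedKeysFile none"
                        echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
                            "%u %t %T %i %s %F %f %k %K"
                        echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
                        echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
                ) > "$OBJ/sshd_proxy"

                # XXX test missing command
                # XXX test failing command
                # (both are fail-closed paths that this file does not cover)

                # Empty authorized_principals: the helper outputs no
                # principal, so the login must be refused.
                verbose "$tid: ${_prefix} empty authorized_principals"
                echo > "$OBJ/authorized_principals_$USER"
                if ${SSH} -i "$OBJ/cert_user_key" \
                    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
                        fail "ssh cert connect succeeded unexpectedly"
                fi

                # Wrong authorized_principals: the listed principal is not in
                # the certificate, so the login must be refused.
                verbose "$tid: ${_prefix} wrong authorized_principals"
                echo gregorsamsa > "$OBJ/authorized_principals_$USER"
                if ${SSH} -i "$OBJ/cert_user_key" \
                    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
                        fail "ssh cert connect succeeded unexpectedly"
                fi

                # Correct authorized_principals: the listed principal matches
                # one in the certificate, so the login must succeed.
                verbose "$tid: ${_prefix} correct authorized_principals"
                echo mekmitasdigoat > "$OBJ/authorized_principals_$USER"
                if ! ${SSH} -i "$OBJ/cert_user_key" \
                    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
                        fail "ssh cert connect failed"
                fi

                # authorized_principals with bad key option: "blah" is not a
                # valid option, and the line must be rejected rather than
                # matched on the principal that follows it.
                verbose "$tid: ${_prefix} authorized_principals bad key opt"
                echo 'blah mekmitasdigoat' > "$OBJ/authorized_principals_$USER"
                if ${SSH} -i "$OBJ/cert_user_key" \
                    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
                        fail "ssh cert connect succeeded unexpectedly"
                fi

                # authorized_principals with command=false: the client asks
                # for "true", so a non-zero exit shows the forced command from
                # the principals line ran instead.
                verbose "$tid: ${_prefix} authorized_principals command=false"
                echo 'command="false" mekmitasdigoat' > \
                    "$OBJ/authorized_principals_$USER"
                if ${SSH} -i "$OBJ/cert_user_key" \
                    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
                        fail "ssh cert connect succeeded unexpectedly"
                fi

                # authorized_principals with command=true: the client asks
                # for "false", so a zero exit shows the forced command
                # replaced the client's request.
                verbose "$tid: ${_prefix} authorized_principals command=true"
                echo 'command="true" mekmitasdigoat' > \
                    "$OBJ/authorized_principals_$USER"
                if ! ${SSH} -i "$OBJ/cert_user_key" \
                    -F "$OBJ/ssh_proxy" somehost false >/dev/null 2>&1; then
                        fail "ssh cert connect failed"
                fi

                # Setup for principals= key option: back to the base config
                # (no AuthorizedPrincipalsCommand, no TrustedUserCAKeys); the
                # CA is trusted through a cert-authority line in the user's
                # authorized_keys, restricted by principals="...".
                rm -f "$OBJ/authorized_principals_$USER"
                (
                        cat "$OBJ/sshd_proxy_bak"
                        echo "UsePrivilegeSeparation $privsep"
                ) > "$OBJ/sshd_proxy"

                # Wrong principals list: must be refused.
                verbose "$tid: ${_prefix} wrong principals key option"
                (
                        printf 'cert-authority,principals="gregorsamsa" '
                        cat "$OBJ/user_ca_key.pub"
                ) > "$OBJ/authorized_keys_$USER"
                if ${SSH} -i "$OBJ/cert_user_key" \
                    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
                        fail "ssh cert connect succeeded unexpectedly"
                fi

                # Correct principals list: must be accepted.
                verbose "$tid: ${_prefix} correct principals key option"
                (
                        printf 'cert-authority,principals="mekmitasdigoat" '
                        cat "$OBJ/user_ca_key.pub"
                ) > "$OBJ/authorized_keys_$USER"
                if ! ${SSH} -i "$OBJ/cert_user_key" \
                    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
                        fail "ssh cert connect failed"
                fi
        done
else
        echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
            "(/var/run mounted noexec?)"
fi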