1 # $OpenBSD: principals-command.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
2 # Placed in the Public Domain.
# Regression test for sshd's AuthorizedPrincipalsCommand option. Start from a
# clean slate: remove CA/user keys left by an earlier run and keep a pristine
# copy of the sshd config, which the test cases later rebuild from
# sshd_proxy_bak.
4 tid="authorized principals command"
6 rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
7 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
# The helper script is installed under /var/run, so the test needs either
# $SUDO or a /var/run that the invoking user can write to; otherwise it
# reports that it is skipped.
# NOTE(review): the lines that close this branch are not visible in this
# listing (source numbering jumps from 11 to 17) - confirm it exits here.
9 if [ -z "$SUDO" -a ! -w /var/run ]; then
10 echo "skipped (SUDO not set)"
11 echo "need SUDO to create file in /var/run, test won't work without"
# Key material for the test: an Ed25519 CA key and an RSA user key, both with
# an empty passphrase (-N ''). The user key is signed by the CA with key ID
# "Joanne User" (-I), serial number $$ (-z, the shell's PID) and two
# principals (-n): ${USER} and "mekmitasdigoat".
17 # Create a CA key and a user certificate.
18 ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
19 fatal "ssh-keygen of user_ca_key failed"
20 ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/cert_user_key || \
21 fatal "ssh-keygen of cert_user_key failed"
22 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \
23 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
24 fatal "couldn't sign cert_user_key"
# Expected values for the helper's argument checks: field 2 of a public key
# or certificate file is its base64 body, and field 2 of `ssh-keygen -l`
# output is the fingerprint.
26 CERT_BODY=`cat $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
27 CA_BODY=`cat $OBJ/user_ca_key.pub | awk '{ print $2 }'`
28 CERT_FP=`${SSHKEYGEN} -lf $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
29 CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'`
# Install the helper that sshd will run as AuthorizedPrincipalsCommand.
# sshd_config(5) requires the program to be owned by root and not writable by
# group or others, which is why it is written through $SUDO, placed in
# /var/run and then set to mode 0755.
#
# The here-document delimiter is unquoted, so ${LOGNAME}, ${SERIAL}, ${CA_FP},
# ${CERT_FP}, ${CERT_BODY}, ${CA_BODY} and $OBJ are expanded now and frozen
# into the generated script, while the escaped \$1..\$9 stay positional
# parameters that are evaluated when the helper runs. The helper exits 1
# unless each of its nine arguments equals the expected value; only then does
# it print $OBJ/authorized_principals_${LOGNAME}, if that file exists.
#
# NOTE(review): SERIAL is not assigned in the visible lines (the certificate
# is signed with -z $$); presumably SERIAL=$$ is set in a line missing from
# this listing - confirm, otherwise the \$5 check compares against "x".
# NOTE(review): $LOGNAME and $OBJ are interpolated unescaped into both the
# `sh -c` string run under $SUDO and the generated script; this assumes a
# trusted test environment in which neither contains quotes or shell
# metacharacters.
# Keep comments out of the here-document body: anything placed there becomes
# part of the generated helper.
31 # Establish a AuthorizedPrincipalsCommand in /var/run where it will have
32 # acceptable directory permissions.
33 PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
34 cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
36 test "x\$1" != "x${LOGNAME}" && exit 1
37 test "x\$2" != "xssh-rsa-cert-v01@openssh.com" && exit 1
38 test "x\$3" != "xssh-ed25519" && exit 1
39 test "x\$4" != "xJoanne User" && exit 1
40 test "x\$5" != "x${SERIAL}" && exit 1
41 test "x\$6" != "x${CA_FP}" && exit 1
42 test "x\$7" != "x${CERT_FP}" && exit 1
43 test "x\$8" != "x${CERT_BODY}" && exit 1
44 test "x\$9" != "x${CA_BODY}" && exit 1
45 test -f "$OBJ/authorized_principals_${LOGNAME}" &&
46 exec cat "$OBJ/authorized_principals_${LOGNAME}"
48 test $? -eq 0 || fatal "couldn't prepare principals command"
49 $SUDO chmod 0755 "$PRINCIPALS_COMMAND"
# Gate on the check-perm helper (run with -m keys-command) accepting the
# installed file; if it does not, print a "skipping" notice and remove the
# helper again so no stray file is left in /var/run.
# NOTE(review): the end of this branch is not visible in this listing
# (source numbering jumps from 54 to 58) - confirm it exits after the cleanup.
51 if ! $OBJ/check-perm -m keys-command $PRINCIPALS_COMMAND ; then
52 echo "skipping: $PRINCIPALS_COMMAND is unsuitable as " \
53 "AuthorizedPrincipalsCommand"
54 $SUDO rm -f $PRINCIPALS_COMMAND
# Run the cases only if the installed helper is executable; the final
# "SKIPPED" message covers the other outcome (e.g. /var/run mounted noexec).
# Every case is run once per value of UsePrivilegeSeparation (yes, no).
# NOTE(review): each ssh call discards stdout/stderr and only the exit status
# is checked, so in the "must be refused" cases a failure for an unrelated
# reason cannot be told apart, from this script alone, from the intended
# denial.
# NOTE(review): several structural lines (if/fi/done, subshell parentheses
# and redirections) are missing from this listing; the comments below
# describe only what the visible lines show.
58 if [ -x $PRINCIPALS_COMMAND ]; then
59 # Test explicitly-specified principals
60 for privsep in yes no ; do
61 _prefix="privsep $privsep"
# sshd config for the command-driven cases: certificates signed by the test
# CA are trusted (TrustedUserCAKeys), authorized_keys lookup is disabled
# (AuthorizedKeysFile none), and the helper runs as ${LOGNAME}. The nine
# tokens are passed in the order the helper checks them: %u user,
# %t certificate type, %T CA key type, %i key ID, %s serial,
# %F CA fingerprint, %f certificate fingerprint, %k base64 certificate,
# %K base64 CA key.
# NOTE(review): where this output is redirected is not visible here;
# presumably $OBJ/sshd_proxy - confirm.
63 # Setup for AuthorizedPrincipalsCommand
64 rm -f $OBJ/authorized_keys_$USER
66 cat $OBJ/sshd_proxy_bak
67 echo "UsePrivilegeSeparation $privsep"
68 echo "AuthorizedKeysFile none"
69 echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
70 "%u %t %T %i %s %F %f %k %K"
71 echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
72 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
# The two XXX items are the denial paths that should fail closed (helper
# absent, helper exiting non-zero); neither is exercised by the cases below.
75 # XXX test missing command
76 # XXX test failing command
# Helper output is a single empty line, so no principal can match: the login
# must be refused.
78 # Empty authorized_principals
79 verbose "$tid: ${_prefix} empty authorized_principals"
80 echo > $OBJ/authorized_principals_$USER
81 ${SSH} -i $OBJ/cert_user_key \
82 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
84 fail "ssh cert connect succeeded unexpectedly"
# Helper returns "gregorsamsa", which was not among the principals the
# certificate was signed with: the login must be refused.
87 # Wrong authorized_principals
88 verbose "$tid: ${_prefix} wrong authorized_principals"
89 echo gregorsamsa > $OBJ/authorized_principals_$USER
90 ${SSH} -i $OBJ/cert_user_key \
91 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
93 fail "ssh cert connect succeeded unexpectedly"
# Helper returns "mekmitasdigoat", one of the certificate's principals: the
# login must succeed.
96 # Correct authorized_principals
97 verbose "$tid: ${_prefix} correct authorized_principals"
98 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
99 ${SSH} -i $OBJ/cert_user_key \
100 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
101 if [ $? -ne 0 ]; then
102 fail "ssh cert connect failed"
# A matching principal preceded by an unrecognised option ("blah"): the line
# must be rejected rather than accepted with the option ignored.
105 # authorized_principals with bad key option
106 verbose "$tid: ${_prefix} authorized_principals bad key opt"
107 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
108 ${SSH} -i $OBJ/cert_user_key \
109 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
110 if [ $? -eq 0 ]; then
111 fail "ssh cert connect succeeded unexpectedly"
# ssh requests `true` but a zero exit status is treated as a failure, which
# is consistent with the forced command="false" from the principals line
# being run instead of the requested command.
114 # authorized_principals with command=false
115 verbose "$tid: ${_prefix} authorized_principals command=false"
116 echo 'command="false" mekmitasdigoat' > \
117 $OBJ/authorized_principals_$USER
118 ${SSH} -i $OBJ/cert_user_key \
119 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
120 if [ $? -eq 0 ]; then
121 fail "ssh cert connect succeeded unexpectedly"
# Mirror case: ssh requests `false` but a zero exit status is required, so
# the forced command="true" must have replaced the requested command.
124 # authorized_principals with command=true
125 verbose "$tid: ${_prefix} authorized_principals command=true"
126 echo 'command="true" mekmitasdigoat' > \
127 $OBJ/authorized_principals_$USER
128 ${SSH} -i $OBJ/cert_user_key \
129 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
130 if [ $? -ne 0 ]; then
131 fail "ssh cert connect failed"
# Second half: the visible config lines no longer set
# AuthorizedPrincipalsCommand; principals are restricted instead by the
# principals= option on a cert-authority line in authorized_keys_$USER.
134 # Setup for principals= key option
135 rm -f $OBJ/authorized_principals_$USER
137 cat $OBJ/sshd_proxy_bak
138 echo "UsePrivilegeSeparation $privsep"
# principals="gregorsamsa" does not match any principal in the certificate:
# the login must be refused.
141 # Wrong principals list
142 verbose "$tid: ${_prefix} wrong principals key option"
144 printf 'cert-authority,principals="gregorsamsa" '
145 cat $OBJ/user_ca_key.pub
146 ) > $OBJ/authorized_keys_$USER
147 ${SSH} -i $OBJ/cert_user_key \
148 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
149 if [ $? -eq 0 ]; then
150 fail "ssh cert connect succeeded unexpectedly"
# principals="mekmitasdigoat" matches a principal in the certificate: the
# login must succeed.
153 # Correct principals list
154 verbose "$tid: ${_prefix} correct principals key option"
156 printf 'cert-authority,principals="mekmitasdigoat" '
157 cat $OBJ/user_ca_key.pub
158 ) > $OBJ/authorized_keys_$USER
159 ${SSH} -i $OBJ/cert_user_key \
160 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
161 if [ $? -ne 0 ]; then
162 fail "ssh cert connect failed"
# Reported when the helper was installed but is not executable, in which case
# none of the cases above are run.
166 echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
167 "(/var/run mounted noexec?)"