1 # $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $
2 # Placed in the Public Domain.
4 tid="authorized principals command"
6 rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
7 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
9 if test -z "$SUDO" ; then
10 echo "skipped (SUDO not set)"
11 echo "need SUDO to create file in /var/run, test won't work without"
15 # Establish a AuthorizedPrincipalsCommand in /var/run where it will have
16 # acceptable directory permissions.
17 PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
18 cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
20 test "x\$1" != "x${LOGNAME}" && exit 1
21 test -f "$OBJ/authorized_principals_${LOGNAME}" &&
22 exec cat "$OBJ/authorized_principals_${LOGNAME}"
24 test $? -eq 0 || fatal "couldn't prepare principals command"
25 $SUDO chmod 0755 "$PRINCIPALS_CMD"
27 if ! $OBJ/check-perm -m keys-command $PRINCIPALS_CMD ; then
28 echo "skipping: $PRINCIPALS_CMD is unsuitable as " \
29 "AuthorizedPrincipalsCommand"
30 $SUDO rm -f $PRINCIPALS_CMD
34 # Create a CA key and a user certificate.
35 ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
36 fatal "ssh-keygen of user_ca_key failed"
37 ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \
38 fatal "ssh-keygen of cert_user_key failed"
39 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
40 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
41 fatal "couldn't sign cert_user_key"
43 if [ -x $PRINCIPALS_CMD ]; then
44 # Test explicitly-specified principals
45 for privsep in yes no ; do
46 _prefix="privsep $privsep"
48 # Setup for AuthorizedPrincipalsCommand
49 rm -f $OBJ/authorized_keys_$USER
51 cat $OBJ/sshd_proxy_bak
52 echo "UsePrivilegeSeparation $privsep"
53 echo "AuthorizedKeysFile none"
54 echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
55 echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
56 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
59 # XXX test missing command
60 # XXX test failing command
62 # Empty authorized_principals
63 verbose "$tid: ${_prefix} empty authorized_principals"
64 echo > $OBJ/authorized_principals_$USER
65 ${SSH} -2i $OBJ/cert_user_key \
66 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
68 fail "ssh cert connect succeeded unexpectedly"
71 # Wrong authorized_principals
72 verbose "$tid: ${_prefix} wrong authorized_principals"
73 echo gregorsamsa > $OBJ/authorized_principals_$USER
74 ${SSH} -2i $OBJ/cert_user_key \
75 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
77 fail "ssh cert connect succeeded unexpectedly"
80 # Correct authorized_principals
81 verbose "$tid: ${_prefix} correct authorized_principals"
82 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
83 ${SSH} -2i $OBJ/cert_user_key \
84 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
86 fail "ssh cert connect failed"
89 # authorized_principals with bad key option
90 verbose "$tid: ${_prefix} authorized_principals bad key opt"
91 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
92 ${SSH} -2i $OBJ/cert_user_key \
93 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
95 fail "ssh cert connect succeeded unexpectedly"
98 # authorized_principals with command=false
99 verbose "$tid: ${_prefix} authorized_principals command=false"
100 echo 'command="false" mekmitasdigoat' > \
101 $OBJ/authorized_principals_$USER
102 ${SSH} -2i $OBJ/cert_user_key \
103 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
104 if [ $? -eq 0 ]; then
105 fail "ssh cert connect succeeded unexpectedly"
108 # authorized_principals with command=true
109 verbose "$tid: ${_prefix} authorized_principals command=true"
110 echo 'command="true" mekmitasdigoat' > \
111 $OBJ/authorized_principals_$USER
112 ${SSH} -2i $OBJ/cert_user_key \
113 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
114 if [ $? -ne 0 ]; then
115 fail "ssh cert connect failed"
118 # Setup for principals= key option
119 rm -f $OBJ/authorized_principals_$USER
121 cat $OBJ/sshd_proxy_bak
122 echo "UsePrivilegeSeparation $privsep"
125 # Wrong principals list
126 verbose "$tid: ${_prefix} wrong principals key option"
128 printf 'cert-authority,principals="gregorsamsa" '
129 cat $OBJ/user_ca_key.pub
130 ) > $OBJ/authorized_keys_$USER
131 ${SSH} -2i $OBJ/cert_user_key \
132 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
133 if [ $? -eq 0 ]; then
134 fail "ssh cert connect succeeded unexpectedly"
137 # Correct principals list
138 verbose "$tid: ${_prefix} correct principals key option"
140 printf 'cert-authority,principals="mekmitasdigoat" '
141 cat $OBJ/user_ca_key.pub
142 ) > $OBJ/authorized_keys_$USER
143 ${SSH} -2i $OBJ/cert_user_key \
144 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
145 if [ $? -ne 0 ]; then
146 fail "ssh cert connect failed"
150 echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
151 "(/var/run mounted noexec?)"