1 # $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $
2 # Placed in the Public Domain.
# Regression test for certificate logins whose principals are checked first
# through the sshd AuthorizedPrincipalsCommand option and then through the
# principals= key option in authorized_keys.
# NOTE(review): each line of this listing starts with the line number of the
# original file and some numbers are skipped (12-14 after the two messages
# below), so the lines that end this "if" are presumably among the missing ones.
4 tid="authorized principals command"
# Remove CA and user key files from any earlier run before new ones are
# generated further down.
6 rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
# Keep an unmodified copy of the sshd config; the copy is read back (cat)
# inside the test loop when the per-phase configuration is assembled.
7 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
# The helper command is written into /var/run through $SUDO, so without $SUDO
# the test reports itself as skipped.
9 if test -z "$SUDO" ; then
10 echo "skipped (SUDO not set)"
11 echo "need SUDO to create file in /var/run, test won't work without"
15 # Establish a AuthorizedPrincipalsCommand in /var/run where it will have
16 # acceptable directory permissions.
# NOTE(review): sshd_config(5) requires the command to be owned by root, not
# writable by group or others, and given as an absolute path; that is
# presumably why it is created through $SUDO outside $OBJ and set to 0755.
17 PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
# The here-document delimiter is unquoted: $OBJ and ${LOGNAME} are expanded
# now and written into the helper as fixed strings, while the escaped \$1
# stays a runtime parameter of the helper. The helper exits 1 unless its first
# argument equals the login name, and otherwise prints the per-user
# authorized_principals file when that file exists.
# NOTE(review): the target path sits in single quotes inside the command
# string passed to "$SUDO sh -c"; a LOGNAME value containing a single quote
# would end that quoting inside the privileged shell. LOGNAME is treated as
# trusted by this test; the pattern should not be reused with untrusted values.
# NOTE(review): original lines 19 and 23 are absent from this listing,
# presumably the interpreter line of the helper and the closing _EOF.
18 cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
20 test "x\$1" != "x${LOGNAME}" && exit 1
21 test -f "$OBJ/authorized_principals_${LOGNAME}" &&
22 exec cat "$OBJ/authorized_principals_${LOGNAME}"
24 test $? -eq 0 || fatal "couldn't prepare principals command"
# The status tested above is that of the last pipeline stage (the $SUDO write).
# 0755 leaves the helper readable and executable by everyone and writable only
# by its owner (root, assuming $SUDO escalates to root).
25 $SUDO chmod 0755 "$PRINCIPALS_COMMAND"
27 # Create a CA key and a user certificate.
# Both ed25519 keys are created with an empty passphrase (-N '') so the test
# runs unattended; they are test-only keys written under $OBJ.
28 ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
29 fatal "ssh-keygen of user_ca_key failed"
30 ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \
31 fatal "ssh-keygen of cert_user_key failed"
# Sign the user key with the CA (-s): -I sets the key identity, -z the serial
# number (the PID of this shell) and -n the principals the certificate is
# valid for, here the login name plus "mekmitasdigoat".
# NOTE(review): this uses $USER while the helper path and check use
# ${LOGNAME}; assumes both name the same account - TODO confirm.
32 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
33 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
34 fatal "couldn't sign cert_user_key"
36 # Test explicitly-specified principals
# Every case below runs twice, once per UsePrivilegeSeparation setting.
37 for privsep in yes no ; do
38 _prefix="privsep $privsep"
40 # Setup for AuthorizedPrincipalsCommand
# Remove the per-user authorized_keys file for this phase.
41 rm -f $OBJ/authorized_keys_$USER
# NOTE(review): the redirection that receives the output of the next six
# commands is not visible here (original lines 42 and 49 are missing);
# presumably a grouped redirect into the sshd config used by the proxy - confirm.
43 cat $OBJ/sshd_proxy_bak
44 echo "UsePrivilegeSeparation $privsep"
# "none" turns off the authorized_keys file lookup, so a successful login in
# this phase has to come from the CA plus the principals command.
45 echo "AuthorizedKeysFile none"
# sshd replaces %u with the name of the user being authenticated; the helper
# compares that argument with the login name.
46 echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
# Account under which sshd runs the helper.
47 echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
# Certificates signed by this CA are accepted, subject to the principals check.
48 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
# Coverage gap: a missing command and a command that exits non-zero are not
# exercised, so the refusal of the login in those two situations is unverified.
51 # XXX test missing command
52 # XXX test failing command
# Each case writes the per-user principals file that the helper prints, then
# attempts a certificate login; ssh output is discarded and only the exit
# status decides the result.
# NOTE(review): for most cases the "if" line testing $? and its closing line
# are missing from this listing (e.g. original lines 59 and 61); the expected
# outcome is read from the fail message of each case.
54 # Empty authorized_principals
# The helper prints a single blank line, so no principal is authorized and the
# login has to be refused.
55 verbose "$tid: ${_prefix} empty authorized_principals"
56 echo > $OBJ/authorized_principals_$USER
57 ${SSH} -2i $OBJ/cert_user_key \
58 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
60 fail "ssh cert connect succeeded unexpectedly"
63 # Wrong authorized_principals
# "gregorsamsa" is not a principal of the certificate; the certificate does
# name the login user, yet the login has to be refused because the command
# output is the list that counts.
64 verbose "$tid: ${_prefix} wrong authorized_principals"
65 echo gregorsamsa > $OBJ/authorized_principals_$USER
66 ${SSH} -2i $OBJ/cert_user_key \
67 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
69 fail "ssh cert connect succeeded unexpectedly"
72 # Correct authorized_principals
# The listed principal is one of the two in the certificate: login must succeed.
73 verbose "$tid: ${_prefix} correct authorized_principals"
74 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
75 ${SSH} -2i $OBJ/cert_user_key \
76 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
78 fail "ssh cert connect failed"
81 # authorized_principals with bad key option
# "blah" is placed where key options go; the expected result is a refused
# login even though the principal after it is valid.
82 verbose "$tid: ${_prefix} authorized_principals bad key opt"
83 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
84 ${SSH} -2i $OBJ/cert_user_key \
85 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
87 fail "ssh cert connect succeeded unexpectedly"
90 # authorized_principals with command=false
# The client asks for "true" but the principals line forces "false", so a
# zero exit status would mean the forced command was not applied.
# NOTE(review): a non-zero status here does not distinguish a refused login
# from a forced command that ran - confirm whether that matters.
91 verbose "$tid: ${_prefix} authorized_principals command=false"
92 echo 'command="false" mekmitasdigoat' > \
93 $OBJ/authorized_principals_$USER
94 ${SSH} -2i $OBJ/cert_user_key \
95 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
97 fail "ssh cert connect succeeded unexpectedly"
101 # authorized_principals with command=true
# Mirror case: the client asks for "false" and the forced "true" has to run
# instead, giving exit status 0.
102 verbose "$tid: ${_prefix} authorized_principals command=true"
103 echo 'command="true" mekmitasdigoat' > \
104 $OBJ/authorized_principals_$USER
105 ${SSH} -2i $OBJ/cert_user_key \
106 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
107 if [ $? -ne 0 ]; then
108 fail "ssh cert connect failed"
111 # Setup for principals= key option
# Second phase: the CA is trusted through a cert-authority line in
# authorized_keys. The principals file read by the helper is removed first.
112 rm -f $OBJ/authorized_principals_$USER
# As far as this listing shows, the config is the backup plus the privsep
# setting only, without the AuthorizedPrincipalsCommand and TrustedUserCAKeys
# lines of the first phase.
# NOTE(review): the grouping and redirect around these two commands are not
# visible (original lines 113 and 116 missing) - confirm the target file.
114 cat $OBJ/sshd_proxy_bak
115 echo "UsePrivilegeSeparation $privsep"
118 # Wrong principals list
# printf writes the options without a newline so that the CA public key
# follows on the same line. The certificate lists the login user and
# "mekmitasdigoat" but not "gregorsamsa", so the login has to be refused.
# NOTE(review): the opening parenthesis of this group (original line 120) is
# missing from the listing.
119 verbose "$tid: ${_prefix} wrong principals key option"
121 printf 'cert-authority,principals="gregorsamsa" '
122 cat $OBJ/user_ca_key.pub
123 ) > $OBJ/authorized_keys_$USER
124 ${SSH} -2i $OBJ/cert_user_key \
125 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
126 if [ $? -eq 0 ]; then
127 fail "ssh cert connect succeeded unexpectedly"
130 # Correct principals list
# Same layout with a principal that the certificate does contain: login must
# succeed.
131 verbose "$tid: ${_prefix} correct principals key option"
133 printf 'cert-authority,principals="mekmitasdigoat" '
134 cat $OBJ/user_ca_key.pub
135 ) > $OBJ/authorized_keys_$USER
136 ${SSH} -2i $OBJ/cert_user_key \
137 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
138 if [ $? -ne 0 ]; then
139 fail "ssh cert connect failed"