#	$OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $
#	Placed in the Public Domain.

tid="authorized principals command"

# Start from a clean slate: discard CA/cert keys left by an earlier run and
# keep a pristine copy of sshd_proxy, since each iteration below rebuilds it
# from this backup.
rm -f "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# The principals command has to be installed under /var/run (see below),
# which requires SUDO.  Without it the test is skipped, not failed.
if [ -z "$SUDO" ]; then
	echo "skipped (SUDO not set)"
	echo "need SUDO to create file in /var/run, test won't work without"
	exit 0
fi

# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
# acceptable directory permissions: sshd only runs the command when it is
# given as an absolute path, owned by root and not writable by group or
# others (sshd_config(5)), which rules out $OBJ and is why SUDO is needed.
#
# The generated script is executed by sshd as AuthorizedPrincipalsCommandUser
# with %u (the user logging in) as $1.  Note what is expanded when: "\$1"
# survives into the file, whereas ${LOGNAME} and $OBJ are baked in at write
# time.  The script refuses any user other than ${LOGNAME}; otherwise it
# prints the test's principals file, and exits non-zero with no output when
# that file does not exist (the failed "test -f" is the last command run).
#
# NOTE(review): nothing in this script removes the root-owned file it leaves
# in /var/run; each run simply overwrites it.
PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
if ! cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
#!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
	exec cat "$OBJ/authorized_principals_${LOGNAME}"
_EOF
then
	fatal "couldn't prepare principals command"
fi
$SUDO chmod 0755 "$PRINCIPALS_CMD"

# Create a CA key and a user certificate.
# The certificate is signed with two principals: the real user and the
# synthetic name "mekmitasdigoat", which is what the principals checks
# below match against.  The serial (-z) is just this shell's PID.
if ! ${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_ca_key"; then
	fatal "ssh-keygen of user_ca_key failed"
fi
if ! ${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/cert_user_key"; then
	fatal "ssh-keygen of cert_user_key failed"
fi
if ! ${SSHKEYGEN} -q -s "$OBJ/user_ca_key" -I "regress user key for $USER" \
    -z $$ -n "${USER},mekmitasdigoat" "$OBJ/cert_user_key"; then
	fatal "couldn't sign cert_user_key"
fi

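if [ -x "$PRINCIPALS_CMD" ]; then
	# Test explicitly-specified principals.  Every case is run twice,
	# with UsePrivilegeSeparation yes and no.
	for privsep in yes no ; do
		_prefix="privsep $privsep"

		# Setup for AuthorizedPrincipalsCommand.  With AuthorizedKeysFile
		# set to "none" there is no authorized_keys fallback: the only
		# way in is a certificate signed by user_ca_key whose principal
		# the command (run as ${LOGNAME}, given %u as its argument)
		# reports back.
		rm -f $OBJ/authorized_keys_$USER
		(
			cat $OBJ/sshd_proxy_bak
			echo "UsePrivilegeSeparation $privsep"
			echo "AuthorizedKeysFile none"
			echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
			echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
		) > $OBJ/sshd_proxy

		# XXX test missing command
		# XXX test failing command

		# NOTE(review): the principals command installed above reads
		# $OBJ/authorized_principals_${LOGNAME}, while the cases below
		# write $OBJ/authorized_principals_$USER.  They only line up when
		# USER and LOGNAME agree -- confirm for the harness environment.

		# Empty authorized_principals: no principal to match, so the
		# connect must be refused.
		verbose "$tid: ${_prefix} empty authorized_principals"
		echo > $OBJ/authorized_principals_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Wrong authorized_principals: a name the certificate does not
		# carry must not be accepted.
		verbose "$tid: ${_prefix} wrong authorized_principals"
		echo gregorsamsa > $OBJ/authorized_principals_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct authorized_principals: "mekmitasdigoat" is one of the
		# principals the certificate was signed with.
		verbose "$tid: ${_prefix} correct authorized_principals"
		echo mekmitasdigoat > $OBJ/authorized_principals_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi

		# authorized_principals with bad key option: "blah" is not a
		# valid key option, and the line is expected to be rejected as a
		# whole even though the principal itself would match.
		verbose "$tid: ${_prefix} authorized_principals bad key opt"
		echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=false: the forced command
		# must run in place of the requested "true", so ssh is expected
		# to exit non-zero.  Together with the next case this checks that
		# key options in the principals file are honoured.
		verbose "$tid: ${_prefix} authorized_principals command=false"
		echo 'command="false" mekmitasdigoat' > \
		    $OBJ/authorized_principals_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=true: the client asks for
		# "false", but the forced "true" runs instead, so ssh exits 0.
		verbose "$tid: ${_prefix} authorized_principals command=true"
		echo 'command="true" mekmitasdigoat' > \
		    $OBJ/authorized_principals_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi

		# Setup for principals= key option: back to a plain sshd_proxy
		# with no AuthorizedPrincipalsCommand, and no principals file,
		# so the only restriction left is the principals="..." option on
		# the cert-authority line in authorized_keys.
		rm -f $OBJ/authorized_principals_$USER
		(
			cat $OBJ/sshd_proxy_bak
			echo "UsePrivilegeSeparation $privsep"
		) > $OBJ/sshd_proxy

		# Wrong principals list: the CA line only allows "gregorsamsa",
		# which the certificate does not carry.
		verbose "$tid: ${_prefix} wrong principals key option"
		(
			printf 'cert-authority,principals="gregorsamsa" '
			cat $OBJ/user_ca_key.pub
		) > $OBJ/authorized_keys_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct principals list: the CA line allows "mekmitasdigoat",
		# which the certificate does carry.
		verbose "$tid: ${_prefix} correct principals key option"
		(
			printf 'cert-authority,principals="mekmitasdigoat" '
			cat $OBJ/user_ca_key.pub
		) > $OBJ/authorized_keys_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi
	done
else
	# The skip message used to expand $PRINCIPALS_COMMAND, which is never
	# set, so it printed an empty path; the variable is PRINCIPALS_CMD.
	echo "SKIPPED: $PRINCIPALS_CMD not executable " \
	    "(/var/run mounted noexec?)"
fi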