1 #       $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $
2 #       Placed in the Public Domain.
3
# Name of this regress test; the verbose progress messages further down are
# prefixed with it.
tid="authorized principals command"

# Remove any CA/user keys and certificates left behind by an earlier run, and
# keep a pristine copy of the sshd proxy config: each test case below rebuilds
# sshd_proxy from this backup.
rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

# The helper script is written into /var/run further down, which needs
# elevated privileges. Without $SUDO the test is skipped and exits 0 rather
# than failing.
[ -n "$SUDO" ] || {
	echo "skipped (SUDO not set)"
	echo "need SUDO to create file in /var/run, test won't work without"
	exit 0
}
14
# Install the AuthorizedPrincipalsCommand helper under /var/run, where the
# directory permissions are expected to be acceptable for a command sshd runs.
PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"

# The here-document delimiter is deliberately unquoted: $OBJ and ${LOGNAME}
# are expanded now and baked into the helper, while \$1 stays literal and is
# evaluated when the helper runs. The generated helper exits 1 unless its
# first argument equals the baked-in login name, and otherwise prints the
# per-user authorized_principals file when that file exists.
# NOTE(review): the target path is spliced into the `sh -c` string executed
# under $SUDO, so this relies on LOGNAME containing no quote characters.
$SUDO sh -c "cat > '$PRINCIPALS_CMD'" << _EOF
#!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
        exec cat "$OBJ/authorized_principals_${LOGNAME}"
_EOF
if [ $? -ne 0 ]; then
	fatal "couldn't prepare principals command"
fi

# Mode 0755: readable and executable by everyone, writable only by the owner
# (presumably root, since the file was created through $SUDO).
$SUDO chmod 0755 "$PRINCIPALS_CMD"

# check-perm decides whether the installed path is suitable as a keys/principals
# command. If it is not, remove the helper again and skip the test with exit 0.
if $OBJ/check-perm -m keys-command $PRINCIPALS_CMD ; then
	:
else
	echo "skipping: $PRINCIPALS_CMD is unsuitable as " \
	    "AuthorizedPrincipalsCommand"
	$SUDO rm -f $PRINCIPALS_CMD
	exit 0
fi
33
# Build the trust chain used by every case below: an ed25519 CA key pair and
# an ed25519 user key pair, both with an empty passphrase (-N '').
if ! ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key ; then
	fatal "ssh-keygen of user_ca_key failed"
fi
if ! ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key ; then
	fatal "ssh-keygen of cert_user_key failed"
fi

# Sign the user key with the CA. The certificate carries two principals, the
# login name and "mekmitasdigoat"; the tests authorize (or refuse) the latter.
# The serial number (-z) is this shell's PID.
if ! ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
    -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key ; then
	fatal "couldn't sign cert_user_key"
fi
42
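# Exercise certificate authentication against the installed
# AuthorizedPrincipalsCommand, once per privilege-separation mode. Each case
# rewrites the principals source, attempts a login with the signed user
# certificate, and calls fail when the outcome is not the expected one.
# Negative cases matter as much as positive ones here: a login that succeeds
# with an empty, wrong or malformed principals list would be an authentication
# bypass.
# NOTE(review): the helper installed earlier reads
# authorized_principals_${LOGNAME}, while the cases below write
# authorized_principals_$USER; this assumes USER and LOGNAME are identical.
if [ -x "$PRINCIPALS_CMD" ]; then
	# Test explicitly-specified principals
	for privsep in yes no ; do
		_prefix="privsep $privsep"

		# Setup for AuthorizedPrincipalsCommand: no authorized_keys file
		# at all, so the only way in is a CA-signed certificate whose
		# principal is returned by the command.
		rm -f $OBJ/authorized_keys_$USER
		(
			cat $OBJ/sshd_proxy_bak
			echo "UsePrivilegeSeparation $privsep"
			echo "AuthorizedKeysFile none"
			echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
			echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
		) > $OBJ/sshd_proxy

		# XXX test missing command
		# XXX test failing command

		# Empty authorized_principals: the command outputs a single
		# blank line, which must not authorize anything.
		verbose "$tid: ${_prefix} empty authorized_principals"
		echo > $OBJ/authorized_principals_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Wrong authorized_principals: a principal the certificate does
		# not carry must be refused.
		verbose "$tid: ${_prefix} wrong authorized_principals"
		echo gregorsamsa > $OBJ/authorized_principals_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct authorized_principals: the listed principal is one of
		# the two in the certificate, so the login must succeed.
		verbose "$tid: ${_prefix} correct authorized_principals"
		echo mekmitasdigoat > $OBJ/authorized_principals_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi

		# authorized_principals with bad key option: an unrecognised
		# option in front of a valid principal must reject the line.
		verbose "$tid: ${_prefix} authorized_principals bad key opt"
		echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=false: the client asks for
		# "true" but the forced command must win, so ssh exits non-zero.
		verbose "$tid: ${_prefix} authorized_principals command=false"
		echo 'command="false" mekmitasdigoat' > \
		    $OBJ/authorized_principals_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=true: the mirror image; the
		# client asks for "false" and the forced "true" must make ssh
		# exit zero.
		verbose "$tid: ${_prefix} authorized_principals command=true"
		echo 'command="true" mekmitasdigoat' > \
		    $OBJ/authorized_principals_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi

		# Setup for principals= key option: sshd_proxy goes back to the
		# backup plus the privsep setting, so the CA is now trusted only
		# through the cert-authority line in authorized_keys.
		rm -f $OBJ/authorized_principals_$USER
		(
			cat $OBJ/sshd_proxy_bak
			echo "UsePrivilegeSeparation $privsep"
		) > $OBJ/sshd_proxy

		# Wrong principals list
		verbose "$tid: ${_prefix} wrong principals key option"
		(
			printf 'cert-authority,principals="gregorsamsa" '
			cat $OBJ/user_ca_key.pub
		) > $OBJ/authorized_keys_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct principals list
		verbose "$tid: ${_prefix} correct principals key option"
		(
			printf 'cert-authority,principals="mekmitasdigoat" '
			cat $OBJ/user_ca_key.pub
		) > $OBJ/authorized_keys_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi
	done
else
	# The message used to expand $PRINCIPALS_COMMAND, a name that is not set
	# anywhere in this script, so the skipped path was printed as empty.
	echo "SKIPPED: $PRINCIPALS_CMD not executable " \
	    "(/var/run mounted noexec?)"
fi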