1 # $OpenBSD: cert-userkey.sh,v 1.11 2013/05/17 00:37:40 dtucker Exp $
2 # Placed in the Public Domain.
# Label for this regression test; every verbose progress message below starts
# with it.
4 tid="certified user keys"
6 # used to disable ECC based tests on platforms without ECC
# NOTE(review): the body of this conditional is missing from the listing (the
# gutter numbers jump from 8 to 12). Presumably it sets $ecdsa, which the
# key-type loops below expand unquoted so that it disappears when empty --
# confirm against the full file.
8 if test "x$TEST_SSH_ECC" = "xyes"; then
# Remove leftovers from earlier runs and keep a pristine copy of the sshd
# configuration; later sections rebuild sshd_proxy from sshd_proxy_bak.
12 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
13 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
# Create the RSA key that acts as the user CA (it is the -s signing key in the
# sections below). -N '' leaves it without a passphrase, which suits an
# unattended regression run only; the cleanup at the end of the script deletes
# the file again.
16 ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
17 fail "ssh-keygen of user_ca_key failed"
19 # Generate and sign user keys
# For every key type: create a passphrase-less user key, then have the CA sign
# it into a user certificate. All types except ecdsa additionally get a copy
# that is signed in the legacy v00 certificate format.
# NOTE(review): the closing `done` of this loop is not in the listing.
20 for ktype in rsa dsa $ecdsa ; do
21 verbose "$tid: sign user ${ktype} cert"
22 ${SSHKEYGEN} -q -N '' -t ${ktype} \
23 -f $OBJ/cert_user_key_${ktype} || \
24 fail "ssh-keygen of cert_user_key_${ktype} failed"
# -s: CA key, -I: identity string stored in the certificate, -z $$: serial
# number taken from this shell's PID, -n: principals the certificate names
# (the invoking user plus the made-up principal "mekmitasdigoat").
25 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
26 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
27 fail "couldn't sign cert_user_key_${ktype}"
28 # v00 ecdsa certs do not exist
29 test "${ktype}" = "ecdsa" && continue
# Copy the key pair under a _v00 name and sign the copy with -t v00. No -z
# serial is passed for this variant.
30 cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
31 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
32 ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
33 "regress user key for $USER" \
34 -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
35 fail "couldn't sign cert_user_key_${ktype}_v00"
38 # Test explicitly-specified principals
# Runs every certificate type with privilege separation on and off. Each case
# below rewrites the principals file, attempts one ssh login with the
# certificate, and calls fail when the outcome is not the expected one.
# NOTE(review): this listing drops lines throughout the loop (the gutter
# numbers skip). The ( ... ) > $OBJ/sshd_proxy wrapper around the config
# lines, most of the `if [ $? ... ]` / `fi` pairs and the closing `done`s are
# presumably among them -- confirm against the full file.
39 for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
40 for privsep in yes no ; do
41 _prefix="${ktype} privsep $privsep"
43 # Setup for AuthorizedPrincipalsFile
44 rm -f $OBJ/authorized_keys_$USER
# sshd configuration for this part: the saved base config, the privsep setting
# under test, a per-user principals file (%u stands for the user name) and the
# CA that sshd should trust.
46 cat $OBJ/sshd_proxy_bak
47 echo "UsePrivilegeSeparation $privsep"
48 echo "AuthorizedPrincipalsFile " \
49 "$OBJ/authorized_principals_%u"
50 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
53 # Missing authorized_principals
# The principals file does not exist, so the certificate must be refused.
54 verbose "$tid: ${_prefix} missing authorized_principals"
55 rm -f $OBJ/authorized_principals_$USER
56 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
57 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
59 fail "ssh cert connect succeeded unexpectedly"
62 # Empty authorized_principals
# A file holding only an empty line lists no principal; must be refused.
63 verbose "$tid: ${_prefix} empty authorized_principals"
64 echo > $OBJ/authorized_principals_$USER
65 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
66 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
68 fail "ssh cert connect succeeded unexpectedly"
71 # Wrong authorized_principals
# "gregorsamsa" is not one of the principals the certificates were signed for
# ($USER and mekmitasdigoat); must be refused.
72 verbose "$tid: ${_prefix} wrong authorized_principals"
73 echo gregorsamsa > $OBJ/authorized_principals_$USER
74 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
75 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
77 fail "ssh cert connect succeeded unexpectedly"
80 # Correct authorized_principals
# The file lists a principal that the certificate carries; must be accepted.
81 verbose "$tid: ${_prefix} correct authorized_principals"
82 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
83 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
84 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
86 fail "ssh cert connect failed"
89 # authorized_principals with bad key option
# "blah" is written where a key option would go in front of the principal; the
# login is expected to fail even though the principal itself matches.
90 verbose "$tid: ${_prefix} authorized_principals bad key opt"
91 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
92 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
93 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
95 fail "ssh cert connect succeeded unexpectedly"
98 # authorized_principals with command=false
# The client asks for `true`, yet a zero exit status counts as a failure here:
# the command="false" option on the principals line is expected to override
# the requested command.
99 verbose "$tid: ${_prefix} authorized_principals command=false"
100 echo 'command="false" mekmitasdigoat' > \
101 $OBJ/authorized_principals_$USER
102 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
103 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
104 if [ $? -eq 0 ]; then
105 fail "ssh cert connect succeeded unexpectedly"
109 # authorized_principals with command=true
# Mirror image of the previous case: the client asks for `false`, and a
# non-zero exit status counts as a failure because command="true" is expected
# to run instead.
110 verbose "$tid: ${_prefix} authorized_principals command=true"
111 echo 'command="true" mekmitasdigoat' > \
112 $OBJ/authorized_principals_$USER
113 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
114 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
115 if [ $? -ne 0 ]; then
116 fail "ssh cert connect failed"
119 # Setup for principals= key option
# From here on the allowed principals come from a principals="..." option on
# the cert-authority line in authorized_keys; the principals file is removed
# and the sshd config written below no longer names a trusted CA.
# NOTE(review): ${_prefix} and $privsep are still used, so this part presumably
# sits inside the same ktype/privsep loops as the cases above. The `(` lines
# that open the redirected groups and the `fi`/`done` lines are not in the
# listing -- confirm against the full file.
120 rm -f $OBJ/authorized_principals_$USER
122 cat $OBJ/sshd_proxy_bak
123 echo "UsePrivilegeSeparation $privsep"
126 # Wrong principals list
# The CA is accepted only for principal "gregorsamsa", which the certificates
# do not carry; a successful login is reported as a failure.
127 verbose "$tid: ${_prefix} wrong principals key option"
129 printf 'cert-authority,principals="gregorsamsa" '
130 cat $OBJ/user_ca_key.pub
131 ) > $OBJ/authorized_keys_$USER
132 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
133 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
134 if [ $? -eq 0 ]; then
135 fail "ssh cert connect succeeded unexpectedly"
138 # Correct principals list
# The CA is accepted for "mekmitasdigoat", one of the principals the
# certificates were signed for; the login must succeed.
139 verbose "$tid: ${_prefix} correct principals key option"
141 printf 'cert-authority,principals="mekmitasdigoat" '
142 cat $OBJ/user_ca_key.pub
143 ) > $OBJ/authorized_keys_$USER
144 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
145 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
146 if [ $? -ne 0 ]; then
147 fail "ssh cert connect failed"
# basic_tests: accept/revoke checks that are run once per CA trust mechanism
# (see the two calls at the end of this block). $auth names the mechanism:
# authorized_keys or TrustedUserCAKeys.
# NOTE(review): the function header, the assignment of $auth, and several `(`,
# `else`, `fi`, `done` and `) > $OBJ/sshd_proxy` lines are not in this listing
# (the gutter numbers skip) -- confirm the structure against the full file.
# NOTE(review): "unexpecedly" in three fail messages below is a misspelling of
# "unexpectedly"; the message text is left untouched here.
154 if test "x$auth" = "xauthorized_keys" ; then
155 # Add CA to authorized_keys
157 printf 'cert-authority '
158 cat $OBJ/user_ca_key.pub
159 ) > $OBJ/authorized_keys_$USER
# Other mechanism (presumably the `else` branch): authorized_keys holds only an
# empty line and the CA is named in a TrustedUserCAKeys config line instead.
161 echo > $OBJ/authorized_keys_$USER
162 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
165 for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
166 for privsep in yes no ; do
167 _prefix="${ktype} privsep $privsep $auth"
# Baseline: a certificate issued by the trusted CA must log in. ssh output is
# not discarded in this case, unlike the other cases.
169 verbose "$tid: ${_prefix} connect"
171 cat $OBJ/sshd_proxy_bak
172 echo "UsePrivilegeSeparation $privsep"
176 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
177 -F $OBJ/ssh_proxy somehost true
178 if [ $? -ne 0 ]; then
179 fail "ssh cert connect failed"
# RevokedKeys as a plain key file: the certificate's own .pub file is copied
# into the revocation file, so the login must now be refused.
183 verbose "$tid: ${_prefix} revoked key"
185 cat $OBJ/sshd_proxy_bak
186 echo "UsePrivilegeSeparation $privsep"
187 echo "RevokedKeys $OBJ/cert_user_key_revoked"
190 cp $OBJ/cert_user_key_${ktype}.pub \
191 $OBJ/cert_user_key_revoked
192 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
193 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
194 if [ $? -eq 0 ]; then
195 fail "ssh cert connect succeeded unexpecedly"
# Same revocation expressed as a KRL: ssh-keygen -k writes a key revocation
# list for the given certificate to the same RevokedKeys path.
197 verbose "$tid: ${_prefix} revoked via KRL"
198 rm $OBJ/cert_user_key_revoked
199 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
200 $OBJ/cert_user_key_${ktype}.pub
201 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
202 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
203 if [ $? -eq 0 ]; then
204 fail "ssh cert connect succeeded unexpecedly"
# A KRL generated from no keys revokes nothing; the login must succeed again.
206 verbose "$tid: ${_prefix} empty KRL"
207 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
208 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
209 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
210 if [ $? -ne 0 ]; then
211 fail "ssh cert connect failed"
# RevokedKeys now points at the CA public key itself: a certificate issued by a
# revoked CA must be refused.
216 verbose "$tid: ${ktype} $auth revoked CA key"
218 cat $OBJ/sshd_proxy_bak
219 echo "RevokedKeys $OBJ/user_ca_key.pub"
222 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
223 somehost true >/dev/null 2>&1
224 if [ $? -eq 0 ]; then
225 fail "ssh cert connect succeeded unexpecedly"
# The CA key is trusted for signing only: presenting the CA private key
# directly as the login identity must not authenticate the user.
229 verbose "$tid: $auth CA does not authenticate"
231 cat $OBJ/sshd_proxy_bak
234 verbose "$tid: ensure CA key does not authenticate user"
235 ${SSH} -2i $OBJ/user_ca_key \
236 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
237 if [ $? -eq 0 ]; then
238 fail "ssh cert connect with CA key succeeded unexpectedly"
# Run the whole set once for each way of trusting the CA.
242 basic_tests authorized_keys
243 basic_tests TrustedUserCAKeys
# test_one: re-sign the user certificate with the given ssh-keygen options, try
# one login with it and compare the outcome with the expected result.
# Call shape, as used by the calls further down:
#   test_one <description> <success|failure> <signing options> \
#            [<auth mechanisms>] [<auth option>]
# NOTE(review): the function header, the assignments of $ident, $result,
# $auth_choice, $auth_opt and $rc, the signing-options line of the ssh-keygen
# call (gutter line 282) and several `case`/`esac`, `(`, `else`, `fi`, `done`
# lines are not in this listing -- confirm against the full file.
# With no mechanism given, the case runs against both.
252 if test "x$auth_choice" = "x" ; then
253 auth_choice="authorized_keys TrustedUserCAKeys"
256 for auth in $auth_choice ; do
257 for ktype in rsa rsa_v00 ; do
# Keys with a _v00 suffix are signed in the legacy format.
259 *_v00) keyv="-t v00" ;;
263 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
264 if test "x$auth" = "xauthorized_keys" ; then
265 # Add CA to authorized_keys
# $auth_opt is glued onto the cert-authority keyword (the calls pass values
# such as ',principals="..."'). It is expanded inside the printf format
# string: harmless for those fixed strings, but a value containing % or a
# backslash would be interpreted by printf.
267 printf "cert-authority${auth_opt} "
268 cat $OBJ/user_ca_key.pub
269 ) > $OBJ/authorized_keys_$USER
# Other mechanism (presumably the `else` branch): authorized_keys holds only an
# empty line, the CA goes into the sshd config, and a non-empty $auth_opt is
# appended to sshd_proxy as a config line of its own (expanded unquoted).
271 echo > $OBJ/authorized_keys_$USER
272 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
274 if test "x$auth_opt" != "x" ; then
275 echo $auth_opt >> $OBJ/sshd_proxy
279 verbose "$tid: $ident auth $auth expect $result $ktype"
280 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
281 -I "regress user key for $USER" \
283 $OBJ/cert_user_key_${ktype} ||
284 fail "couldn't sign cert_user_key_${ktype}"
286 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
287 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
# $rc is presumably the exit status of the ssh command above. An expected
# success must give rc 0; anything else is expected to give a non-zero rc.
289 if [ "x$result" = "xsuccess" ] ; then
290 if [ $rc -ne 0 ]; then
291 fail "$ident failed unexpectedly"
294 if [ $rc -eq 0 ]; then
295 fail "$ident succeeded unexpectedly"
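# Certificate constraint matrix. Each call re-signs the user certificate with
# the given ssh-keygen options and states whether a login with it must succeed.
# Arguments: description, expected result, signing options, and optionally the
# trust mechanism(s) to run against plus an extra option for that mechanism.
test_one "correct principal" success "-n ${USER}"
# -h issues a host certificate, which must never authenticate a user.
test_one "host-certificate" failure "-n ${USER} -h"
test_one "wrong principals" failure "-n foo"
# The validity window must start in the future for this case to test anything.
# The original used the absolute dates 20200101:20300101, a window that has
# been open since 2020-01-01, so the expected failure no longer occurs. A
# relative window (one to two weeks from now) never goes stale.
test_one "cert not yet valid" failure "-n ${USER} -V+1w:+2w"
# A window that lies entirely in the past stays expired, so fixed dates are
# fine here.
test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
# The certificate is restricted to clients in 10.0.0.0/8; the test connection
# is expected not to come from that range.
test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
# The forced command replaces the requested `true` with `false`, so ssh exits
# non-zero.
test_one "force-command" failure "-n ${USER} -Oforce-command=false"

# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
test_one "empty principals" success "" authorized_keys
test_one "empty principals" failure "" TrustedUserCAKeys

# Check explicitly-specified principals: an empty principals list in the cert
# should always be refused.

# AuthorizedPrincipalsFile
rm -f "$OBJ/authorized_keys_$USER"
echo mekmitasdigoat > "$OBJ/authorized_principals_$USER"
test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
  TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
test_one "AuthorizedPrincipalsFile no principals" failure "" \
  TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"

# principals= key option
rm -f "$OBJ/authorized_principals_$USER"
test_one "principals key option principals" success "-n mekmitasdigoat" \
  authorized_keys ',principals="mekmitasdigoat"'
test_one "principals key option no principals" failure "" \
  authorized_keys ',principals="mekmitasdigoat"'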
# Wrong certificate: sshd_proxy is reset to the saved base config, then each
# user key is signed with itself as the CA (-s points at the user key). Such a
# certificate is not issued by user_ca_key, so the login must be refused.
# NOTE(review): the `case`/`esac` lines around the *_v00 arm and the `fi` and
# `done` lines are not in this listing. $ident in the fail message is not
# assigned in this loop; presumably it still holds the description from the
# last test_one call -- confirm against the full file.
334 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
335 for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
337 *_v00) args="-t v00" ;;
341 ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
342 "regress user key for $USER" \
343 -n $USER $OBJ/cert_user_key_${ktype} ||
344 fail "couldn't sign cert_user_key_${ktype}"
345 verbose "$tid: user ${ktype} connect wrong cert"
346 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
347 somehost true >/dev/null 2>&1
348 if [ $? -eq 0 ]; then
349 fail "ssh cert connect $ident succeeded unexpectedly"
# Final cleanup: delete the generated CA key, user keys and certificates, and
# the authorized_keys and principals files.
353 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
354 rm -f $OBJ/authorized_principals_$USER