]> CyberLeo.Net >> Repos - FreeBSD/stable/10.git/blob - crypto/openssh/regress/cert-userkey.sh
projects / FreeBSD / stable / 10.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
MFH (r265214, r294333, r294407, r294467): misc prop fixes
[FreeBSD/stable/10.git] / crypto / openssh / regress / cert-userkey.sh
1 #       $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $
2 #       Placed in the Public Domain.
3
4 tid="certified user keys"
5
6 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
7 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8 cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
9
10 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
11
12 kname() {
13         n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'`
14         echo "$n*,ssh-rsa*,ssh-ed25519*"
15 }
16
17 # Create a CA key
18 ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
19         fail "ssh-keygen of user_ca_key failed"
20
21 # Generate and sign user keys
22 for ktype in $PLAIN_TYPES ; do 
23         verbose "$tid: sign user ${ktype} cert"
24         ${SSHKEYGEN} -q -N '' -t ${ktype} \
25             -f $OBJ/cert_user_key_${ktype} || \
26                 fail "ssh-keygen of cert_user_key_${ktype} failed"
27         ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
28             -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
29                 fail "couldn't sign cert_user_key_${ktype}"
30 done
31
32 # Test explicitly-specified principals
33 for ktype in $PLAIN_TYPES ; do 
34         t=$(kname $ktype)
35         for privsep in yes no ; do
36                 _prefix="${ktype} privsep $privsep"
37
38                 # Setup for AuthorizedPrincipalsFile
39                 rm -f $OBJ/authorized_keys_$USER
40                 (
41                         cat $OBJ/sshd_proxy_bak
42                         echo "UsePrivilegeSeparation $privsep"
43                         echo "AuthorizedPrincipalsFile " \
44                             "$OBJ/authorized_principals_%u"
45                         echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
46                         echo "PubkeyAcceptedKeyTypes ${t}"
47                 ) > $OBJ/sshd_proxy
48                 (
49                         cat $OBJ/ssh_proxy_bak
50                         echo "PubkeyAcceptedKeyTypes ${t}"
51                 ) > $OBJ/ssh_proxy
52
53                 # Missing authorized_principals
54                 verbose "$tid: ${_prefix} missing authorized_principals"
55                 rm -f $OBJ/authorized_principals_$USER
56                 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
57                     -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
58                 if [ $? -eq 0 ]; then
59                         fail "ssh cert connect succeeded unexpectedly"
60                 fi
61
62                 # Empty authorized_principals
63                 verbose "$tid: ${_prefix} empty authorized_principals"
64                 echo > $OBJ/authorized_principals_$USER
65                 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
66                     -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
67                 if [ $? -eq 0 ]; then
68                         fail "ssh cert connect succeeded unexpectedly"
69                 fi
70         
71                 # Wrong authorized_principals
72                 verbose "$tid: ${_prefix} wrong authorized_principals"
73                 echo gregorsamsa > $OBJ/authorized_principals_$USER
74                 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
75                     -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
76                 if [ $? -eq 0 ]; then
77                         fail "ssh cert connect succeeded unexpectedly"
78                 fi
79
80                 # Correct authorized_principals
81                 verbose "$tid: ${_prefix} correct authorized_principals"
82                 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
83                 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
84                     -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
85                 if [ $? -ne 0 ]; then
86                         fail "ssh cert connect failed"
87                 fi
88
89                 # authorized_principals with bad key option
90                 verbose "$tid: ${_prefix} authorized_principals bad key opt"
91                 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
92                 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
93                     -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
94                 if [ $? -eq 0 ]; then
95                         fail "ssh cert connect succeeded unexpectedly"
96                 fi
97
98                 # authorized_principals with command=false
99                 verbose "$tid: ${_prefix} authorized_principals command=false"
100                 echo 'command="false" mekmitasdigoat' > \
101                     $OBJ/authorized_principals_$USER
102                 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
103                     -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
104                 if [ $? -eq 0 ]; then
105                         fail "ssh cert connect succeeded unexpectedly"
106                 fi
107
108
109                 # authorized_principals with command=true
110                 verbose "$tid: ${_prefix} authorized_principals command=true"
111                 echo 'command="true" mekmitasdigoat' > \
112                     $OBJ/authorized_principals_$USER
113                 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
114                     -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
115                 if [ $? -ne 0 ]; then
116                         fail "ssh cert connect failed"
117                 fi
118
119                 # Setup for principals= key option
120                 rm -f $OBJ/authorized_principals_$USER
121                 (
122                         cat $OBJ/sshd_proxy_bak
123                         echo "UsePrivilegeSeparation $privsep"
124                         echo "PubkeyAcceptedKeyTypes ${t}"
125                 ) > $OBJ/sshd_proxy
126                 (
127                         cat $OBJ/ssh_proxy_bak
128                         echo "PubkeyAcceptedKeyTypes ${t}"
129                 ) > $OBJ/ssh_proxy
130
131                 # Wrong principals list
132                 verbose "$tid: ${_prefix} wrong principals key option"
133                 (
134                         printf 'cert-authority,principals="gregorsamsa" '
135                         cat $OBJ/user_ca_key.pub
136                 ) > $OBJ/authorized_keys_$USER
137                 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
138                     -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
139                 if [ $? -eq 0 ]; then
140                         fail "ssh cert connect succeeded unexpectedly"
141                 fi
142
143                 # Correct principals list
144                 verbose "$tid: ${_prefix} correct principals key option"
145                 (
146                         printf 'cert-authority,principals="mekmitasdigoat" '
147                         cat $OBJ/user_ca_key.pub
148                 ) > $OBJ/authorized_keys_$USER
149                 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
150                     -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
151                 if [ $? -ne 0 ]; then
152                         fail "ssh cert connect failed"
153                 fi
154         done
155 done
156
157 basic_tests() {
158         auth=$1
159         if test "x$auth" = "xauthorized_keys" ; then
160                 # Add CA to authorized_keys
161                 (
162                         printf 'cert-authority '
163                         cat $OBJ/user_ca_key.pub
164                 ) > $OBJ/authorized_keys_$USER
165         else
166                 echo > $OBJ/authorized_keys_$USER
167                 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
168         fi
169         
170         for ktype in $PLAIN_TYPES ; do 
171                 t=$(kname $ktype)
172                 for privsep in yes no ; do
173                         _prefix="${ktype} privsep $privsep $auth"
174                         # Simple connect
175                         verbose "$tid: ${_prefix} connect"
176                         (
177                                 cat $OBJ/sshd_proxy_bak
178                                 echo "UsePrivilegeSeparation $privsep"
179                                 echo "PubkeyAcceptedKeyTypes ${t}"
180                                 echo "$extra_sshd"
181                         ) > $OBJ/sshd_proxy
182                         (
183                                 cat $OBJ/ssh_proxy_bak
184                                 echo "PubkeyAcceptedKeyTypes ${t}"
185                         ) > $OBJ/ssh_proxy
186         
187                         ${SSH} -2i $OBJ/cert_user_key_${ktype} \
188                             -F $OBJ/ssh_proxy somehost true
189                         if [ $? -ne 0 ]; then
190                                 fail "ssh cert connect failed"
191                         fi
192
193                         # Revoked keys
194                         verbose "$tid: ${_prefix} revoked key"
195                         (
196                                 cat $OBJ/sshd_proxy_bak
197                                 echo "UsePrivilegeSeparation $privsep"
198                                 echo "RevokedKeys $OBJ/cert_user_key_revoked"
199                                 echo "PubkeyAcceptedKeyTypes ${t}"
200                                 echo "$extra_sshd"
201                         ) > $OBJ/sshd_proxy
202                         cp $OBJ/cert_user_key_${ktype}.pub \
203                             $OBJ/cert_user_key_revoked
204                         ${SSH} -2i $OBJ/cert_user_key_${ktype} \
205                             -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
206                         if [ $? -eq 0 ]; then
207                                 fail "ssh cert connect succeeded unexpecedly"
208                         fi
209                         verbose "$tid: ${_prefix} revoked via KRL"
210                         rm $OBJ/cert_user_key_revoked
211                         ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
212                             $OBJ/cert_user_key_${ktype}.pub
213                         ${SSH} -2i $OBJ/cert_user_key_${ktype} \
214                             -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
215                         if [ $? -eq 0 ]; then
216                                 fail "ssh cert connect succeeded unexpecedly"
217                         fi
218                         verbose "$tid: ${_prefix} empty KRL"
219                         ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
220                         ${SSH} -2i $OBJ/cert_user_key_${ktype} \
221                             -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
222                         if [ $? -ne 0 ]; then
223                                 fail "ssh cert connect failed"
224                         fi
225                 done
226         
227                 # Revoked CA
228                 verbose "$tid: ${ktype} $auth revoked CA key"
229                 (
230                         cat $OBJ/sshd_proxy_bak
231                         echo "RevokedKeys $OBJ/user_ca_key.pub"
232                         echo "PubkeyAcceptedKeyTypes ${t}"
233                         echo "$extra_sshd"
234                 ) > $OBJ/sshd_proxy
235                 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
236                     somehost true >/dev/null 2>&1
237                 if [ $? -eq 0 ]; then
238                         fail "ssh cert connect succeeded unexpecedly"
239                 fi
240         done
241         
242         verbose "$tid: $auth CA does not authenticate"
243         (
244                 cat $OBJ/sshd_proxy_bak
245                 echo "PubkeyAcceptedKeyTypes ${t}"
246                 echo "$extra_sshd"
247         ) > $OBJ/sshd_proxy
248         verbose "$tid: ensure CA key does not authenticate user"
249         ${SSH} -2i $OBJ/user_ca_key \
250             -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
251         if [ $? -eq 0 ]; then
252                 fail "ssh cert connect with CA key succeeded unexpectedly"
253         fi
254 }
255
256 basic_tests authorized_keys
257 basic_tests TrustedUserCAKeys
258
259 test_one() {
260         ident=$1
261         result=$2
262         sign_opts=$3
263         auth_choice=$4
264         auth_opt=$5
265
266         if test "x$auth_choice" = "x" ; then
267                 auth_choice="authorized_keys TrustedUserCAKeys"
268         fi
269
270         for auth in $auth_choice ; do
271                 for ktype in rsa ed25519 ; do
272                         cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
273                         if test "x$auth" = "xauthorized_keys" ; then
274                                 # Add CA to authorized_keys
275                                 (
276                                         printf "cert-authority${auth_opt} "
277                                         cat $OBJ/user_ca_key.pub
278                                 ) > $OBJ/authorized_keys_$USER
279                         else
280                                 echo > $OBJ/authorized_keys_$USER
281                                 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
282                                     >> $OBJ/sshd_proxy
283                                 echo "PubkeyAcceptedKeyTypes ${t}*" \
284                                     >> $OBJ/sshd_proxy
285                                 if test "x$auth_opt" != "x" ; then
286                                         echo $auth_opt >> $OBJ/sshd_proxy
287                                 fi
288                         fi
289                         
290                         verbose "$tid: $ident auth $auth expect $result $ktype"
291                         ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
292                             -I "regress user key for $USER" \
293                             $sign_opts $OBJ/cert_user_key_${ktype} ||
294                                 fail "couldn't sign cert_user_key_${ktype}"
295
296                         ${SSH} -2i $OBJ/cert_user_key_${ktype} \
297                             -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
298                         rc=$?
299                         if [ "x$result" = "xsuccess" ] ; then
300                                 if [ $rc -ne 0 ]; then
301                                         fail "$ident failed unexpectedly"
302                                 fi
303                         else
304                                 if [ $rc -eq 0 ]; then
305                                         fail "$ident succeeded unexpectedly"
306                                 fi
307                         fi
308                 done
309         done
310 }
311
312 test_one "correct principal"    success "-n ${USER}"
313 test_one "host-certificate"     failure "-n ${USER} -h"
314 test_one "wrong principals"     failure "-n foo"
315 test_one "cert not yet valid"   failure "-n ${USER} -V20200101:20300101"
316 test_one "cert expired"         failure "-n ${USER} -V19800101:19900101"
317 test_one "cert valid interval"  success "-n ${USER} -V-1w:+2w"
318 test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
319 test_one "force-command"        failure "-n ${USER} -Oforce-command=false"
320
321 # Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
322 test_one "empty principals"     success "" authorized_keys
323 test_one "empty principals"     failure "" TrustedUserCAKeys
324
325 # Check explicitly-specified principals: an empty principals list in the cert
326 # should always be refused.
327
328 # AuthorizedPrincipalsFile
329 rm -f $OBJ/authorized_keys_$USER
330 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
331 test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
332     TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
333 test_one "AuthorizedPrincipalsFile no principals" failure "" \
334     TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
335
336 # principals= key option
337 rm -f $OBJ/authorized_principals_$USER
338 test_one "principals key option principals" success "-n mekmitasdigoat" \
339     authorized_keys ',principals="mekmitasdigoat"'
340 test_one "principals key option no principals" failure "" \
341     authorized_keys ',principals="mekmitasdigoat"'
342
343 # Wrong certificate
344 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
345 for ktype in $PLAIN_TYPES ; do 
346         t=$(kname $ktype)
347         # Self-sign
348         ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
349             "regress user key for $USER" \
350             -n $USER $OBJ/cert_user_key_${ktype} ||
351                 fail "couldn't sign cert_user_key_${ktype}"
352         verbose "$tid: user ${ktype} connect wrong cert"
353         ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
354             somehost true >/dev/null 2>&1
355         if [ $? -eq 0 ]; then
356                 fail "ssh cert connect $ident succeeded unexpectedly"
357         fi
358 done
359
360 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
361 rm -f $OBJ/authorized_principals_$USER
362
10-STABLE