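#	$OpenBSD: cert-file.sh,v 1.2 2015/09/24 07:15:39 djm Exp $
#	Placed in the Public Domain.

# Regression test: selection of user certificates through the CertificateFile
# option, both with identities given as "-i" files and with the private keys
# held by ssh-agent.
#
# Relies on the regress harness (test-exec.sh) for: $OBJ, $SSH, $SSHKEYGEN,
# $SSHADD, $SSHAGENT, $SSH_PROTOCOLS, $USER and the fail/fatal/trace helpers.
# Option strings ($opts, $opts2, $opts3) are deliberately left unquoted when
# passed to ssh: they are built as space-separated words and must be split.
#
# Trust model under test: the server side (ssh_proxy) trusts only
# user_ca_key1 via a "cert-authority" line in authorized_keys_$USER, so
# anything signed by user_ca_key2 must be rejected.

tid="ssh with certificates"

# Kill the agent this script started before aborting.  fatal exits
# immediately, so without this the test private keys would stay loaded in a
# stray ssh-agent after a failed run.
agent_fatal() {
	${SSHAGENT} -k > /dev/null 2>&1
	fatal "$@"
}

# "${OBJ:?}" aborts instead of letting the globs run against "/" if OBJ is
# ever unset or empty.
rm -f "${OBJ:?}"/user_ca_key* "${OBJ:?}"/user_key*
rm -f "${OBJ:?}"/cert_user_key*

# Create two CA keys: user_ca_key1 will be trusted by the server,
# user_ca_key2 will not.  Empty passphrases are fine for throwaway test keys.
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_ca_key1" || \
	fatal "ssh-keygen failed"
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_ca_key2" || \
	fatal "ssh-keygen failed"

# Make two user keys; only user_key1 ever gets certified.
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_key1" || \
	fatal "ssh-keygen failed"
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_key2" || \
	fatal "ssh-keygen failed"

# Sign user_key1 with each CA.  ssh-keygen writes the certificate as
# user_key1-cert.pub next to the private key; move it to a different
# location so ssh does not pick it up on its own and the certificate is
# only offered when we name it explicitly via CertificateFile.
# -z $$ uses our PID as the certificate serial; -n ${USER} sets the
# principal the server will match against.
${SSHKEYGEN} -q -s "$OBJ/user_ca_key1" -I "regress user key for $USER" \
	-z $$ -n "${USER}" "$OBJ/user_key1" ||
	fail "couldn't sign user_key1 with user_ca_key1"
mv "$OBJ/user_key1-cert.pub" "$OBJ/cert_user_key1_1.pub"
${SSHKEYGEN} -q -s "$OBJ/user_ca_key2" -I "regress user key for $USER" \
	-z $$ -n "${USER}" "$OBJ/user_key1" ||
	fail "couldn't sign user_key1 with user_ca_key2"
mv "$OBJ/user_key1-cert.pub" "$OBJ/cert_user_key1_2.pub"

trace 'try with identity files'
# IdentitiesOnly=yes restricts ssh to the identities named on the command
# line, so an unrelated key lying around cannot mask a failure.
opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2"
# Only CA 1 is trusted by the server.
echo "cert-authority $(cat "$OBJ/user_ca_key1.pub")" > "$OBJ/authorized_keys_$USER"

# Each connection runs "exit 5$p" (51 or 52) remotely.  Getting that exact
# status back proves authentication succeeded; any other status (ssh itself
# reports 255 on a connection or authentication error) counts as a failure.
for p in ${SSH_PROTOCOLS}; do
	# Just keys should fail: neither plain key is in authorized_keys.
	${SSH} $opts2 somehost exit 5$p
	r=$?
	if [ "$r" -eq "5$p" ]; then
		fail "ssh succeeded with no certs in protocol $p"
	fi

	# Keys with untrusted cert should fail (signed by CA 2).
	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
	${SSH} $opts3 somehost exit 5$p
	r=$?
	if [ "$r" -eq "5$p" ]; then
		fail "ssh succeeded with bad cert in protocol $p"
	fi

	# Good cert with bad key should fail: the trusted cert is for
	# user_key1, but only user_key2 is offered as an identity.
	opts3="$opts -i $OBJ/user_key2"
	opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
	${SSH} $opts3 somehost exit 5$p
	r=$?
	if [ "$r" -eq "5$p" ]; then
		fail "ssh succeeded with no matching key in protocol $p"
	fi

	# Keys with one trusted cert, should succeed.
	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
	${SSH} $opts3 somehost exit 5$p
	r=$?
	if [ "$r" -ne "5$p" ]; then
		fail "ssh failed with trusted cert and key in protocol $p"
	fi

	# Multiple certs and keys, with one trusted cert, should succeed.
	# The untrusted cert is listed first to check it does not block the
	# trusted one.
	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
	opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
	${SSH} $opts3 somehost exit 5$p
	r=$?
	if [ "$r" -ne "5$p" ]; then
		fail "ssh failed with multiple certs in protocol $p"
	fi

	# Keys with trusted certificate specified in config options, should
	# succeed.
	# NOTE(review): this case currently builds exactly the same command
	# line as the "one trusted cert" case above; it does not yet exercise
	# CertificateFile read from a config file.
	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
	${SSH} $opts3 somehost exit 5$p
	r=$?
	if [ "$r" -ne "5$p" ]; then
		fail "ssh failed with trusted cert in config in protocol $p"
	fi
done

# Next, using an agent in combination with the keys.
# Make sure no agent is reachable before we start our own: ssh-add -l must
# fail with status 2 (cannot contact agent) when pointed at a bogus socket.
SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
if [ $? -ne 2 ]; then
	fatal "ssh-add -l did not fail with exit code 2"
fi

trace "start agent"
# -s prints sh-style exports for SSH_AUTH_SOCK/SSH_AGENT_PID; eval them here.
eval "$(${SSHAGENT} -s)" > /dev/null
r=$?
if [ "$r" -ne 0 ]; then
	fatal "could not start ssh-agent: exit code $r"
fi

# Add private keys to the agent.  From here on, abort via agent_fatal so the
# agent does not outlive the test.
${SSHADD} -k "$OBJ/user_key2" > /dev/null 2>&1
if [ $? -ne 0 ]; then
	agent_fatal "ssh-add did not succeed with exit code 0"
fi
${SSHADD} -k "$OBJ/user_key1" > /dev/null 2>&1
if [ $? -ne 0 ]; then
	agent_fatal "ssh-add did not succeed with exit code 0"
fi

# Try ssh with the agent and certificates.
# note: ssh agent only uses certificates in protocol 2
opts="-F $OBJ/ssh_proxy"
# With no certificates, should fail: the agent only holds plain keys.
${SSH} -2 $opts somehost exit 52
if [ $? -eq 52 ]; then
	fail "ssh connect with agent in protocol 2 succeeded with no cert"
fi

# With an untrusted certificate, should fail.
opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub"
${SSH} -2 $opts somehost exit 52
if [ $? -eq 52 ]; then
	fail "ssh connect with agent in protocol 2 succeeded with bad cert"
fi

# With an additional trusted certificate, should succeed.
opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub"
${SSH} -2 $opts somehost exit 52
if [ $? -ne 52 ]; then
	fail "ssh connect with agent in protocol 2 failed with good cert"
fi

trace "kill agent"
${SSHAGENT} -k > /dev/null

# Cleanup: remove all keys and certificates generated above.
rm -f "${OBJ:?}"/user_ca_key* "${OBJ:?}"/user_key*
rm -f "${OBJ:?}"/cert_user_key*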