multipubkey.sh revision 295367
162449Speter# $OpenBSD: multipubkey.sh,v 1.1 2014/12/22 08:06:03 djm Exp $ 250276Speter# Placed in the Public Domain. 350276Speter 450276Spetertid="multiple pubkey" 550276Speter 650276Speterrm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/user_key* 750276Speterrm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key* 850276Speter 950276Spetermv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig 1050276Spetermv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig 1150276Speter 1250276Speter# Create a CA key 1350276Speter${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key ||\ 1450276Speter fatal "ssh-keygen failed" 1550276Speter 1650276Speter# Make some keys and a certificate. 1750276Speter${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \ 1850276Speter fatal "ssh-keygen failed" 1962449Speter${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \ 2062449Speter fatal "ssh-keygen failed" 2150276Speter${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ 2250276Speter -z $$ -n ${USER},mekmitasdigoat $OBJ/user_key1 || 2350276Speter fail "couldn't sign user_key1" 2462449Speter# Copy the private key alongside the cert to allow better control of when 2562449Speter# it is offered. 2662449Spetermv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1.pub 2762449Spetercp -p $OBJ/user_key1 $OBJ/cert_user_key1 2862449Speter 2950276Spetergrep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy 3050276Speter 3150276Speteropts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes" 3250276Speteropts="$opts -i $OBJ/cert_user_key1 -i $OBJ/user_key1 -i $OBJ/user_key2" 3350276Speter 3450276Speterfor privsep in no yes; do 3550276Speter ( 3650276Speter grep -v "Protocol" $OBJ/sshd_proxy.orig 3750276Speter echo "Protocol 2" 3850276Speter echo "UsePrivilegeSeparation $privsep" 3950276Speter echo "AuthenticationMethods publickey,publickey" 4050276Speter echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" 4150276Speter echo "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" 4250276Speter ) > $OBJ/sshd_proxy 4350276Speter 4450276Speter # Single key should fail. 4550276Speter rm -f $OBJ/authorized_principals_$USER 4650276Speter cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER 4750276Speter ${SSH} $opts proxy true && fail "ssh succeeded with key" 4850276Speter 49 # Single key with same-public cert should fail. 50 echo mekmitasdigoat > $OBJ/authorized_principals_$USER 51 cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER 52 ${SSH} $opts proxy true && fail "ssh succeeded with key+cert" 53 54 # Multiple plain keys should succeed. 55 rm -f $OBJ/authorized_principals_$USER 56 cat $OBJ/user_key1.pub $OBJ/user_key2.pub > \ 57 $OBJ/authorized_keys_$USER 58 ${SSH} $opts proxy true || fail "ssh failed with multiple keys" 59 # Cert and different key should succeed 60 61 # Key and different-public cert should succeed. 62 echo mekmitasdigoat > $OBJ/authorized_principals_$USER 63 cat $OBJ/user_key2.pub > $OBJ/authorized_keys_$USER 64 ${SSH} $opts proxy true || fail "ssh failed with key/cert" 65done 66 67