principals-command.sh revision 294336
1# $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $ 2# Placed in the Public Domain. 3 4tid="authorized principals command" 5 6rm -f $OBJ/user_ca_key* $OBJ/cert_user_key* 7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 8 9if test -z "$SUDO" ; then 10 echo "skipped (SUDO not set)" 11 echo "need SUDO to create file in /var/run, test won't work without" 12 exit 0 13fi 14 15# Establish a AuthorizedPrincipalsCommand in /var/run where it will have 16# acceptable directory permissions. 17PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}" 18cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" 19#!/bin/sh 20test "x\$1" != "x${LOGNAME}" && exit 1 21test -f "$OBJ/authorized_principals_${LOGNAME}" && 22 exec cat "$OBJ/authorized_principals_${LOGNAME}" 23_EOF 24test $? -eq 0 || fatal "couldn't prepare principals command" 25$SUDO chmod 0755 "$PRINCIPALS_COMMAND" 26 27# Create a CA key and a user certificate. 28${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ 29 fatal "ssh-keygen of user_ca_key failed" 30${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \ 31 fatal "ssh-keygen of cert_user_key failed" 32${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ 33 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ 34 fatal "couldn't sign cert_user_key" 35 36# Test explicitly-specified principals 37for privsep in yes no ; do 38 _prefix="privsep $privsep" 39 40 # Setup for AuthorizedPrincipalsCommand 41 rm -f $OBJ/authorized_keys_$USER 42 ( 43 cat $OBJ/sshd_proxy_bak 44 echo "UsePrivilegeSeparation $privsep" 45 echo "AuthorizedKeysFile none" 46 echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u" 47 echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" 48 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" 49 ) > $OBJ/sshd_proxy 50 51 # XXX test missing command 52 # XXX test failing command 53 54 # Empty authorized_principals 55 verbose "$tid: ${_prefix} empty authorized_principals" 56 echo > $OBJ/authorized_principals_$USER 57 ${SSH} -2i $OBJ/cert_user_key \ 58 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 59 if [ $? -eq 0 ]; then 60 fail "ssh cert connect succeeded unexpectedly" 61 fi 62 63 # Wrong authorized_principals 64 verbose "$tid: ${_prefix} wrong authorized_principals" 65 echo gregorsamsa > $OBJ/authorized_principals_$USER 66 ${SSH} -2i $OBJ/cert_user_key \ 67 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 68 if [ $? -eq 0 ]; then 69 fail "ssh cert connect succeeded unexpectedly" 70 fi 71 72 # Correct authorized_principals 73 verbose "$tid: ${_prefix} correct authorized_principals" 74 echo mekmitasdigoat > $OBJ/authorized_principals_$USER 75 ${SSH} -2i $OBJ/cert_user_key \ 76 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 77 if [ $? -ne 0 ]; then 78 fail "ssh cert connect failed" 79 fi 80 81 # authorized_principals with bad key option 82 verbose "$tid: ${_prefix} authorized_principals bad key opt" 83 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER 84 ${SSH} -2i $OBJ/cert_user_key \ 85 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 86 if [ $? -eq 0 ]; then 87 fail "ssh cert connect succeeded unexpectedly" 88 fi 89 90 # authorized_principals with command=false 91 verbose "$tid: ${_prefix} authorized_principals command=false" 92 echo 'command="false" mekmitasdigoat' > \ 93 $OBJ/authorized_principals_$USER 94 ${SSH} -2i $OBJ/cert_user_key \ 95 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 96 if [ $? -eq 0 ]; then 97 fail "ssh cert connect succeeded unexpectedly" 98 fi 99 100 101 # authorized_principals with command=true 102 verbose "$tid: ${_prefix} authorized_principals command=true" 103 echo 'command="true" mekmitasdigoat' > \ 104 $OBJ/authorized_principals_$USER 105 ${SSH} -2i $OBJ/cert_user_key \ 106 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 107 if [ $? -ne 0 ]; then 108 fail "ssh cert connect failed" 109 fi 110 111 # Setup for principals= key option 112 rm -f $OBJ/authorized_principals_$USER 113 ( 114 cat $OBJ/sshd_proxy_bak 115 echo "UsePrivilegeSeparation $privsep" 116 ) > $OBJ/sshd_proxy 117 118 # Wrong principals list 119 verbose "$tid: ${_prefix} wrong principals key option" 120 ( 121 printf 'cert-authority,principals="gregorsamsa" ' 122 cat $OBJ/user_ca_key.pub 123 ) > $OBJ/authorized_keys_$USER 124 ${SSH} -2i $OBJ/cert_user_key \ 125 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 126 if [ $? -eq 0 ]; then 127 fail "ssh cert connect succeeded unexpectedly" 128 fi 129 130 # Correct principals list 131 verbose "$tid: ${_prefix} correct principals key option" 132 ( 133 printf 'cert-authority,principals="mekmitasdigoat" ' 134 cat $OBJ/user_ca_key.pub 135 ) > $OBJ/authorized_keys_$USER 136 ${SSH} -2i $OBJ/cert_user_key \ 137 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 138 if [ $? -ne 0 ]; then 139 fail "ssh cert connect failed" 140 fi 141done 142