principals-command.sh revision 323134 
1#	$OpenBSD: principals-command.sh,v 1.3 2016/09/26 21:34:38 bluhm Exp $
2#	Placed in the Public Domain.
3
4tid="authorized principals command"
5
6rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8
9if [ -z "$SUDO" -a ! -w /var/run ]; then
10	echo "skipped (SUDO not set)"
11	echo "need SUDO to create file in /var/run, test won't work without"
12	exit 0
13fi
14
15SERIAL=$$
16
17# Create a CA key and a user certificate.
18${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key || \
19	fatal "ssh-keygen of user_ca_key failed"
20${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/cert_user_key || \
21	fatal "ssh-keygen of cert_user_key failed"
22${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \
23    -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
24	fatal "couldn't sign cert_user_key"
25
26CERT_BODY=`cat $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
27CA_BODY=`cat $OBJ/user_ca_key.pub | awk '{ print $2 }'`
28CERT_FP=`${SSHKEYGEN} -lf $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
29CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'`
30
31# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
32# acceptable directory permissions.
33PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
34cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
35#!/bin/sh
36test "x\$1" != "x${LOGNAME}" && exit 1
37test "x\$2" != "xssh-rsa-cert-v01@openssh.com" && exit 1
38test "x\$3" != "xssh-ed25519" && exit 1
39test "x\$4" != "xJoanne User" && exit 1
40test "x\$5" != "x${SERIAL}" && exit 1
41test "x\$6" != "x${CA_FP}" && exit 1
42test "x\$7" != "x${CERT_FP}" && exit 1
43test "x\$8" != "x${CERT_BODY}" && exit 1
44test "x\$9" != "x${CA_BODY}" && exit 1
45test -f "$OBJ/authorized_principals_${LOGNAME}" &&
46	exec cat "$OBJ/authorized_principals_${LOGNAME}"
47_EOF
48test $? -eq 0 || fatal "couldn't prepare principals command"
49$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
50
51if ! $OBJ/check-perm -m keys-command $PRINCIPALS_COMMAND ; then
52	echo "skipping: $PRINCIPALS_COMMAND is unsuitable as " \
53	    "AuthorizedPrincipalsCommand"
54	$SUDO rm -f $PRINCIPALS_COMMAND
55	exit 0
56fi
57
58if [ -x $PRINCIPALS_COMMAND ]; then
59	# Test explicitly-specified principals
60	for privsep in yes no ; do
61		_prefix="privsep $privsep"
62
63		# Setup for AuthorizedPrincipalsCommand
64		rm -f $OBJ/authorized_keys_$USER
65		(
66			cat $OBJ/sshd_proxy_bak
67			echo "UsePrivilegeSeparation $privsep"
68			echo "AuthorizedKeysFile none"
69			echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
70			    "%u %t %T %i %s %F %f %k %K"
71			echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
72			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
73		) > $OBJ/sshd_proxy
74
75		# XXX test missing command
76		# XXX test failing command
77
78		# Empty authorized_principals
79		verbose "$tid: ${_prefix} empty authorized_principals"
80		echo > $OBJ/authorized_principals_$USER
81		${SSH} -2i $OBJ/cert_user_key \
82		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
83		if [ $? -eq 0 ]; then
84			fail "ssh cert connect succeeded unexpectedly"
85		fi
86
87		# Wrong authorized_principals
88		verbose "$tid: ${_prefix} wrong authorized_principals"
89		echo gregorsamsa > $OBJ/authorized_principals_$USER
90		${SSH} -2i $OBJ/cert_user_key \
91		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
92		if [ $? -eq 0 ]; then
93			fail "ssh cert connect succeeded unexpectedly"
94		fi
95
96		# Correct authorized_principals
97		verbose "$tid: ${_prefix} correct authorized_principals"
98		echo mekmitasdigoat > $OBJ/authorized_principals_$USER
99		${SSH} -2i $OBJ/cert_user_key \
100		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
101		if [ $? -ne 0 ]; then
102			fail "ssh cert connect failed"
103		fi
104
105		# authorized_principals with bad key option
106		verbose "$tid: ${_prefix} authorized_principals bad key opt"
107		echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
108		${SSH} -2i $OBJ/cert_user_key \
109		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
110		if [ $? -eq 0 ]; then
111			fail "ssh cert connect succeeded unexpectedly"
112		fi
113
114		# authorized_principals with command=false
115		verbose "$tid: ${_prefix} authorized_principals command=false"
116		echo 'command="false" mekmitasdigoat' > \
117		    $OBJ/authorized_principals_$USER
118		${SSH} -2i $OBJ/cert_user_key \
119		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
120		if [ $? -eq 0 ]; then
121			fail "ssh cert connect succeeded unexpectedly"
122		fi
123
124		# authorized_principals with command=true
125		verbose "$tid: ${_prefix} authorized_principals command=true"
126		echo 'command="true" mekmitasdigoat' > \
127		    $OBJ/authorized_principals_$USER
128		${SSH} -2i $OBJ/cert_user_key \
129		    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
130		if [ $? -ne 0 ]; then
131			fail "ssh cert connect failed"
132		fi
133
134		# Setup for principals= key option
135		rm -f $OBJ/authorized_principals_$USER
136		(
137			cat $OBJ/sshd_proxy_bak
138			echo "UsePrivilegeSeparation $privsep"
139		) > $OBJ/sshd_proxy
140
141		# Wrong principals list
142		verbose "$tid: ${_prefix} wrong principals key option"
143		(
144			printf 'cert-authority,principals="gregorsamsa" '
145			cat $OBJ/user_ca_key.pub
146		) > $OBJ/authorized_keys_$USER
147		${SSH} -2i $OBJ/cert_user_key \
148		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
149		if [ $? -eq 0 ]; then
150			fail "ssh cert connect succeeded unexpectedly"
151		fi
152
153		# Correct principals list
154		verbose "$tid: ${_prefix} correct principals key option"
155		(
156			printf 'cert-authority,principals="mekmitasdigoat" '
157			cat $OBJ/user_ca_key.pub
158		) > $OBJ/authorized_keys_$USER
159		${SSH} -2i $OBJ/cert_user_key \
160		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
161		if [ $? -ne 0 ]; then
162			fail "ssh cert connect failed"
163		fi
164	done
165else
166	echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
167	    "(/var/run mounted noexec?)"
168fi
169