1285031Sdes#	$OpenBSD: multipubkey.sh,v 1.1 2014/12/22 08:06:03 djm Exp $
2285031Sdes#	Placed in the Public Domain.
3285031Sdes
4285031Sdestid="multiple pubkey"
5285031Sdes
6285031Sdesrm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/user_key*
7285031Sdesrm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key*
8285031Sdes
9285031Sdesmv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
10285031Sdesmv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
11285031Sdes
12285031Sdes# Create a CA key
13285031Sdes${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key ||\
14285031Sdes	fatal "ssh-keygen failed"
15285031Sdes
16285031Sdes# Make some keys and a certificate.
17285031Sdes${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \
18285031Sdes	fatal "ssh-keygen failed"
19285031Sdes${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \
20285031Sdes	fatal "ssh-keygen failed"
21285031Sdes${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
22285031Sdes	-z $$ -n ${USER},mekmitasdigoat $OBJ/user_key1 ||
23285031Sdes		fail "couldn't sign user_key1"
24285031Sdes# Copy the private key alongside the cert to allow better control of when
25285031Sdes# it is offered.
26285031Sdesmv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1.pub
27285031Sdescp -p $OBJ/user_key1 $OBJ/cert_user_key1
28285031Sdes
29285031Sdesgrep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy
30285031Sdes
31285031Sdesopts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
32285031Sdesopts="$opts -i $OBJ/cert_user_key1 -i $OBJ/user_key1 -i $OBJ/user_key2"
33285031Sdes
34285031Sdesfor privsep in no yes; do
35285031Sdes	(
36285031Sdes		grep -v "Protocol"  $OBJ/sshd_proxy.orig
37285031Sdes		echo "Protocol 2"
38285031Sdes		echo "UsePrivilegeSeparation $privsep"
39285031Sdes		echo "AuthenticationMethods publickey,publickey"
40285031Sdes		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
41285031Sdes		echo "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
42285031Sdes 	) > $OBJ/sshd_proxy
43285031Sdes
44285031Sdes	# Single key should fail.
45285031Sdes	rm -f $OBJ/authorized_principals_$USER
46285031Sdes	cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER
47285031Sdes	${SSH} $opts proxy true && fail "ssh succeeded with key"
48285031Sdes
49285031Sdes	# Single key with same-public cert should fail.
50285031Sdes	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
51285031Sdes	cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER
52285031Sdes	${SSH} $opts proxy true && fail "ssh succeeded with key+cert"
53285031Sdes
54285031Sdes	# Multiple plain keys should succeed.
55285031Sdes	rm -f $OBJ/authorized_principals_$USER
56285031Sdes	cat $OBJ/user_key1.pub $OBJ/user_key2.pub > \
57285031Sdes	    $OBJ/authorized_keys_$USER
58285031Sdes	${SSH} $opts proxy true || fail "ssh failed with multiple keys"
59285031Sdes	# Cert and different key should succeed
60285031Sdes
61285031Sdes	# Key and different-public cert should succeed.
62285031Sdes	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
63285031Sdes	cat $OBJ/user_key2.pub > $OBJ/authorized_keys_$USER
64285031Sdes	${SSH} $opts proxy true || fail "ssh failed with key/cert"
65285031Sdesdone
66285031Sdes
67