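#	$OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $
#	Placed in the Public Domain.
#
# Regression test for sshd's AuthorizedPrincipalsCommand.
#
# A small helper script is installed (via $SUDO) under /var/run, sshd is
# pointed at it with AuthorizedPrincipalsCommand, and certificate logins are
# attempted with the helper emitting different authorized_principals content.
# The same certificate is then checked against the principals="" key option
# in authorized_keys. Every case runs with UsePrivilegeSeparation yes and no.
#
# Reads from the surrounding harness: OBJ, SUDO, SSH, SSHKEYGEN, USER,
# LOGNAME, and the helpers fatal, fail and verbose.
# $SUDO, ${SSH} and ${SSHKEYGEN} are left unquoted as in the original, since
# they may carry more than one word -- confirm against the harness.

tid="authorized principals command"

rm -f "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

if test -z "$SUDO" ; then
	echo "skipped (SUDO not set)"
	echo "need SUDO to create file in /var/run, test won't work without"
	exit 0
fi

# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
# acceptable directory permissions.
PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
# The destination path is handed to the privileged shell as a positional
# parameter rather than spliced into its command string, so a quote character
# in LOGNAME cannot change what the root shell executes.
# The here-document delimiter is unquoted on purpose: ${LOGNAME} and $OBJ are
# expanded now and baked into the helper, while \$1 stays a runtime argument.
# NOTE(review): the baked-in values sit inside double quotes in the generated
# script; a value containing quotes, '$' or backticks would be re-interpreted
# when sshd runs the helper. The harness is assumed to supply plain paths.
cat << _EOF | $SUDO sh -c 'cat > "$1"' sh "$PRINCIPALS_CMD"
#!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
	exec cat "$OBJ/authorized_principals_${LOGNAME}"
_EOF
# $? here is the status of the last pipeline stage, i.e. the privileged write.
test $? -eq 0 || fatal "couldn't prepare principals command"
$SUDO chmod 0755 "$PRINCIPALS_CMD"

# Skip when check-perm reports the helper's path as unsuitable for use as a
# command; the helper is removed again before skipping.
if ! "$OBJ/check-perm" -m keys-command "$PRINCIPALS_CMD" ; then
	echo "skipping: $PRINCIPALS_CMD is unsuitable as " \
	    "AuthorizedPrincipalsCommand"
	$SUDO rm -f "$PRINCIPALS_CMD"
	exit 0
fi

# Create a CA key and a user certificate.
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_ca_key" || \
	fatal "ssh-keygen of user_ca_key failed"
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/cert_user_key" || \
	fatal "ssh-keygen of cert_user_key failed"
# The certificate carries two principals: $USER and mekmitasdigoat.
${SSHKEYGEN} -q -s "$OBJ/user_ca_key" -I "regress user key for $USER" \
    -z $$ -n "${USER},mekmitasdigoat" "$OBJ/cert_user_key" || \
	fatal "couldn't sign cert_user_key"

# NOTE(review): on this path the helper stays in /var/run after the test;
# only the check-perm skip path above removes it.
if [ -x "$PRINCIPALS_CMD" ]; then
	# Test explicitly-specified principals
	for privsep in yes no ; do
		_prefix="privsep $privsep"

		# Setup for AuthorizedPrincipalsCommand
		# AuthorizedKeysFile is set to none so that only the
		# principals command can authorise the certificate.
		rm -f "$OBJ/authorized_keys_$USER"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "UsePrivilegeSeparation $privsep"
			echo "AuthorizedKeysFile none"
			echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
			echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
		) > "$OBJ/sshd_proxy"

		# XXX test missing command
		# XXX test failing command

		# Empty authorized_principals
		verbose "$tid: ${_prefix} empty authorized_principals"
		echo > "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Wrong authorized_principals
		verbose "$tid: ${_prefix} wrong authorized_principals"
		echo gregorsamsa > "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct authorized_principals
		verbose "$tid: ${_prefix} correct authorized_principals"
		echo mekmitasdigoat > "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi

		# authorized_principals with bad key option
		# An unrecognised option in front of a matching principal
		# must not be accepted.
		verbose "$tid: ${_prefix} authorized_principals bad key opt"
		echo 'blah mekmitasdigoat' > "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=false
		# The client asks for "true"; the session is expected to fail
		# because the forced command is "false".
		verbose "$tid: ${_prefix} authorized_principals command=false"
		echo 'command="false" mekmitasdigoat' > \
		    "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=true
		# The client asks for "false"; the session is expected to
		# succeed because the forced command is "true".
		verbose "$tid: ${_prefix} authorized_principals command=true"
		echo 'command="true" mekmitasdigoat' > \
		    "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost false >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi

		# Setup for principals= key option
		# The sshd config goes back to the saved proxy config plus the
		# privsep setting; authorisation now comes from authorized_keys.
		rm -f "$OBJ/authorized_principals_$USER"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "UsePrivilegeSeparation $privsep"
		) > "$OBJ/sshd_proxy"

		# Wrong principals list
		verbose "$tid: ${_prefix} wrong principals key option"
		(
			printf 'cert-authority,principals="gregorsamsa" '
			cat "$OBJ/user_ca_key.pub"
		) > "$OBJ/authorized_keys_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct principals list
		verbose "$tid: ${_prefix} correct principals key option"
		(
			printf 'cert-authority,principals="mekmitasdigoat" '
			cat "$OBJ/user_ca_key.pub"
		) > "$OBJ/authorized_keys_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi
	done
else
	# The message names the variable that is actually set in this script
	# (PRINCIPALS_CMD), so the skipped path is printed instead of an empty
	# string.
	echo "SKIPPED: $PRINCIPALS_CMD not executable " \
	    "(/var/run mounted noexec?)"
fi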