agent.sh revision 1.17
1#	$OpenBSD: agent.sh,v 1.17 2019/12/21 02:33:07 djm Exp $
2#	Placed in the Public Domain.
3
tid="simple agent test"

# Baseline: with SSH_AUTH_SOCK aimed at a path that does not exist, ssh-add
# has no agent to talk to. The harness requires exit status 2 here, which
# keeps "agent unreachable" distinct from the status 1 expected further down
# for "agent reachable but holding no keys".
SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
case $? in
2)	;;
*)	fail "ssh-add -l did not fail with exit code 2" ;;
esac
10
# Primary agent. `ssh-agent -s` prints shell assignments, and eval applies
# them to this shell. The evaluated text comes from the binary under test,
# not from external input.
trace "start agent, args ${EXTRA_AGENT_ARGS} -s"
eval $(${SSHAGENT} ${EXTRA_AGENT_ARGS} -s) > /dev/null
r=$?
# NOTE(review): r is the status of eval, not directly that of ssh-agent;
# confirm that a failed agent start actually surfaces here.
[ "$r" -eq 0 ] || fatal "could not start ssh-agent: exit code $r"

# Second, independent agent. sed renames every SSH_* variable to FW_SSH_*
# (FW_SSH_AUTH_SOCK and FW_SSH_AGENT_PID are used later in this script),
# so both agents can be addressed separately from the same shell.
eval $(${SSHAGENT} ${EXTRA_AGENT_ARGS} -s | sed 's/SSH_/FW_SSH_/g') > /dev/null
r=$?
[ "$r" -eq 0 ] || fatal "could not start second ssh-agent: exit code $r"

# The new agent is reachable but empty, so listing must return exactly 1.
${SSHADD} -l > /dev/null 2>&1
case $? in
1)	;;
*)	fail "ssh-add -l did not fail with exit code 1" ;;
esac
28
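# Throw-away CA key, used below to sign one user certificate per key type.
# -N '' leaves it without a passphrase; it only ever lives under $OBJ.
rm -f $OBJ/user_ca_key $OBJ/user_ca_key.pub
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \
	|| fatal "ssh-keygen failed"

trace "overwrite authorized keys"
printf '' > $OBJ/authorized_keys_$USER

for t in ${SSH_KEYTYPES}; do
	# generate user key for agent
	rm -f $OBJ/$t-agent $OBJ/$t-agent.pub*
	${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
		 fatal "ssh-keygen for $t-agent failed"
	# Make a certificate for each too.
	# The certificate is limited to the principal "estragon".
	${SSHKEYGEN} -qs $OBJ/user_ca_key -I "$t cert" \
		-n estragon $OBJ/$t-agent.pub || fatal "ca sign failed"

	# add to authorized keys
	cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
	# add private key to agent
	${SSHADD} $OBJ/$t-agent #> /dev/null 2>&1
	# Save the status first: inside the `if` body, $? would already hold
	# the result of the `[` test and the message would report the wrong code.
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add failed exit code $r"
	fi
	# add private key to second agent
	SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} $OBJ/$t-agent #> /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add failed exit code $r"
	fi
	# Remove private key to ensure that we aren't accidentally using it.
	# From here on only the two agents hold the private half; the .pub and
	# certificate files left on disk can select a key but cannot sign.
	rm -f $OBJ/$t-agent
done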
60
# Drop every IdentityFile directive from the client config, so no key file
# named there can be offered for the connections below.
mv ${OBJ}/ssh_proxy ${OBJ}/ssh_proxy_bak
grep -vi identityfile ${OBJ}/ssh_proxy_bak > ${OBJ}/ssh_proxy

# The agent now holds keys, so both the fingerprint listing (-l) and the
# full public key listing (-L) must succeed.
${SSHADD} -l > /dev/null 2>&1
r=$?
[ "$r" -eq 0 ] || fail "ssh-add -l failed: exit code $r"
${SSHADD} -L > /dev/null 2>&1
r=$?
[ "$r" -eq 0 ] || fail "ssh-add -L failed: exit code $r"

trace "simple connect via agent"
# "exit 52" runs remotely; seeing 52 locally shows the session was really
# established and the remote command executed.
${SSH} -F ${OBJ}/ssh_proxy somehost exit 52
r=$?
[ "$r" -eq 52 ] || fail "ssh connect with failed (exit code $r)"
83
# Connect once per key type. -i is given the .pub file only (the private
# files were deleted after being loaded into the agent) and
# IdentitiesOnly=yes restricts the offer to that one identity.
for t in ${SSH_KEYTYPES}; do
	trace "connect via agent using $t key"
	case "$t" in
	ssh-dss)
		# ssh-dss has to be enabled explicitly on client and server.
		# Both lines are appended and stay in the proxy configs for the
		# remainder of the test.
		echo "PubkeyAcceptedKeyTypes +ssh-dss" >> ${OBJ}/ssh_proxy
		echo "PubkeyAcceptedKeyTypes +ssh-dss" >> ${OBJ}/sshd_proxy
		;;
	esac
	${SSH} -F ${OBJ}/ssh_proxy -i ${OBJ}/${t}-agent.pub \
		-oIdentitiesOnly=yes somehost exit 52
	r=$?
	[ "$r" -eq 52 ] || fail "ssh connect with failed (exit code $r)"
done
97
trace "agent forwarding"
# -A forwards the default agent: ssh-add on the far side must see its keys.
${SSH} -A -F ${OBJ}/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
r=$?
[ "$r" -eq 0 ] || fail "ssh-add -l via agent fwd failed (exit code $r)"
# Same agent, this time named by socket path through ForwardAgent.
${SSH} "-oForwardAgent=${SSH_AUTH_SOCK}" -F ${OBJ}/ssh_proxy somehost \
	${SSHADD} -l > /dev/null 2>&1
r=$?
[ "$r" -eq 0 ] || fail "ssh-add -l via agent path fwd failed (exit code $r)"
# Two hops: the forwarded agent has to authenticate the inner ssh as well.
${SSH} -A -F ${OBJ}/ssh_proxy somehost \
	"${SSH} -F $OBJ/ssh_proxy somehost exit 52"
r=$?
[ "$r" -eq 52 ] || fail "agent fwd failed (exit code $r)"

trace "agent forwarding different agent"
# Forward the SECOND agent by path; double quotes let this shell expand it.
${SSH} "-oForwardAgent=${FW_SSH_AUTH_SOCK}" -F ${OBJ}/ssh_proxy somehost \
	${SSHADD} -l > /dev/null 2>&1
r=$?
[ "$r" -eq 0 ] ||
	fail "ssh-add -l via agent path fwd of different agent failed (exit code $r)"
# The single quotes are deliberate: ssh is handed the literal text
# $FW_SSH_AUTH_SOCK and has to look the variable up itself (the "env fwd"
# case named in the message). Do not change them to double quotes.
${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F ${OBJ}/ssh_proxy somehost \
	${SSHADD} -l > /dev/null 2>&1
r=$?
[ "$r" -eq 0 ] ||
	fail "ssh-add -l via agent path env fwd of different agent failed (exit code $r)"

# Remove keys from forwarded agent, ssh-add on remote machine should now fail.
# Only the second agent is emptied. A remote exit status of 1 then shows the
# session is bound to that agent and not to the default one, which still
# holds every key.
SSH_AUTH_SOCK=${FW_SSH_AUTH_SOCK} ${SSHADD} -D > /dev/null 2>&1
r=$?
[ "$r" -eq 0 ] || fail "ssh-add -D failed: exit code $r"
${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F ${OBJ}/ssh_proxy somehost \
	${SSHADD} -l > /dev/null 2>&1
r=$?
[ "$r" -eq 1 ] ||
	fail "ssh-add -l with different agent did not fail with exit code 1 (exit code $r)"
139
# Replace (not append to) authorized_keys with a single cert-authority line
# for the test CA. The plain public keys listed before are gone, so a login
# can only succeed with a certificate signed by that CA and carrying the
# principal "estragon".
{ printf 'cert-authority,principals="estragon" '; cat ${OBJ}/user_ca_key.pub; } \
	> ${OBJ}/authorized_keys_${USER}
for t in ${SSH_KEYTYPES}; do
	# ssh-dss is left out of the certificate pass.
	# NOTE(review): the reason is not stated in this file.
	[ "$t" = "ssh-dss" ] && continue
	trace "connect via agent using $t key"
	# The agent signs with the private key; the certificate is read from disk.
	${SSH} -F ${OBJ}/ssh_proxy -i ${OBJ}/${t}-agent.pub \
		-oCertificateFile=${OBJ}/${t}-agent-cert.pub \
		-oIdentitiesOnly=yes somehost exit 52
	r=$?
	[ "$r" -eq 52 ] || fail "ssh connect with failed (exit code $r)"
done
154
trace "delete all agent keys"
# Empty the primary agent; the second one was already emptied earlier.
${SSHADD} -D > /dev/null 2>&1
r=$?
[ "$r" -eq 0 ] || fail "ssh-add -D failed: exit code $r"

trace "kill agent"
# Stop both agents so no process holding test keys outlives the run.
# `ssh-agent -k` takes the PID from SSH_AGENT_PID, so the second call
# substitutes the renamed FW_ value for that one command only.
${SSHAGENT} -k > /dev/null
SSH_AGENT_PID=${FW_SSH_AGENT_PID} ${SSHAGENT} -k > /dev/null
165