cert-userkey.sh revision 1.2
1# $OpenBSD: cert-userkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $ 2# Placed in the Public Domain. 3 4tid="certified user keys" 5 6rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* 7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 8 9# Create a CA key and add it to authorized_keys 10${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ 11 fail "ssh-keygen of user_ca_key failed" 12( 13 echo -n 'cert-authority ' 14 cat $OBJ/user_ca_key.pub 15) > $OBJ/authorized_keys_$USER 16 17# Generate and sign user keys 18for ktype in rsa dsa ; do 19 verbose "$tid: sign user ${ktype} cert" 20 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 21 -f $OBJ/cert_user_key_${ktype} || \ 22 fail "ssh-keygen of cert_user_key_${ktype} failed" 23 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \ 24 "regress user key for $USER" \ 25 -n $USER $OBJ/cert_user_key_${ktype} || 26 fail "couldn't sign cert_user_key_${ktype}" 27done 28 29# Basic connect tests 30for privsep in yes no ; do 31 for ktype in rsa dsa ; do 32 verbose "$tid: user ${ktype} cert connect privsep $privsep" 33 ( 34 cat $OBJ/sshd_proxy_bak 35 echo "UsePrivilegeSeparation $privsep" 36 ) > $OBJ/sshd_proxy 37 38 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ 39 somehost true 40 if [ $? -ne 0 ]; then 41 fail "ssh cert connect failed" 42 fi 43 done 44done 45 46verbose "$tid: ensure CA key does not authenticate user" 47${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 48if [ $? -eq 0 ]; then 49 fail "ssh cert connect with CA key succeeded unexpectedly" 50fi 51 52test_one() { 53 ident=$1 54 result=$2 55 sign_opts=$3 56 57 verbose "$tid: test user cert connect $ident expect $result" 58 59 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ 60 $sign_opts \ 61 $OBJ/cert_user_key_rsa || 62 fail "couldn't sign cert_user_key_rsa" 63 64 ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \ 65 somehost true >/dev/null 2>&1 66 rc=$? 67 if [ "x$result" = "xsuccess" ] ; then 68 if [ $rc -ne 0 ]; then 69 fail "ssh cert connect $ident failed unexpectedly" 70 fi 71 else 72 if [ $rc -eq 0 ]; then 73 fail "ssh cert connect $ident succeeded unexpectedly" 74 fi 75 fi 76 cleanup 77} 78 79test_one "host-certificate" failure "-h" 80test_one "empty principals" success "" 81test_one "wrong principals" failure "-n foo" 82test_one "cert not yet valid" failure "-V20200101:20300101" 83test_one "cert expired" failure "-V19800101:19900101" 84test_one "cert valid interval" success "-V-1w:+2w" 85test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8" 86test_one "force-command" failure "-Oforce-command=false" 87 88# Wrong certificate 89for ktype in rsa dsa ; do 90 # Self-sign 91 ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ 92 "regress user key for $USER" \ 93 -n $USER $OBJ/cert_user_key_${ktype} || 94 fail "couldn't sign cert_user_key_${ktype}" 95 verbose "$tid: user ${ktype} connect wrong cert" 96 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ 97 somehost true >/dev/null 2>&1 98 if [ $? -eq 0 ]; then 99 fail "ssh cert connect $ident succeeded unexpectedly" 100 fi 101done 102 103rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* 104