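#	$OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
#	Placed in the Public Domain.

# Regression test for certified user keys.
#
# Exercises sshd's handling of user certificates signed by a CA that is
# trusted either through a "cert-authority" line in authorized_keys or
# through the TrustedUserCAKeys sshd_config option: plain connects, key and
# CA revocation (RevokedKeys), principal / validity / option constraints on
# the certificate, rejection of the bare CA key as a user key, and rejection
# of self-signed certificates.
#
# Relies on the regress harness (test-exec.sh) for $OBJ, $SSHKEYGEN, $SSH,
# verbose() and fail(). $OBJ/sshd_proxy is rewritten for every check and is
# always rebuilt from the pristine copy $OBJ/sshd_proxy_bak, so no check
# inherits configuration from the one before it.

tid="certified user keys"

# Refuse to run outside the harness: with $OBJ unset the rm below would
# expand to paths under "/".
: "${OBJ:?OBJ must point at the regress object directory}"

rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

# Create a CA key
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
	fail "ssh-keygen of user_ca_key failed"

# Generate and sign user keys: one cert in the default format per key type,
# plus a copy certified in the legacy v00 format (-t v00).
for ktype in rsa dsa ; do
	verbose "$tid: sign user ${ktype} cert"
	${SSHKEYGEN} -q -N '' -t ${ktype} \
	    -f $OBJ/cert_user_key_${ktype} || \
		fail "ssh-keygen of cert_user_key_${ktype} failed"
	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
	    "regress user key for $USER" \
	    -n $USER $OBJ/cert_user_key_${ktype} ||
		fail "couldn't sign cert_user_key_${ktype}"
	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
	${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
	    "regress user key for $USER" \
	    -n $USER $OBJ/cert_user_key_${ktype}_v00 ||
		fail "couldn't sign cert_user_key_${ktype}_v00"
done

# trust_ca METHOD
# Make sshd trust $OBJ/user_ca_key via METHOD, which is one of:
#   authorized_keys   - a "cert-authority" line in authorized_keys_$USER
#   TrustedUserCAKeys - an empty authorized_keys plus the sshd_config option
# Sets $extra_sshd to the sshd_config line callers must append when they
# rebuild $OBJ/sshd_proxy. It is explicitly cleared for authorized_keys so
# that TrustedUserCAKeys trust from an earlier run can never leak into an
# authorized_keys run and mask a cert-authority failure.
trust_ca() {
	if test "x$1" = "xauthorized_keys" ; then
		(
			echo -n 'cert-authority '
			cat $OBJ/user_ca_key.pub
		) > $OBJ/authorized_keys_$USER
		extra_sshd=""
	else
		echo > $OBJ/authorized_keys_$USER
		extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
	fi
}

# write_sshd_config LINE...
# Rebuild $OBJ/sshd_proxy from the pristine copy plus the given extra
# sshd_config lines (an empty LINE just yields a blank line).
write_sshd_config() {
	(
		cat $OBJ/sshd_proxy_bak
		for _line in "$@" ; do
			echo "$_line"
		done
	) > $OBJ/sshd_proxy
}

# basic_tests METHOD
# With the CA trusted via METHOD (see trust_ca), check for every key type
# and both privsep settings that a certified key connects, that listing the
# key in RevokedKeys rejects it, that listing the CA in RevokedKeys rejects
# everything it signed, and that the CA key itself cannot authenticate.
basic_tests() {
	auth=$1
	trust_ca $auth

	for ktype in rsa dsa rsa_v00 dsa_v00 ; do
		for privsep in yes no ; do
			_prefix="${ktype} privsep $privsep $auth"
			# Simple connect
			verbose "$tid: ${_prefix} connect"
			write_sshd_config "UsePrivilegeSeparation $privsep" \
			    "$extra_sshd"
			if ! ${SSH} -2i $OBJ/cert_user_key_${ktype} \
			    -F $OBJ/ssh_proxy somehost true ; then
				fail "ssh cert connect failed"
			fi

			# Revoked keys: the certified key itself is listed,
			# so the certificate must be rejected.
			verbose "$tid: ${_prefix} revoked key"
			write_sshd_config "UsePrivilegeSeparation $privsep" \
			    "RevokedKeys $OBJ/cert_user_key_${ktype}.pub" \
			    "$extra_sshd"
			if ${SSH} -2i $OBJ/cert_user_key_${ktype} \
			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 ; then
				fail "ssh cert connect succeeded unexpectedly"
			fi
		done

		# Revoked CA: revoking the signing key must invalidate every
		# certificate it issued.
		verbose "$tid: ${ktype} $auth revoked CA key"
		write_sshd_config "RevokedKeys $OBJ/user_ca_key.pub" "$extra_sshd"
		if ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
		    somehost true >/dev/null 2>&1 ; then
			fail "ssh cert connect succeeded unexpectedly"
		fi
	done

	# The CA key is only a signer: trusting it must not let it log in as
	# an ordinary user key.
	verbose "$tid: $auth CA does not authenticate"
	write_sshd_config "$extra_sshd"
	verbose "$tid: ensure CA key does not authenticate user"
	if ${SSH} -2i $OBJ/user_ca_key \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 ; then
		fail "ssh cert connect with CA key succeeded unexpectedly"
	fi
}

basic_tests authorized_keys
basic_tests TrustedUserCAKeys

# test_one IDENT RESULT SIGN_OPTS [METHODS]
# Re-sign the rsa and rsa_v00 user keys with SIGN_OPTS passed to ssh-keygen
# and check that a connect attempt gives RESULT ("success" or "failure")
# with the CA trusted via each METHOD in METHODS (default: both methods).
# NOTE: no -t v00 is passed here, so the rsa_v00 key is re-certified in the
# default format by this function; the v00 format itself is covered by
# basic_tests and the self-signing loop below.
test_one() {
	ident=$1
	result=$2
	sign_opts=$3
	auth_choice=$4

	if test "x$auth_choice" = "x" ; then
		auth_choice="authorized_keys TrustedUserCAKeys"
	fi

	for auth in $auth_choice ; do
		for ktype in rsa rsa_v00 ; do
			trust_ca $auth
			write_sshd_config "$extra_sshd"

			verbose "$tid: $ident auth $auth expect $result $ktype"
			# $sign_opts is deliberately unquoted: it is a list of
			# ssh-keygen arguments and may be empty.
			${SSHKEYGEN} -q -s $OBJ/user_ca_key \
			    -I "regress user key for $USER" \
			    $sign_opts \
			    $OBJ/cert_user_key_${ktype} ||
				fail "couldn't sign cert_user_key_${ktype}"

			${SSH} -2i $OBJ/cert_user_key_${ktype} \
			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
			rc=$?
			case "$result" in
			success)
				if [ $rc -ne 0 ]; then
					fail "$ident failed unexpectedly"
				fi
				;;
			*)
				if [ $rc -eq 0 ]; then
					fail "$ident succeeded unexpectedly"
				fi
				;;
			esac
		done
	done
}

test_one "correct principal"	success "-n ${USER}"
test_one "host-certificate"	failure "-n ${USER} -h"
test_one "wrong principals"	failure "-n foo"
test_one "cert not yet valid"	failure "-n ${USER} -V20200101:20300101"
test_one "cert expired"		failure "-n ${USER} -V19800101:19900101"
test_one "cert valid interval"	success "-n ${USER} -V-1w:+2w"
test_one "wrong source-address"	failure "-n ${USER} -Osource-address=10.0.0.0/8"
test_one "force-command"	failure "-n ${USER} -Oforce-command=false"

# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
test_one "empty principals"	success "" authorized_keys
test_one "empty principals"	failure "" TrustedUserCAKeys

# Self-signed certificates: certify each user key with itself. The user key
# is not a trusted CA under either method, so sshd must reject the result
# under both. Each iteration sets up its own trust configuration rather
# than relying on whatever sshd_proxy the last test_one call left behind.
for ktype in rsa dsa rsa_v00 dsa_v00 ; do
	case $ktype in
	*_v00) args="-t v00" ;;
	*) args="" ;;
	esac
	${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
	    "regress user key for $USER" \
	    -n $USER $OBJ/cert_user_key_${ktype} ||
		fail "couldn't sign cert_user_key_${ktype}"
	for auth in authorized_keys TrustedUserCAKeys ; do
		trust_ca $auth
		write_sshd_config "$extra_sshd"
		verbose "$tid: user ${ktype} $auth connect wrong cert"
		if ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
		    somehost true >/dev/null 2>&1 ; then
			fail "ssh cert connect ${ktype} $auth self-signed cert succeeded unexpectedly"
		fi
	done
done

rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*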