cert-userkey.sh revision 1.6
1# $OpenBSD: cert-userkey.sh,v 1.6 2010/06/29 23:59:54 djm Exp $ 2# Placed in the Public Domain. 3 4tid="certified user keys" 5 6rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* 7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 8 9# Create a CA key 10${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ 11 fail "ssh-keygen of user_ca_key failed" 12 13# Generate and sign user keys 14for ktype in rsa dsa ; do 15 verbose "$tid: sign user ${ktype} cert" 16 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 17 -f $OBJ/cert_user_key_${ktype} || \ 18 fail "ssh-keygen of cert_user_key_${ktype} failed" 19 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \ 20 "regress user key for $USER" \ 21 -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || 22 fail "couldn't sign cert_user_key_${ktype}" 23 cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 24 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub 25 ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ 26 "regress user key for $USER" \ 27 -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || 28 fail "couldn't sign cert_user_key_${ktype}_v00" 29done 30 31# Test explicitly-specified principals 32for ktype in rsa dsa rsa_v00 dsa_v00 ; do 33 for privsep in yes no ; do 34 _prefix="${ktype} privsep $privsep" 35 36 # Setup for AuthorizedPrincipalsFile 37 rm -f $OBJ/authorized_keys_$USER 38 ( 39 cat $OBJ/sshd_proxy_bak 40 echo "UsePrivilegeSeparation $privsep" 41 echo "AuthorizedPrincipalsFile " \ 42 "$OBJ/authorized_principals_%u" 43 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" 44 ) > $OBJ/sshd_proxy 45 46 # Missing authorized_principals 47 verbose "$tid: ${_prefix} missing authorized_principals" 48 rm -f $OBJ/authorized_principals_$USER 49 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 50 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 51 if [ $? -eq 0 ]; then 52 fail "ssh cert connect succeeded unexpectedly" 53 fi 54 55 # Empty authorized_principals 56 verbose "$tid: ${_prefix} empty authorized_principals" 57 echo > $OBJ/authorized_principals_$USER 58 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 59 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 60 if [ $? -eq 0 ]; then 61 fail "ssh cert connect succeeded unexpectedly" 62 fi 63 64 # Wrong authorized_principals 65 verbose "$tid: ${_prefix} wrong authorized_principals" 66 echo gregorsamsa > $OBJ/authorized_principals_$USER 67 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 68 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 69 if [ $? -eq 0 ]; then 70 fail "ssh cert connect succeeded unexpectedly" 71 fi 72 73 # Correct authorized_principals 74 verbose "$tid: ${_prefix} correct authorized_principals" 75 echo mekmitasdigoat > $OBJ/authorized_principals_$USER 76 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 77 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 78 if [ $? -ne 0 ]; then 79 fail "ssh cert connect failed" 80 fi 81 82 # authorized_principals with bad key option 83 verbose "$tid: ${_prefix} authorized_principals bad key opt" 84 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER 85 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 86 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 87 if [ $? -eq 0 ]; then 88 fail "ssh cert connect succeeded unexpectedly" 89 fi 90 91 # authorized_principals with command=false 92 verbose "$tid: ${_prefix} authorized_principals command=false" 93 echo 'command="false" mekmitasdigoat' > \ 94 $OBJ/authorized_principals_$USER 95 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 96 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 97 if [ $? -eq 0 ]; then 98 fail "ssh cert connect succeeded unexpectedly" 99 fi 100 101 102 # authorized_principals with command=true 103 verbose "$tid: ${_prefix} authorized_principals command=true" 104 echo 'command="true" mekmitasdigoat' > \ 105 $OBJ/authorized_principals_$USER 106 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 107 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 108 if [ $? -ne 0 ]; then 109 fail "ssh cert connect failed" 110 fi 111 112 # Setup for principals= key option 113 rm -f $OBJ/authorized_principals_$USER 114 ( 115 cat $OBJ/sshd_proxy_bak 116 echo "UsePrivilegeSeparation $privsep" 117 ) > $OBJ/sshd_proxy 118 119 # Wrong principals list 120 verbose "$tid: ${_prefix} wrong principals key option" 121 ( 122 echo -n 'cert-authority,principals="gregorsamsa" ' 123 cat $OBJ/user_ca_key.pub 124 ) > $OBJ/authorized_keys_$USER 125 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 126 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 127 if [ $? -eq 0 ]; then 128 fail "ssh cert connect succeeded unexpectedly" 129 fi 130 131 # Correct principals list 132 verbose "$tid: ${_prefix} correct principals key option" 133 ( 134 echo -n 'cert-authority,principals="mekmitasdigoat" ' 135 cat $OBJ/user_ca_key.pub 136 ) > $OBJ/authorized_keys_$USER 137 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 138 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 139 if [ $? -ne 0 ]; then 140 fail "ssh cert connect failed" 141 fi 142 done 143done 144 145basic_tests() { 146 auth=$1 147 if test "x$auth" = "xauthorized_keys" ; then 148 # Add CA to authorized_keys 149 ( 150 echo -n 'cert-authority ' 151 cat $OBJ/user_ca_key.pub 152 ) > $OBJ/authorized_keys_$USER 153 else 154 echo > $OBJ/authorized_keys_$USER 155 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" 156 fi 157 158 for ktype in rsa dsa rsa_v00 dsa_v00 ; do 159 for privsep in yes no ; do 160 _prefix="${ktype} privsep $privsep $auth" 161 # Simple connect 162 verbose "$tid: ${_prefix} connect" 163 ( 164 cat $OBJ/sshd_proxy_bak 165 echo "UsePrivilegeSeparation $privsep" 166 echo "$extra_sshd" 167 ) > $OBJ/sshd_proxy 168 169 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 170 -F $OBJ/ssh_proxy somehost true 171 if [ $? -ne 0 ]; then 172 fail "ssh cert connect failed" 173 fi 174 175 # Revoked keys 176 verbose "$tid: ${_prefix} revoked key" 177 ( 178 cat $OBJ/sshd_proxy_bak 179 echo "UsePrivilegeSeparation $privsep" 180 echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub" 181 echo "$extra_sshd" 182 ) > $OBJ/sshd_proxy 183 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 184 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 185 if [ $? -eq 0 ]; then 186 fail "ssh cert connect succeeded unexpecedly" 187 fi 188 done 189 190 # Revoked CA 191 verbose "$tid: ${ktype} $auth revoked CA key" 192 ( 193 cat $OBJ/sshd_proxy_bak 194 echo "RevokedKeys $OBJ/user_ca_key.pub" 195 echo "$extra_sshd" 196 ) > $OBJ/sshd_proxy 197 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ 198 somehost true >/dev/null 2>&1 199 if [ $? -eq 0 ]; then 200 fail "ssh cert connect succeeded unexpecedly" 201 fi 202 done 203 204 verbose "$tid: $auth CA does not authenticate" 205 ( 206 cat $OBJ/sshd_proxy_bak 207 echo "$extra_sshd" 208 ) > $OBJ/sshd_proxy 209 verbose "$tid: ensure CA key does not authenticate user" 210 ${SSH} -2i $OBJ/user_ca_key \ 211 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 212 if [ $? -eq 0 ]; then 213 fail "ssh cert connect with CA key succeeded unexpectedly" 214 fi 215} 216 217basic_tests authorized_keys 218basic_tests TrustedUserCAKeys 219 220test_one() { 221 ident=$1 222 result=$2 223 sign_opts=$3 224 auth_choice=$4 225 auth_opt=$5 226 227 if test "x$auth_choice" = "x" ; then 228 auth_choice="authorized_keys TrustedUserCAKeys" 229 fi 230 231 for auth in $auth_choice ; do 232 for ktype in rsa rsa_v00 ; do 233 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy 234 if test "x$auth" = "xauthorized_keys" ; then 235 # Add CA to authorized_keys 236 ( 237 echo -n "cert-authority${auth_opt} " 238 cat $OBJ/user_ca_key.pub 239 ) > $OBJ/authorized_keys_$USER 240 else 241 echo > $OBJ/authorized_keys_$USER 242 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ 243 >> $OBJ/sshd_proxy 244 if test "x$auth_opt" != "x" ; then 245 echo $auth_opt >> $OBJ/sshd_proxy 246 fi 247 fi 248 249 verbose "$tid: $ident auth $auth expect $result $ktype" 250 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ 251 -I "regress user key for $USER" \ 252 $sign_opts \ 253 $OBJ/cert_user_key_${ktype} || 254 fail "couldn't sign cert_user_key_${ktype}" 255 256 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 257 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 258 rc=$? 259 if [ "x$result" = "xsuccess" ] ; then 260 if [ $rc -ne 0 ]; then 261 fail "$ident failed unexpectedly" 262 fi 263 else 264 if [ $rc -eq 0 ]; then 265 fail "$ident succeeded unexpectedly" 266 fi 267 fi 268 done 269 done 270} 271 272test_one "correct principal" success "-n ${USER}" 273test_one "host-certificate" failure "-n ${USER} -h" 274test_one "wrong principals" failure "-n foo" 275test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101" 276test_one "cert expired" failure "-n ${USER} -V19800101:19900101" 277test_one "cert valid interval" success "-n ${USER} -V-1w:+2w" 278test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8" 279test_one "force-command" failure "-n ${USER} -Oforce-command=false" 280 281# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals 282test_one "empty principals" success "" authorized_keys 283test_one "empty principals" failure "" TrustedUserCAKeys 284 285# Check explicitly-specified principals: an empty principals list in the cert 286# should always be refused. 287 288# AuthorizedPrincipalsFile 289rm -f $OBJ/authorized_keys_$USER 290echo mekmitasdigoat > $OBJ/authorized_principals_$USER 291test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \ 292 TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" 293test_one "AuthorizedPrincipalsFile no principals" failure "" \ 294 TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" 295 296# principals= key option 297rm -f $OBJ/authorized_principals_$USER 298test_one "principals key option principals" success "-n mekmitasdigoat" \ 299 authorized_keys ',principals="mekmitasdigoat"' 300test_one "principals key option no principals" failure "" \ 301 authorized_keys ',principals="mekmitasdigoat"' 302 303# Wrong certificate 304cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy 305for ktype in rsa dsa rsa_v00 dsa_v00 ; do 306 case $ktype in 307 *_v00) args="-t v00" ;; 308 *) args="" ;; 309 esac 310 # Self-sign 311 ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \ 312 "regress user key for $USER" \ 313 -n $USER $OBJ/cert_user_key_${ktype} || 314 fail "couldn't sign cert_user_key_${ktype}" 315 verbose "$tid: user ${ktype} connect wrong cert" 316 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ 317 somehost true >/dev/null 2>&1 318 if [ $? -eq 0 ]; then 319 fail "ssh cert connect $ident succeeded unexpectedly" 320 fi 321done 322 323rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* 324rm -f $OBJ/authorized_principals_$USER 325 326