principals-command.sh revision 1.13
1# $OpenBSD: principals-command.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $ 2# Placed in the Public Domain. 3 4tid="authorized principals command" 5 6rm -f $OBJ/user_ca_key* $OBJ/cert_user_key* 7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 8 9if [ -z "$SUDO" -a ! -w /var/run ]; then 10 skip "need SUDO to create file in /var/run, test won't work without" 11fi 12 13case "$SSH_KEYTYPES" in 14 *ssh-rsa*) userkeytype=rsa ;; 15 *) userkeytype=ed25519 ;; 16esac 17 18SERIAL=$$ 19 20# Create a CA key and a user certificate. 21${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ 22 fatal "ssh-keygen of user_ca_key failed" 23${SSHKEYGEN} -q -N '' -t ${userkeytype} -f $OBJ/cert_user_key || \ 24 fatal "ssh-keygen of cert_user_key failed" 25${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \ 26 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ 27 fatal "couldn't sign cert_user_key" 28 29CERT_BODY=`cat $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'` 30CA_BODY=`cat $OBJ/user_ca_key.pub | awk '{ print $2 }'` 31CERT_FP=`${SSHKEYGEN} -lf $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'` 32CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'` 33 34# Establish a AuthorizedPrincipalsCommand in /var/run where it will have 35# acceptable directory permissions. 36PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}.$$" 37trap "$SUDO rm -f ${PRINCIPALS_COMMAND}" 0 38cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" 39#!/bin/sh 40test "x\$1" != "x${LOGNAME}" && exit 1 41test "x\$2" != "xssh-${userkeytype}-cert-v01@openssh.com" && exit 1 42test "x\$3" != "xssh-ed25519" && exit 1 43test "x\$4" != "xJoanne User" && exit 1 44test "x\$5" != "x${SERIAL}" && exit 1 45test "x\$6" != "x${CA_FP}" && exit 1 46test "x\$7" != "x${CERT_FP}" && exit 1 47test "x\$8" != "x${CERT_BODY}" && exit 1 48test "x\$9" != "x${CA_BODY}" && exit 1 49test -f "$OBJ/authorized_principals_${LOGNAME}" && 50 exec cat "$OBJ/authorized_principals_${LOGNAME}" 51_EOF 52test $? -eq 0 || fatal "couldn't prepare principals command" 53$SUDO chmod 0755 "$PRINCIPALS_COMMAND" 54 55# Test explicitly-specified principals 56 # Setup for AuthorizedPrincipalsCommand 57 rm -f $OBJ/authorized_keys_$USER 58 ( 59 cat $OBJ/sshd_proxy_bak 60 echo "AuthorizedKeysFile none" 61 echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \ 62 "%u %t %T %i %s %F %f %k %K" 63 echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" 64 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" 65 ) > $OBJ/sshd_proxy 66 67 # XXX test missing command 68 # XXX test failing command 69 70 # Empty authorized_principals 71 verbose "$tid: empty authorized_principals" 72 echo > $OBJ/authorized_principals_$USER 73 ${SSH} -i $OBJ/cert_user_key \ 74 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 75 if [ $? -eq 0 ]; then 76 fail "ssh cert connect succeeded unexpectedly" 77 fi 78 79 # Wrong authorized_principals 80 verbose "$tid: wrong authorized_principals" 81 echo gregorsamsa > $OBJ/authorized_principals_$USER 82 ${SSH} -i $OBJ/cert_user_key \ 83 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 84 if [ $? -eq 0 ]; then 85 fail "ssh cert connect succeeded unexpectedly" 86 fi 87 88 # Correct authorized_principals 89 verbose "$tid: correct authorized_principals" 90 echo mekmitasdigoat > $OBJ/authorized_principals_$USER 91 ${SSH} -i $OBJ/cert_user_key \ 92 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 93 if [ $? -ne 0 ]; then 94 fail "ssh cert connect failed" 95 fi 96 97 # authorized_principals with bad key option 98 verbose "$tid: authorized_principals bad key opt" 99 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER 100 ${SSH} -i $OBJ/cert_user_key \ 101 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 102 if [ $? -eq 0 ]; then 103 fail "ssh cert connect succeeded unexpectedly" 104 fi 105 106 # authorized_principals with command=false 107 verbose "$tid: authorized_principals command=false" 108 echo 'command="false" mekmitasdigoat' > \ 109 $OBJ/authorized_principals_$USER 110 ${SSH} -i $OBJ/cert_user_key \ 111 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 112 if [ $? -eq 0 ]; then 113 fail "ssh cert connect succeeded unexpectedly" 114 fi 115 116 117 # authorized_principals with command=true 118 verbose "$tid: authorized_principals command=true" 119 echo 'command="true" mekmitasdigoat' > \ 120 $OBJ/authorized_principals_$USER 121 ${SSH} -i $OBJ/cert_user_key \ 122 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 123 if [ $? -ne 0 ]; then 124 fail "ssh cert connect failed" 125 fi 126 127 # Setup for principals= key option 128 # TODO: remove? 129 rm -f $OBJ/authorized_principals_$USER 130 ( 131 cat $OBJ/sshd_proxy_bak 132 ) > $OBJ/sshd_proxy 133 134 # Wrong principals list 135 verbose "$tid: wrong principals key option" 136 ( 137 printf 'cert-authority,principals="gregorsamsa" ' 138 cat $OBJ/user_ca_key.pub 139 ) > $OBJ/authorized_keys_$USER 140 ${SSH} -i $OBJ/cert_user_key \ 141 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 142 if [ $? -eq 0 ]; then 143 fail "ssh cert connect succeeded unexpectedly" 144 fi 145 146 # Correct principals list 147 verbose "$tid: correct principals key option" 148 ( 149 printf 'cert-authority,principals="mekmitasdigoat" ' 150 cat $OBJ/user_ca_key.pub 151 ) > $OBJ/authorized_keys_$USER 152 ${SSH} -i $OBJ/cert_user_key \ 153 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 154 if [ $? -ne 0 ]; then 155 fail "ssh cert connect failed" 156 fi 157