principals-command.sh revision 1.14
1# $OpenBSD: principals-command.sh,v 1.14 2021/09/30 05:26:26 dtucker Exp $ 2# Placed in the Public Domain. 3 4tid="authorized principals command" 5 6rm -f $OBJ/user_ca_key* $OBJ/cert_user_key* 7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 8 9if [ -z "$SUDO" -a ! -w /var/run ]; then 10 skip "need SUDO to create file in /var/run, test won't work without" 11fi 12 13case "$SSH_KEYTYPES" in 14 *ssh-rsa*) userkeytype=rsa ;; 15 *) userkeytype=ed25519 ;; 16esac 17 18SERIAL=$$ 19 20# Create a CA key and a user certificate. 21${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ 22 fatal "ssh-keygen of user_ca_key failed" 23${SSHKEYGEN} -q -N '' -t ${userkeytype} -f $OBJ/cert_user_key || \ 24 fatal "ssh-keygen of cert_user_key failed" 25${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \ 26 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ 27 fatal "couldn't sign cert_user_key" 28 29CERT_BODY=`cat $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'` 30CA_BODY=`cat $OBJ/user_ca_key.pub | awk '{ print $2 }'` 31CERT_FP=`${SSHKEYGEN} -lf $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'` 32CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'` 33 34# Establish a AuthorizedPrincipalsCommand in /var/run where it will have 35# acceptable directory permissions. 36PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}.$$" 37trap "$SUDO rm -f ${PRINCIPALS_COMMAND}" 0 38cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" 39#!/bin/sh 40test "x\$1" != "x${LOGNAME}" && exit 1 41test "x\$2" != "xssh-${userkeytype}-cert-v01@openssh.com" && exit 1 42test "x\$3" != "xssh-ed25519" && exit 1 43test "x\$4" != "xJoanne User" && exit 1 44test "x\$5" != "x${SERIAL}" && exit 1 45test "x\$6" != "x${CA_FP}" && exit 1 46test "x\$7" != "x${CERT_FP}" && exit 1 47test "x\$8" != "x${CERT_BODY}" && exit 1 48test "x\$9" != "x${CA_BODY}" && exit 1 49test -f "$OBJ/authorized_principals_${LOGNAME}" && 50 exec cat "$OBJ/authorized_principals_${LOGNAME}" 51_EOF 52test $? -eq 0 || fatal "couldn't prepare principals command" 53$SUDO chmod 0755 "$PRINCIPALS_COMMAND" 54 55# Test explicitly-specified principals 56# Setup for AuthorizedPrincipalsCommand 57rm -f $OBJ/authorized_keys_$USER 58( 59 cat $OBJ/sshd_proxy_bak 60 echo "AuthorizedKeysFile none" 61 echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \ 62 "%u %t %T %i %s %F %f %k %K" 63 echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" 64 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" 65) > $OBJ/sshd_proxy 66 67# XXX test missing command 68# XXX test failing command 69 70# Empty authorized_principals 71verbose "$tid: empty authorized_principals" 72echo > $OBJ/authorized_principals_$USER 73${SSH} -i $OBJ/cert_user_key \ 74 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 75if [ $? -eq 0 ]; then 76 fail "ssh cert connect succeeded unexpectedly" 77fi 78 79# Wrong authorized_principals 80verbose "$tid: wrong authorized_principals" 81echo gregorsamsa > $OBJ/authorized_principals_$USER 82${SSH} -i $OBJ/cert_user_key \ 83 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 84if [ $? -eq 0 ]; then 85 fail "ssh cert connect succeeded unexpectedly" 86fi 87 88# Correct authorized_principals 89verbose "$tid: correct authorized_principals" 90echo mekmitasdigoat > $OBJ/authorized_principals_$USER 91${SSH} -i $OBJ/cert_user_key \ 92 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 93if [ $? -ne 0 ]; then 94 fail "ssh cert connect failed" 95fi 96 97# authorized_principals with bad key option 98verbose "$tid: authorized_principals bad key opt" 99echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER 100${SSH} -i $OBJ/cert_user_key \ 101 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 102if [ $? -eq 0 ]; then 103 fail "ssh cert connect succeeded unexpectedly" 104fi 105 106# authorized_principals with command=false 107verbose "$tid: authorized_principals command=false" 108echo 'command="false" mekmitasdigoat' > \ 109 $OBJ/authorized_principals_$USER 110${SSH} -i $OBJ/cert_user_key \ 111 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 112if [ $? -eq 0 ]; then 113 fail "ssh cert connect succeeded unexpectedly" 114fi 115 116 117# authorized_principals with command=true 118verbose "$tid: authorized_principals command=true" 119echo 'command="true" mekmitasdigoat' > \ 120 $OBJ/authorized_principals_$USER 121${SSH} -i $OBJ/cert_user_key \ 122 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 123if [ $? -ne 0 ]; then 124 fail "ssh cert connect failed" 125fi 126 127# Setup for principals= key option 128# TODO: remove? 129rm -f $OBJ/authorized_principals_$USER 130( 131 cat $OBJ/sshd_proxy_bak 132) > $OBJ/sshd_proxy 133 134# Wrong principals list 135verbose "$tid: wrong principals key option" 136( 137 printf 'cert-authority,principals="gregorsamsa" ' 138 cat $OBJ/user_ca_key.pub 139) > $OBJ/authorized_keys_$USER 140${SSH} -i $OBJ/cert_user_key \ 141 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 142if [ $? -eq 0 ]; then 143 fail "ssh cert connect succeeded unexpectedly" 144fi 145 146# Correct principals list 147verbose "$tid: correct principals key option" 148( 149 printf 'cert-authority,principals="mekmitasdigoat" ' 150 cat $OBJ/user_ca_key.pub 151) > $OBJ/authorized_keys_$USER 152${SSH} -i $OBJ/cert_user_key \ 153 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 154if [ $? -ne 0 ]; then 155 fail "ssh cert connect failed" 156fi 157