principals-command.sh revision 1.2
#	$OpenBSD: principals-command.sh,v 1.2 2016/09/21 01:35:12 djm Exp $
#	Placed in the Public Domain.
# Regression test for sshd's AuthorizedPrincipalsCommand; the principals=""
# key option is exercised afterwards with the same certificate.
tid="authorized principals command"

# Serial number placed in the user certificate: this shell's PID.  The
# helper command written further down expects to be handed the same value.
SERIAL=$$

# Drop CA/user keys and certificates left by an earlier run, and keep an
# untouched copy of the sshd config; each test phase rebuilds sshd_proxy
# from that copy.
rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

# The helper command has to be created under /var/run, which needs
# privilege escalation; without $SUDO the test cannot run at all.
test -n "$SUDO" || \
	fatal "need SUDO to create file in /var/run, test won't work without"
# Generate a throwaway user CA (ed25519) and a user key (RSA), both with an
# empty passphrase (-N ''), then let the CA sign the user key.
${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key ||
	fatal "ssh-keygen of user_ca_key failed"
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/cert_user_key ||
	fatal "ssh-keygen of cert_user_key failed"

# Certificate contents that the tests rely on:
#   -I  key ID "Joanne User"
#   -z  serial number (SERIAL, i.e. this shell's PID)
#   -n  principals: the login name and "mekmitasdigoat"
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \
    -z ${SERIAL} -n ${USER},mekmitasdigoat $OBJ/cert_user_key ||
	fatal "couldn't sign cert_user_key"

# Values the helper command compares against its arguments.
# Fingerprints: second field of "ssh-keygen -l" output.
CERT_FP=`${SSHKEYGEN} -lf $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'`
# Key bodies: second field of the public-key line (the base64 blob).
CERT_BODY=`awk '{ print $2 }' $OBJ/cert_user_key-cert.pub`
CA_BODY=`awk '{ print $2 }' $OBJ/user_ca_key.pub`
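# Install the AuthorizedPrincipalsCommand helper in /var/run, where it will
# have acceptable directory permissions: sshd only runs a helper that is
# owned by root and not writable by group or others, so the file is created
# through $SUDO instead of inside the build tree.
#
# The here-document delimiter is unquoted, so ${LOGNAME}, ${SERIAL}, the
# fingerprints, the key bodies and $OBJ are expanded now and frozen into the
# helper, while the escaped $1..$9 stay literal and are read when sshd runs
# it.  The helper prints the principals file only when all nine arguments
# match what this test expects, in this order: login name, certificate
# type, CA key type, key ID, serial, CA fingerprint, certificate
# fingerprint, certificate body, CA body.  sshd fills them in from the
# token list on the AuthorizedPrincipalsCommand line configured later in
# this script.  Any mismatch exits 1 without printing a principal.
#
# NOTE(review): nothing visible in this script removes the helper after the
# run, and its name is fixed per user, so a copy from an earlier run is
# overwritten in place -- confirm the harness cleans /var/run up.
PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"

# The target path is handed to the privileged shell as its $1 rather than
# pasted into the command string, so no character taken from ${LOGNAME} is
# ever parsed as shell syntax by the shell started through $SUDO.
cat << _EOF | $SUDO sh -c 'cat > "$1"' sh "$PRINCIPALS_COMMAND"
#!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1
test "x\$2" != "xssh-rsa-cert-v01@openssh.com" && exit 1
test "x\$3" != "xssh-ed25519" && exit 1
test "x\$4" != "xJoanne User" && exit 1
test "x\$5" != "x${SERIAL}" && exit 1
test "x\$6" != "x${CA_FP}" && exit 1
test "x\$7" != "x${CERT_FP}" && exit 1
test "x\$8" != "x${CERT_BODY}" && exit 1
test "x\$9" != "x${CA_BODY}" && exit 1
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
	exec cat "$OBJ/authorized_principals_${LOGNAME}"
_EOF
test $? -eq 0 || fatal "couldn't prepare principals command"

# 0755: anyone may execute the helper, only its owner may modify it.  A
# failed chmod would leave it unusable and make every case below fail for
# an unrelated reason, so stop here instead.
$SUDO chmod 0755 "$PRINCIPALS_COMMAND" || \
	fatal "couldn't chmod principals command"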
# Run every scenario twice, once for each UsePrivilegeSeparation setting.
#
# Each case writes the principals source, attempts one certificate login
# through the proxy config and looks only at ssh's exit status (output is
# discarded).  An expected-failure case therefore cannot tell a rejected
# principal from any other connection failure; the expected-success cases
# in between are what show that the setup itself works.
#
# NOTE(review): the helper reads authorized_principals_${LOGNAME} while this
# loop writes authorized_principals_$USER; the two name the same file only
# when USER and LOGNAME are equal.
for privsep in yes no ; do
	_prefix="privsep $privsep"

	# Phase 1: principals are supplied by AuthorizedPrincipalsCommand.
	# authorized_keys is removed and AuthorizedKeysFile is "none", so the
	# CA named by TrustedUserCAKeys plus the helper's output is the only
	# configuration added here for the certificate to be accepted by.
	# The nine %-tokens are the arguments the helper verifies.
	rm -f $OBJ/authorized_keys_$USER
	{
		cat $OBJ/sshd_proxy_bak
		echo "UsePrivilegeSeparation $privsep"
		echo "AuthorizedKeysFile none"
		echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
		    "%u %t %T %i %s %F %f %k %K"
		echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
	} > $OBJ/sshd_proxy

	# Not covered yet (XXX): helper command missing.
	# Not covered yet (XXX): helper command failing.

	# Helper prints a single empty line: no principal, login must fail.
	verbose "$tid: ${_prefix} empty authorized_principals"
	echo > $OBJ/authorized_principals_$USER
	if ${SSH} -2i $OBJ/cert_user_key \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 ; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Helper prints a principal that is not in the certificate: must fail.
	verbose "$tid: ${_prefix} wrong authorized_principals"
	echo gregorsamsa > $OBJ/authorized_principals_$USER
	if ${SSH} -2i $OBJ/cert_user_key \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 ; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Helper prints a principal the certificate carries: must succeed.
	verbose "$tid: ${_prefix} correct authorized_principals"
	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
	${SSH} -2i $OBJ/cert_user_key \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 ||
		fail "ssh cert connect failed"

	# Matching principal preceded by an unrecognised option word: the
	# line must not grant access.
	verbose "$tid: ${_prefix} authorized_principals bad key opt"
	echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
	if ${SSH} -2i $OBJ/cert_user_key \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 ; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Matching principal with command="false": the client asks for
	# "true", so a zero exit status would mean the option was ignored.
	verbose "$tid: ${_prefix} authorized_principals command=false"
	echo 'command="false" mekmitasdigoat' > \
	    $OBJ/authorized_principals_$USER
	if ${SSH} -2i $OBJ/cert_user_key \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 ; then
		fail "ssh cert connect succeeded unexpectedly"
	fi


	# Matching principal with command="true": the client asks for
	# "false", so a zero exit status shows the option's command ran
	# in place of the requested one.
	verbose "$tid: ${_prefix} authorized_principals command=true"
	echo 'command="true" mekmitasdigoat' > \
	    $OBJ/authorized_principals_$USER
	${SSH} -2i $OBJ/cert_user_key \
	    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 ||
		fail "ssh cert connect failed"

	# Phase 2: principals="" key option.  sshd_proxy goes back to the
	# saved config plus the privsep setting, with no principals command;
	# the CA is introduced through a cert-authority line written to
	# authorized_keys_$USER instead.
	rm -f $OBJ/authorized_principals_$USER
	{
		cat $OBJ/sshd_proxy_bak
		echo "UsePrivilegeSeparation $privsep"
	} > $OBJ/sshd_proxy

	# CA line restricted to a principal the certificate lacks: must fail.
	verbose "$tid: ${_prefix} wrong principals key option"
	{
		printf 'cert-authority,principals="gregorsamsa" '
		cat $OBJ/user_ca_key.pub
	} > $OBJ/authorized_keys_$USER
	if ${SSH} -2i $OBJ/cert_user_key \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 ; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# CA line restricted to a principal the certificate has: must succeed.
	verbose "$tid: ${_prefix} correct principals key option"
	{
		printf 'cert-authority,principals="mekmitasdigoat" '
		cat $OBJ/user_ca_key.pub
	} > $OBJ/authorized_keys_$USER
	${SSH} -2i $OBJ/cert_user_key \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 ||
		fail "ssh cert connect failed"
done