principals-command.sh revision 1.3
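#	$OpenBSD: principals-command.sh,v 1.3 2016/09/26 21:34:38 bluhm Exp $
#	Placed in the Public Domain.

# Regression test for sshd's AuthorizedPrincipalsCommand and for the
# principals="" option on a cert-authority line in authorized_keys.
#
# This file has no shebang and defines none of fatal/fail/verbose, $OBJ,
# $SSH, $SSHKEYGEN or $SUDO; it is presumably sourced by the regress
# harness, which supplies them.  The backticks and plain [ ] tests are
# kept so the script stays usable under a basic /bin/sh.
#
# ${SSH}, ${SSHKEYGEN} and $SUDO are deliberately left unquoted: $SUDO may
# be empty, and the harness may set any of them to more than one word.
#
# NOTE(review): the helper reads authorized_principals_${LOGNAME} while the
# test cases write authorized_principals_$USER, so the test only makes
# sense when $USER and $LOGNAME name the same account.
#
# NOTE(review): every negative case discards ssh's output and looks only at
# the exit status, so a connection that fails for an unrelated reason also
# satisfies it.  The positive cases in the same loop are what show that the
# setup itself works.

tid="authorized principals command"

rm -f "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# Two separate tests rather than the obsolescent, ambiguous "-a" operator.
if [ -z "$SUDO" ] && [ ! -w /var/run ]; then
	fatal "need SUDO to create file in /var/run, test won't work without"
fi

# The certificate serial; the helper below compares it with the %s token.
SERIAL=$$

# Create a CA key and a user certificate.
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_ca_key" || \
	fatal "ssh-keygen of user_ca_key failed"
${SSHKEYGEN} -q -N '' -t rsa -f "$OBJ/cert_user_key" || \
	fatal "ssh-keygen of cert_user_key failed"
${SSHKEYGEN} -q -s "$OBJ/user_ca_key" -I "Joanne User" \
    -z "$SERIAL" -n "${USER},mekmitasdigoat" "$OBJ/cert_user_key" || \
	fatal "couldn't sign cert_user_key"

# Second field of each public key file (the base64 blob) and of each
# "ssh-keygen -l" line (the fingerprint); these are the values the helper
# expects for the %k/%K and %f/%F tokens.
CERT_BODY=`awk '{ print $2 }' "$OBJ/cert_user_key-cert.pub"`
CA_BODY=`awk '{ print $2 }' "$OBJ/user_ca_key.pub"`
CERT_FP=`${SSHKEYGEN} -lf "$OBJ/cert_user_key-cert.pub" | awk '{ print $2 }'`
CA_FP=`${SSHKEYGEN} -lf "$OBJ/user_ca_key.pub" | awk '{ print $2 }'`

# Establish an AuthorizedPrincipalsCommand in /var/run where it will have
# acceptable directory permissions.
#
# The generated helper exits 1 unless its nine arguments match, in order:
# login user, certificate key type, CA key type, key ID, serial,
# CA fingerprint, certificate fingerprint, certificate blob, CA blob
# (the "%u %t %T %i %s %F %f %k %K" tokens configured further down).
# Only then does it print the per-test authorized_principals file.
#
# The here-document delimiter is unquoted on purpose: ${LOGNAME}, ${SERIAL},
# the fingerprints, the blobs and $OBJ are expanded now and baked into the
# helper, while the escaped \$1..\$9 stay positional parameters.
#
# NOTE(review): $PRINCIPALS_COMMAND is pasted into a shell string that runs
# under $SUDO, so a LOGNAME containing a single quote would break out of
# the quoting.  The test assumes LOGNAME is a plain account name.
#
# NOTE(review): nothing below removes the helper again, so it stays in
# /var/run after the test has finished.
PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
#!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1
test "x\$2" != "xssh-rsa-cert-v01@openssh.com" && exit 1
test "x\$3" != "xssh-ed25519" && exit 1
test "x\$4" != "xJoanne User" && exit 1
test "x\$5" != "x${SERIAL}" && exit 1
test "x\$6" != "x${CA_FP}" && exit 1
test "x\$7" != "x${CERT_FP}" && exit 1
test "x\$8" != "x${CERT_BODY}" && exit 1
test "x\$9" != "x${CA_BODY}" && exit 1
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
	exec cat "$OBJ/authorized_principals_${LOGNAME}"
_EOF
test $? -eq 0 || fatal "couldn't prepare principals command"
# Mode 0755: executable by the command user, writable by the owner only.
# A failed chmod would otherwise surface later as a misleading
# "ssh cert connect failed", so stop here instead.
$SUDO chmod 0755 "$PRINCIPALS_COMMAND" || \
	fatal "couldn't chmod principals command"

# Test explicitly-specified principals
for privsep in yes no ; do
	_prefix="privsep $privsep"

	# Setup for AuthorizedPrincipalsCommand
	# AuthorizedKeysFile is "none" and authorized_keys is removed, so the
	# principals command is the only thing that can authorize the cert.
	rm -f "$OBJ/authorized_keys_$USER"
	(
		cat "$OBJ/sshd_proxy_bak"
		echo "UsePrivilegeSeparation $privsep"
		echo "AuthorizedKeysFile none"
		echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
		    "%u %t %T %i %s %F %f %k %K"
		echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
	) > "$OBJ/sshd_proxy"

	# XXX test missing command
	# XXX test failing command

	# Empty authorized_principals
	verbose "$tid: ${_prefix} empty authorized_principals"
	echo > "$OBJ/authorized_principals_$USER"
	${SSH} -2i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Wrong authorized_principals
	verbose "$tid: ${_prefix} wrong authorized_principals"
	echo gregorsamsa > "$OBJ/authorized_principals_$USER"
	${SSH} -2i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Correct authorized_principals
	verbose "$tid: ${_prefix} correct authorized_principals"
	echo mekmitasdigoat > "$OBJ/authorized_principals_$USER"
	${SSH} -2i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -ne 0 ]; then
		fail "ssh cert connect failed"
	fi

	# authorized_principals with bad key option
	# An unrecognised option in front of a valid principal must make the
	# login fail rather than be skipped over.
	verbose "$tid: ${_prefix} authorized_principals bad key opt"
	echo 'blah mekmitasdigoat' > "$OBJ/authorized_principals_$USER"
	${SSH} -2i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# authorized_principals with command=false
	# The client asks for "true"; a non-zero exit shows the forced
	# command "false" ran instead.
	verbose "$tid: ${_prefix} authorized_principals command=false"
	echo 'command="false" mekmitasdigoat' > \
	    "$OBJ/authorized_principals_$USER"
	${SSH} -2i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi


	# authorized_principals with command=true
	# Mirror image of the case above: the client asks for "false" and a
	# zero exit shows the forced command "true" replaced it.
	verbose "$tid: ${_prefix} authorized_principals command=true"
	echo 'command="true" mekmitasdigoat' > \
	    "$OBJ/authorized_principals_$USER"
	${SSH} -2i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost false >/dev/null 2>&1
	if [ $? -ne 0 ]; then
		fail "ssh cert connect failed"
	fi

	# Setup for principals= key option
	# sshd_proxy goes back to the saved copy (no principals command, no
	# TrustedUserCAKeys line added here); the CA is trusted through a
	# cert-authority line in authorized_keys instead.
	rm -f "$OBJ/authorized_principals_$USER"
	(
		cat "$OBJ/sshd_proxy_bak"
		echo "UsePrivilegeSeparation $privsep"
	) > "$OBJ/sshd_proxy"

	# Wrong principals list
	verbose "$tid: ${_prefix} wrong principals key option"
	(
		printf 'cert-authority,principals="gregorsamsa" '
		cat "$OBJ/user_ca_key.pub"
	) > "$OBJ/authorized_keys_$USER"
	${SSH} -2i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Correct principals list
	verbose "$tid: ${_prefix} correct principals key option"
	(
		printf 'cert-authority,principals="mekmitasdigoat" '
		cat "$OBJ/user_ca_key.pub"
	) > "$OBJ/authorized_keys_$USER"
	${SSH} -2i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -ne 0 ]; then
		fail "ssh cert connect failed"
	fi
done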