principals-command.sh revision 1.6
#	$OpenBSD: principals-command.sh,v 1.6 2018/11/22 08:48:32 dtucker Exp $
#	Placed in the Public Domain.

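# Test name; it prefixes every verbose message emitted below.
tid="authorized principals command"

# Start from a clean slate: remove key and certificate files left behind by
# an earlier run, and keep a pristine copy of the sshd config that each test
# case below extends.
rm -f "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# The helper script is installed under /var/run, so either that directory is
# writable by the invoking user or $SUDO must be available.  Two separate
# tests are used instead of the obsolescent and ambiguous "-a" operator.
if [ -z "$SUDO" ] && [ ! -w /var/run ]; then
	fatal "need SUDO to create file in /var/run, test won't work without"
fi

# The shell's PID doubles as the certificate serial number: the certificate
# is signed with "-z $$" and the helper script compares the serial that sshd
# hands it against this value.
SERIAL=$$
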
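# Create a CA key and a user key, then have the CA sign the user key.
# Both keys are generated without a passphrase (-N '') so the test can run
# unattended.  The certificate carries the key ID "Joanne User", the shell's
# PID as serial number (the same value as SERIAL) and two principals: the
# invoking user and "mekmitasdigoat".
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_ca_key" || \
	fatal "ssh-keygen of user_ca_key failed"
${SSHKEYGEN} -q -N '' -t rsa -f "$OBJ/cert_user_key" || \
	fatal "ssh-keygen of cert_user_key failed"
${SSHKEYGEN} -q -s "$OBJ/user_ca_key" -I "Joanne User" \
    -z $$ -n "${USER},mekmitasdigoat" "$OBJ/cert_user_key" || \
	fatal "couldn't sign cert_user_key"

# Capture the values the helper script later compares against its arguments.
# Field 2 of a public key / certificate line is the base64 blob; field 2 of
# "ssh-keygen -l" output is the fingerprint.
CERT_BODY=`awk '{ print $2 }' "$OBJ/cert_user_key-cert.pub"`
CA_BODY=`awk '{ print $2 }' "$OBJ/user_ca_key.pub"`
CERT_FP=`${SSHKEYGEN} -lf "$OBJ/cert_user_key-cert.pub" | awk '{ print $2 }'`
CA_FP=`${SSHKEYGEN} -lf "$OBJ/user_ca_key.pub" | awk '{ print $2 }'`
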
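# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
# acceptable directory permissions.  sshd only runs such a command when it
# is given by absolute path, owned by root and not writable by group or
# others, which is why the file is created through $SUDO rather than in $OBJ.
PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}.$$"

# The trap string is double-quoted on purpose: $SUDO and the path are
# expanded now, so the cleanup removes exactly this file on exit.
trap "$SUDO rm -f '${PRINCIPALS_COMMAND}'" 0

# Generate the helper.  The here-document delimiter is unquoted, so the
# ${...} values are substituted while the file is written, and only the
# escaped \$1..\$9 remain as the helper's own positional parameters.  Those
# nine arguments correspond, in order, to the tokens
# "%u %t %T %i %s %F %f %k %K" that the sshd config passes: user, certificate
# type, CA key type, key ID, serial, CA fingerprint, certificate fingerprint,
# certificate blob and CA key blob.  Any mismatch exits 1 before a principal
# is printed; only a full match prints the authorized_principals file.
# NOTE(review): the substituted values land inside double-quoted strings of
# the generated script, so a '"', '$' or backquote in $OBJ or $LOGNAME would
# change the script's meaning.  They come from the test's own environment
# and from ssh-keygen output here.
cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
#!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1
test "x\$2" != "xssh-rsa-cert-v01@openssh.com" && exit 1
test "x\$3" != "xssh-ed25519" && exit 1
test "x\$4" != "xJoanne User" && exit 1
test "x\$5" != "x${SERIAL}" && exit 1
test "x\$6" != "x${CA_FP}" && exit 1
test "x\$7" != "x${CERT_FP}" && exit 1
test "x\$8" != "x${CERT_BODY}" && exit 1
test "x\$9" != "x${CA_BODY}" && exit 1
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
	exec cat "$OBJ/authorized_principals_${LOGNAME}"
_EOF
test $? -eq 0 || fatal "couldn't prepare principals command"

# Without the execute bit sshd cannot run the helper, and every "must be
# rejected" case below would then pass for the wrong reason, so a failed
# chmod stops the test instead of being ignored.
$SUDO chmod 0755 "$PRINCIPALS_COMMAND" || \
	fatal "couldn't make principals command executable"
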
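# Test explicitly-specified principals
# Every case runs twice, once per UsePrivilegeSeparation setting.  A case is
# one ssh login with the user certificate; only the exit status is checked,
# with ssh's own output discarded.
for privsep in yes sandbox ; do
	_prefix="privsep $privsep"

	# Setup for AuthorizedPrincipalsCommand
	# authorized_keys is removed and AuthorizedKeysFile set to "none", so
	# the certificate can only be accepted through the trusted CA plus the
	# principals printed by the helper command.
	# NOTE(review): the helper reads authorized_principals_${LOGNAME} while
	# the cases below write authorized_principals_$USER; this assumes the
	# two variables hold the same name.
	rm -f "$OBJ/authorized_keys_$USER"
	(
		cat "$OBJ/sshd_proxy_bak"
		echo "UsePrivilegeSeparation $privsep"
		echo "AuthorizedKeysFile none"
		echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
		    "%u %t %T %i %s %F %f %k %K"
		echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
	) > "$OBJ/sshd_proxy"

	# XXX test missing command
	# XXX test failing command

	# Empty authorized_principals
	# The helper prints no principal, so the login must be refused.
	verbose "$tid: ${_prefix} empty authorized_principals"
	echo > "$OBJ/authorized_principals_$USER"
	if ${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Wrong authorized_principals
	# "gregorsamsa" is not among the certificate's principals.
	verbose "$tid: ${_prefix} wrong authorized_principals"
	echo gregorsamsa > "$OBJ/authorized_principals_$USER"
	if ${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Correct authorized_principals
	# "mekmitasdigoat" is one of the principals the certificate was
	# signed with, so this login must succeed.
	verbose "$tid: ${_prefix} correct authorized_principals"
	echo mekmitasdigoat > "$OBJ/authorized_principals_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1 || \
		fail "ssh cert connect failed"

	# authorized_principals with bad key option
	# An unrecognised option in front of a valid principal must not be
	# skipped over: the login has to be refused.
	verbose "$tid: ${_prefix} authorized_principals bad key opt"
	echo 'blah mekmitasdigoat' > "$OBJ/authorized_principals_$USER"
	if ${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# authorized_principals with command=false
	# The client asks for "true"; a zero exit status would mean the forced
	# command from the principals line was not applied.
	# NOTE(review): a non-zero status does not tell a refused login apart
	# from an accepted one that ran "false".
	verbose "$tid: ${_prefix} authorized_principals command=false"
	echo 'command="false" mekmitasdigoat' > \
	    "$OBJ/authorized_principals_$USER"
	if ${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# authorized_principals with command=true
	# The client asks for "false"; a zero exit status shows both that the
	# login was accepted and that the forced command ran instead.
	verbose "$tid: ${_prefix} authorized_principals command=true"
	echo 'command="true" mekmitasdigoat' > \
	    "$OBJ/authorized_principals_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost false >/dev/null 2>&1 || \
		fail "ssh cert connect failed"

	# Setup for principals= key option
	# The sshd config goes back to the saved baseline (no principals
	# command, no TrustedUserCAKeys line added here), and the CA is named
	# in authorized_keys with a cert-authority,principals="..." option.
	rm -f "$OBJ/authorized_principals_$USER"
	(
		cat "$OBJ/sshd_proxy_bak"
		echo "UsePrivilegeSeparation $privsep"
	) > "$OBJ/sshd_proxy"

	# Wrong principals list
	verbose "$tid: ${_prefix} wrong principals key option"
	(
		printf 'cert-authority,principals="gregorsamsa" '
		cat "$OBJ/user_ca_key.pub"
	) > "$OBJ/authorized_keys_$USER"
	if ${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Correct principals list
	verbose "$tid: ${_prefix} correct principals key option"
	(
		printf 'cert-authority,principals="mekmitasdigoat" '
		cat "$OBJ/user_ca_key.pub"
	) > "$OBJ/authorized_keys_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1 || \
		fail "ssh cert connect failed"
done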