principals-command.sh revision 1.6
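# $OpenBSD: principals-command.sh,v 1.6 2018/11/22 08:48:32 dtucker Exp $
# Placed in the Public Domain.
#
# Regression test for sshd's AuthorizedPrincipalsCommand and for the
# principals="..." option on a cert-authority line in authorized_keys.
#
# Nothing below is defined in this file: OBJ, SSH, SSHKEYGEN, SUDO, USER and
# LOGNAME, plus the fatal/fail/verbose helpers, are expected to come from the
# surrounding test harness.
#
# Caveat for anyone extending the negative cases: every ssh invocation
# discards its output and only the exit status is inspected, so an
# "expected failure" is satisfied by *any* failure (a broken sshd_proxy, a
# helper that sshd refuses to run, ...), not just by a principals mismatch.
# The positive cases in the same loop iteration are what show the setup
# itself is sound.

tid="authorized principals command"

rm -f "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# The helper has to be created in /var/run, so either that directory is
# writable by us or we need $SUDO.  Two separate tests are used instead of
# `[ ... -a ... ]`, whose result with this many operands is unspecified by
# POSIX.
if [ -z "$SUDO" ] && [ ! -w /var/run ]; then
	fatal "need SUDO to create file in /var/run, test won't work without"
fi

# Certificate serial number; the generated helper later checks that sshd
# hands back exactly this value for %s.
SERIAL=$$

# Create a CA key and a user certificate.
# The certificate carries two principals: the login name and a second,
# arbitrary one that the tests below allow or deny.
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_ca_key" || \
	fatal "ssh-keygen of user_ca_key failed"
${SSHKEYGEN} -q -N '' -t rsa -f "$OBJ/cert_user_key" || \
	fatal "ssh-keygen of cert_user_key failed"
${SSHKEYGEN} -q -s "$OBJ/user_ca_key" -I "Joanne User" \
    -z "$SERIAL" -n "${USER},mekmitasdigoat" "$OBJ/cert_user_key" || \
	fatal "couldn't sign cert_user_key"

# Expected values for the %k/%K (base64 key bodies) and %f/%F (fingerprints)
# tokens; field 2 of the .pub file and of `ssh-keygen -l` output respectively.
CERT_BODY=`awk '{ print $2 }' "$OBJ/cert_user_key-cert.pub"`
CA_BODY=`awk '{ print $2 }' "$OBJ/user_ca_key.pub"`
CERT_FP=`${SSHKEYGEN} -lf "$OBJ/cert_user_key-cert.pub" | awk '{ print $2 }'`
CA_FP=`${SSHKEYGEN} -lf "$OBJ/user_ca_key.pub" | awk '{ print $2 }'`

# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
# acceptable directory permissions.
# sshd_config(5) requires the command to be given by absolute path, owned by
# root and not writable by group or others; the file is therefore written
# through $SUDO and set to 0755 below.
# NOTE(review): the name is predictable (login name + PID) and is written via
# a shell redirect, which is only reasonable while /var/run is writable by
# root alone -- confirm on platforms where that does not hold.
PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}.$$"
# Double quotes: $SUDO and the path are expanded now, not when the trap fires.
trap "$SUDO rm -f ${PRINCIPALS_COMMAND}" 0
# The here-document is unquoted on purpose: ${LOGNAME}, ${SERIAL}, ${CA_FP},
# ... are baked in as literals at generation time, while \$1..\$9 stay
# positional parameters of the generated helper.  The nine checks follow the
# token order passed to sshd below (%u %t %T %i %s %F %f %k %K), so the
# helper only prints principals when sshd expanded every token as expected.
# The baked-in values are not escaped; that is fine for base64 bodies,
# fingerprints and a PID, but it assumes LOGNAME and OBJ contain no shell
# metacharacters.
cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
#!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1
test "x\$2" != "xssh-rsa-cert-v01@openssh.com" && exit 1
test "x\$3" != "xssh-ed25519" && exit 1
test "x\$4" != "xJoanne User" && exit 1
test "x\$5" != "x${SERIAL}" && exit 1
test "x\$6" != "x${CA_FP}" && exit 1
test "x\$7" != "x${CERT_FP}" && exit 1
test "x\$8" != "x${CERT_BODY}" && exit 1
test "x\$9" != "x${CA_BODY}" && exit 1
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
	exec cat "$OBJ/authorized_principals_${LOGNAME}"
_EOF
# $? here is the status of the last pipeline stage, i.e. the writing shell.
test $? -eq 0 || fatal "couldn't prepare principals command"
$SUDO chmod 0755 "$PRINCIPALS_COMMAND"

# Test explicitly-specified principals
for privsep in yes sandbox ; do
	_prefix="privsep $privsep"

	# Setup for AuthorizedPrincipalsCommand
	# AuthorizedKeysFile is set to "none" so that the certificate can only
	# be accepted through TrustedUserCAKeys plus the principals that the
	# helper prints.
	rm -f "$OBJ/authorized_keys_$USER"
	(
		cat "$OBJ/sshd_proxy_bak"
		echo "UsePrivilegeSeparation $privsep"
		echo "AuthorizedKeysFile none"
		echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
		    "%u %t %T %i %s %F %f %k %K"
		echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
	) > "$OBJ/sshd_proxy"

	# XXX test missing command
	# XXX test failing command

	# Empty authorized_principals
	# The helper prints a single empty line; no principal is authorised.
	verbose "$tid: ${_prefix} empty authorized_principals"
	echo > "$OBJ/authorized_principals_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Wrong authorized_principals
	# The certificate also names the login user as a principal; the test
	# expects that not to help when the helper lists someone else.
	verbose "$tid: ${_prefix} wrong authorized_principals"
	echo gregorsamsa > "$OBJ/authorized_principals_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Correct authorized_principals
	verbose "$tid: ${_prefix} correct authorized_principals"
	echo mekmitasdigoat > "$OBJ/authorized_principals_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -ne 0 ]; then
		fail "ssh cert connect failed"
	fi

	# authorized_principals with bad key option
	# An unrecognised option in front of a matching principal must make
	# the login fail rather than be ignored.
	verbose "$tid: ${_prefix} authorized_principals bad key opt"
	echo 'blah mekmitasdigoat' > "$OBJ/authorized_principals_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# authorized_principals with command=false
	# The client asks for "true"; a non-zero status is expected, i.e. the
	# forced command from the principals line is what runs.
	verbose "$tid: ${_prefix} authorized_principals command=false"
	echo 'command="false" mekmitasdigoat' > \
	    "$OBJ/authorized_principals_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi


	# authorized_principals with command=true
	# Mirror image of the previous case: the client asks for "false" and
	# success is expected because the forced command replaces it.
	verbose "$tid: ${_prefix} authorized_principals command=true"
	echo 'command="true" mekmitasdigoat' > \
	    "$OBJ/authorized_principals_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost false >/dev/null 2>&1
	if [ $? -ne 0 ]; then
		fail "ssh cert connect failed"
	fi

	# Setup for principals= key option
	# sshd_proxy is rebuilt from the backup without the
	# AuthorizedPrincipalsCommand/TrustedUserCAKeys lines added above; the
	# CA is now trusted through a cert-authority line in authorized_keys.
	rm -f "$OBJ/authorized_principals_$USER"
	(
		cat "$OBJ/sshd_proxy_bak"
		echo "UsePrivilegeSeparation $privsep"
	) > "$OBJ/sshd_proxy"

	# Wrong principals list
	verbose "$tid: ${_prefix} wrong principals key option"
	(
		printf 'cert-authority,principals="gregorsamsa" '
		cat "$OBJ/user_ca_key.pub"
	) > "$OBJ/authorized_keys_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Correct principals list
	verbose "$tid: ${_prefix} correct principals key option"
	(
		printf 'cert-authority,principals="mekmitasdigoat" '
		cat "$OBJ/user_ca_key.pub"
	) > "$OBJ/authorized_keys_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -ne 0 ]; then
		fail "ssh cert connect failed"
	fi
done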