principals-command.sh revision 1.7
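#	$OpenBSD: principals-command.sh,v 1.7 2019/09/06 04:24:06 dtucker Exp $
#	Placed in the Public Domain.

# Regression test for certificate principal authorisation in sshd, covering
# the AuthorizedPrincipalsCommand directive and the principals="..." option
# on a cert-authority line in authorized_keys.
#
# This file defines none of the following and expects the surrounding test
# harness to provide them: OBJ, SSH, SSHKEYGEN, SUDO, USER, LOGNAME, and the
# helpers fatal, fail and verbose.
#
# NOTE(review): the principals file is written as authorized_principals_$USER
# but the generated helper reads authorized_principals_${LOGNAME}. This
# assumes both variables name the same account; confirm against the harness.

tid="authorized principals command"

# Start from a clean slate and keep a pristine copy of the sshd config so
# each sub-test can rebuild sshd_proxy from it.
rm -f "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# The helper is installed under /var/run, so we need either sudo or direct
# write access to that directory.
if [ -z "$SUDO" ] && [ ! -w /var/run ]; then
	fatal "need SUDO to create file in /var/run, test won't work without"
fi

# Use an RSA user key when this ssh build lists ssh-rsa, else ed25519.
case "$(${SSH} -Q key-plain)" in
	*ssh-rsa*)	userkeytype=rsa ;;
	*)		userkeytype=ed25519 ;;
esac

# Certificate serial number; the helper checks it against the %s token.
SERIAL=$$

# Create a CA key and a user certificate.
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_ca_key" || \
	fatal "ssh-keygen of user_ca_key failed"
${SSHKEYGEN} -q -N '' -t ${userkeytype} -f "$OBJ/cert_user_key" || \
	fatal "ssh-keygen of cert_user_key failed"
${SSHKEYGEN} -q -s "$OBJ/user_ca_key" -I "Joanne User" \
    -z "$SERIAL" -n "${USER},mekmitasdigoat" "$OBJ/cert_user_key" || \
	fatal "couldn't sign cert_user_key"

# Values sshd is expected to hand to the helper: field 2 of each public key
# file (the base64 body) and field 2 of each "ssh-keygen -l" line (the
# fingerprint).
CERT_BODY=$(awk '{ print $2 }' "$OBJ/cert_user_key-cert.pub")
CA_BODY=$(awk '{ print $2 }' "$OBJ/user_ca_key.pub")
CERT_FP=$(${SSHKEYGEN} -lf "$OBJ/cert_user_key-cert.pub" | awk '{ print $2 }')
CA_FP=$(${SSHKEYGEN} -lf "$OBJ/user_ca_key.pub" | awk '{ print $2 }')

# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
# acceptable directory permissions.
PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}.$$"
# Single-quoted so the path is expanded, quoted, when the trap fires rather
# than being spliced into the trap string now. $SUDO stays unquoted so an
# empty value disappears.
trap '$SUDO rm -f "$PRINCIPALS_COMMAND"' 0
# The destination is passed to the (possibly root) shell as a positional
# argument instead of being interpolated into the -c string, so it is never
# re-parsed as shell code. The here-document delimiter is unquoted: the
# ${...} values are baked in now, while \$1..\$9 stay as the helper's own
# arguments. These map, in order, to the tokens
# "%u %t %T %i %s %F %f %k %K" configured below; any mismatch makes the
# helper exit 1 without printing principals.
cat << _EOF | $SUDO sh -c 'cat > "$1"' sh "$PRINCIPALS_COMMAND"
#!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1
test "x\$2" != "xssh-${userkeytype}-cert-v01@openssh.com" && exit 1
test "x\$3" != "xssh-ed25519" && exit 1
test "x\$4" != "xJoanne User" && exit 1
test "x\$5" != "x${SERIAL}" && exit 1
test "x\$6" != "x${CA_FP}" && exit 1
test "x\$7" != "x${CERT_FP}" && exit 1
test "x\$8" != "x${CERT_BODY}" && exit 1
test "x\$9" != "x${CA_BODY}" && exit 1
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
	exec cat "$OBJ/authorized_principals_${LOGNAME}"
_EOF
test $? -eq 0 || fatal "couldn't prepare principals command"
$SUDO chmod 0755 "$PRINCIPALS_COMMAND"

# Test explicitly-specified principals
for privsep in yes sandbox ; do
	_prefix="privsep $privsep"

	# Setup for AuthorizedPrincipalsCommand
	# AuthorizedKeysFile is "none", so the only way in is the CA-signed
	# certificate plus whatever principals the helper prints.
	rm -f "$OBJ/authorized_keys_$USER"
	(
		cat "$OBJ/sshd_proxy_bak"
		echo "UsePrivilegeSeparation $privsep"
		echo "AuthorizedKeysFile none"
		echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
		    "%u %t %T %i %s %F %f %k %K"
		echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
	) > "$OBJ/sshd_proxy"

	# XXX test missing command
	# XXX test failing command

	# Empty authorized_principals
	# No principal listed: the certificate must be refused.
	verbose "$tid: ${_prefix} empty authorized_principals"
	echo > "$OBJ/authorized_principals_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Wrong authorized_principals
	# Listed principal is not in the certificate: must be refused.
	verbose "$tid: ${_prefix} wrong authorized_principals"
	echo gregorsamsa > "$OBJ/authorized_principals_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Correct authorized_principals
	verbose "$tid: ${_prefix} correct authorized_principals"
	echo mekmitasdigoat > "$OBJ/authorized_principals_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -ne 0 ]; then
		fail "ssh cert connect failed"
	fi

	# authorized_principals with bad key option
	# A matching principal preceded by an unrecognised option must not
	# grant access.
	verbose "$tid: ${_prefix} authorized_principals bad key opt"
	echo 'blah mekmitasdigoat' > "$OBJ/authorized_principals_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# authorized_principals with command=false
	# The client asks for "true"; a zero exit would mean the forced
	# command from the principals line was not applied.
	verbose "$tid: ${_prefix} authorized_principals command=false"
	echo 'command="false" mekmitasdigoat' > \
	    "$OBJ/authorized_principals_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi


	# authorized_principals with command=true
	# Mirror image: the client asks for "false" and the session must
	# still exit zero.
	verbose "$tid: ${_prefix} authorized_principals command=true"
	echo 'command="true" mekmitasdigoat' > \
	    "$OBJ/authorized_principals_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost false >/dev/null 2>&1
	if [ $? -ne 0 ]; then
		fail "ssh cert connect failed"
	fi

	# Setup for principals= key option
	# Drop the AuthorizedPrincipalsCommand and TrustedUserCAKeys lines;
	# the CA is now trusted via a cert-authority line in authorized_keys.
	rm -f "$OBJ/authorized_principals_$USER"
	(
		cat "$OBJ/sshd_proxy_bak"
		echo "UsePrivilegeSeparation $privsep"
	) > "$OBJ/sshd_proxy"

	# Wrong principals list
	verbose "$tid: ${_prefix} wrong principals key option"
	(
		printf 'cert-authority,principals="gregorsamsa" '
		cat "$OBJ/user_ca_key.pub"
	) > "$OBJ/authorized_keys_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Correct principals list
	verbose "$tid: ${_prefix} correct principals key option"
	(
		printf 'cert-authority,principals="mekmitasdigoat" '
		cat "$OBJ/user_ca_key.pub"
	) > "$OBJ/authorized_keys_$USER"
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -ne 0 ]; then
		fail "ssh cert connect failed"
	fi
done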