principals-command.sh revision 1.9 
1#	$OpenBSD: principals-command.sh,v 1.9 2019/11/26 23:43:10 djm Exp $
2#	Placed in the Public Domain.
3
4tid="authorized principals command"
5
6rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8
9if [ -z "$SUDO" -a ! -w /var/run ]; then
10	fatal "need SUDO to create file in /var/run, test won't work without"
11fi
12
13case "`${SSH} -Q key-plain`" in
14	*ssh-rsa*)	userkeytype=rsa ;;
15	*)		userkeytype=ed25519 ;;
16esac
17
18SERIAL=$$
19
20# Create a CA key and a user certificate.
21${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key || \
22	fatal "ssh-keygen of user_ca_key failed"
23${SSHKEYGEN} -q -N '' -t ${userkeytype} -f $OBJ/cert_user_key || \
24	fatal "ssh-keygen of cert_user_key failed"
25${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \
26    -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
27	fatal "couldn't sign cert_user_key"
28
29CERT_BODY=`cat $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
30CA_BODY=`cat $OBJ/user_ca_key.pub | awk '{ print $2 }'`
31CERT_FP=`${SSHKEYGEN} -lf $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
32CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'`
33
34# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
35# acceptable directory permissions.
36PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}.$$"
37trap "$SUDO rm -f ${PRINCIPALS_COMMAND}" 0
38cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
39#!/bin/sh
40test "x\$1" != "x${LOGNAME}" && exit 1
41test "x\$2" != "xssh-${userkeytype}-cert-v01@openssh.com" && exit 1
42test "x\$3" != "xssh-ed25519" && exit 1
43test "x\$4" != "xJoanne User" && exit 1
44test "x\$5" != "x${SERIAL}" && exit 1
45test "x\$6" != "x${CA_FP}" && exit 1
46test "x\$7" != "x${CERT_FP}" && exit 1
47test "x\$8" != "x${CERT_BODY}" && exit 1
48test "x\$9" != "x${CA_BODY}" && exit 1
49test -f "$OBJ/authorized_principals_${LOGNAME}" &&
50	exec cat "$OBJ/authorized_principals_${LOGNAME}"
51_EOF
52test $? -eq 0 || fatal "couldn't prepare principals command"
53$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
54
55# Test explicitly-specified principals
56for privsep in yes sandbox ; do
57	_prefix="privsep $privsep"
58
59	# Setup for AuthorizedPrincipalsCommand
60	rm -f $OBJ/authorized_keys_$USER
61	(
62		cat $OBJ/sshd_proxy_bak
63		echo "UsePrivilegeSeparation $privsep"
64		echo "AuthorizedKeysFile none"
65		echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
66		    "%u %t %T %i %s %F %f %k %K"
67		echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
68		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
69	) > $OBJ/sshd_proxy
70
71	# XXX test missing command
72	# XXX test failing command
73
74	# Empty authorized_principals
75	verbose "$tid: ${_prefix} empty authorized_principals"
76	echo > $OBJ/authorized_principals_$USER
77	${SSH} -i $OBJ/cert_user_key \
78	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
79	if [ $? -eq 0 ]; then
80		fail "ssh cert connect succeeded unexpectedly"
81	fi
82
83	# Wrong authorized_principals
84	verbose "$tid: ${_prefix} wrong authorized_principals"
85	echo gregorsamsa > $OBJ/authorized_principals_$USER
86	${SSH} -i $OBJ/cert_user_key \
87	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
88	if [ $? -eq 0 ]; then
89		fail "ssh cert connect succeeded unexpectedly"
90	fi
91
92	# Correct authorized_principals
93	verbose "$tid: ${_prefix} correct authorized_principals"
94	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
95	${SSH} -i $OBJ/cert_user_key \
96	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
97	if [ $? -ne 0 ]; then
98		fail "ssh cert connect failed"
99	fi
100
101	# authorized_principals with bad key option
102	verbose "$tid: ${_prefix} authorized_principals bad key opt"
103	echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
104	${SSH} -i $OBJ/cert_user_key \
105	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
106	if [ $? -eq 0 ]; then
107		fail "ssh cert connect succeeded unexpectedly"
108	fi
109
110	# authorized_principals with command=false
111	verbose "$tid: ${_prefix} authorized_principals command=false"
112	echo 'command="false" mekmitasdigoat' > \
113	    $OBJ/authorized_principals_$USER
114	${SSH} -i $OBJ/cert_user_key \
115	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
116	if [ $? -eq 0 ]; then
117		fail "ssh cert connect succeeded unexpectedly"
118	fi
119
120
121	# authorized_principals with command=true
122	verbose "$tid: ${_prefix} authorized_principals command=true"
123	echo 'command="true" mekmitasdigoat' > \
124	    $OBJ/authorized_principals_$USER
125	${SSH} -i $OBJ/cert_user_key \
126	    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
127	if [ $? -ne 0 ]; then
128		fail "ssh cert connect failed"
129	fi
130
131	# Setup for principals= key option
132	rm -f $OBJ/authorized_principals_$USER
133	(
134		cat $OBJ/sshd_proxy_bak
135		echo "UsePrivilegeSeparation $privsep"
136	) > $OBJ/sshd_proxy
137
138	# Wrong principals list
139	verbose "$tid: ${_prefix} wrong principals key option"
140	(
141		printf 'cert-authority,principals="gregorsamsa" '
142		cat $OBJ/user_ca_key.pub
143	) > $OBJ/authorized_keys_$USER
144	${SSH} -i $OBJ/cert_user_key \
145	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
146	if [ $? -eq 0 ]; then
147		fail "ssh cert connect succeeded unexpectedly"
148	fi
149
150	# Correct principals list
151	verbose "$tid: ${_prefix} correct principals key option"
152	(
153		printf 'cert-authority,principals="mekmitasdigoat" '
154		cat $OBJ/user_ca_key.pub
155	) > $OBJ/authorized_keys_$USER
156	${SSH} -i $OBJ/cert_user_key \
157	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
158	if [ $? -ne 0 ]; then
159		fail "ssh cert connect failed"
160	fi
161done
162