
1 #	$OpenBSD: agent-restrict.sh,v 1.7 2025/03/28 21:45:55 dtucker Exp $
8 rm -f $SSH_AUTH_SOCK $OBJ/agent.log $OBJ/host_[abcdex]* $OBJ/user_[abcdex]*
9 rm -f $OBJ/sshd_proxy_host* $OBJ/ssh_output* $OBJ/expect_*
10 rm -f $OBJ/ssh_proxy[._]* $OBJ/command
13 for h in a b c d e x ca ; do
14 $SSHKEYGEN -q -t ed25519 -C host_$h -N '' -f $OBJ/host_$h || \
15 fatal "ssh-keygen hostkey failed"
16 $SSHKEYGEN -q -t ed25519 -C user_$h -N '' -f $OBJ/user_$h || \
17 fatal "ssh-keygen userkey failed"
21 for h in d e ; do
22 id="host_$h"
23 $SSHKEYGEN -q -s $OBJ/host_ca -I $id -n $id -h $OBJ/host_${h}.pub || \
24 fatal "ssh-keygen certify failed"
28 egrep -vi '(identityfile|hostname|hostkeyalias|proxycommand)' \
36 for h in a b c d e ; do
38 Host host_$h
39 Hostname host_$h
40 HostkeyAlias host_$h
41 IdentityFile $OBJ/user_$h
42 …ER=\"$SSH_SK_HELPER\" ${TEST_SSH_SSHD_ENV} ${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy_host_$h
46 Host host_$h
47 Hostname host_$h
48 HostkeyAlias host_$h
49 …ER=\"$SSH_SK_HELPER\" ${TEST_SSH_SSHD_ENV} ${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy_host_$h
60 rm -f $OBJ/known_hosts
61 for h in a b c x ; do
62 (printf "host_$h " ; cat $OBJ/host_${h}.pub) >> $OBJ/known_hosts
64 (printf "@cert-authority host_* " ; cat $OBJ/host_ca.pub) >> $OBJ/known_hosts
67 egrep -vi '(hostkey|pidfile)' $OBJ/sshd_proxy \
69 for h in a b c d e; do
70 cp $OBJ/sshd_proxy.bak $OBJ/sshd_proxy_host_$h
71 cat << _EOF >> $OBJ/sshd_proxy_host_$h
74 Hostkey $OBJ/host_$h
77 for h in d e ; do
78 echo "HostCertificate $OBJ/host_${h}-cert.pub" \
79 >> $OBJ/sshd_proxy_host_$h
87 keylist) _command="$SSHADD -L | cut -d' ' -f-2 | sort" ;;
92 for h in e d c b a; do
93 (printf "%s" "restrict,agent-forwarding,command=\"$_command\" ";
94 cat $OBJ/user_$h.pub) >> $OBJ/authorized_keys_$USER
97 # Prepare a key for comparison with ExposeAuthInfo/$SSH_USER_AUTH.
101 (printf "publickey " ; cut -d' ' -f-2 $_key) > $_file
106 for u in a b c d e; do
111 # that host (expect_$h file).
118 rm -f $OBJ/ssh_output
119 ${SSH} $_extra -F $OBJ/ssh_proxy $_host true > $OBJ/ssh_output
121 test $_s -eq 0 || fail "host $_host $_case fail, exit status $_s"
135 rm -f $OBJ/ssh_output
136 ${SSH} $_extra -F $OBJ/ssh_proxy_noid \
137 -oIdentityFile=$_keyfile $_host true > $OBJ/ssh_output
139 test $_s -eq 0 || fail "host $_host $_key $_case fail, exit status $_s"
144 # ssh to a host, expecting it to fail.
150 ${SSH} $_extra -F $OBJ/ssh_proxy $_host true >/dev/null && \
153 # ssh to a host using an explicit key, expecting it to fail.
162 ${SSH} $_extra -F $OBJ/ssh_proxy_noid -oIdentityFile=$_keyfile \
166 # Move the private key files out of the way to force use of agent-hosted keys.
169 for u in a b c d e x; do
176 for u in a b c d e x; do
181 ${SSHADD} -D > /dev/null 2>&1 || fatal "clear agent failed"
188 for h in a b c d e ; do
189 expect_succeed $h "w/o agent"
191 test "$h" = "e" && wrongkey=user_a
192 expect_succeed_key $h $wrongkey "\"wrong\" key w/o agent"
195 for h in a b c d e ; do
196 expect_fail $h "w/o agent"
201 ${SSHAGENT} ${EXTRA_AGENT_ARGS} -d -a $SSH_AUTH_SOCK > $OBJ/agent.log 2>&1 &
204 sleep 4 # Give it a chance to start
206 ${SSHADD} -l > /dev/null 2>&1
207 if [ $? -ne 1 ]; then
208 fail "ssh-add -l did not fail with exit code 1"
212 for u in a b c d e x; do
213 $SSHADD -q $OBJ/user_$u || fatal "add key $u unrestricted"
216 for h in a b c d e ; do
217 expect_succeed $h "with agent"
219 test "$h" = "e" && wrongkey=user_a
220 expect_succeed_key $h $wrongkey "\"wrong\" key with agent"
225 rm -f $OBJ/expect_list.pre
227 for u in a b c d e x; do
228 cut -d " " -f-2 $OBJ/user_${u}.pub >> $OBJ/expect_list.pre
231 for h in a b c d e; do
232 cp $OBJ/expect_list $OBJ/expect_$h
233 expect_succeed $h "unrestricted keylist"
240 for h in a b c d e; do
241 $SSHADD -h host_$h -H $OBJ/known_hosts -q $OBJ/user_$h \
245 $SSHADD -q $OBJ/user_x || fatal "add unrestricted key"
248 for h in a b c d e ; do
249 expect_succeed $h "with agent"
253 for h in a b c d e ; do
255 test "$h" = "e" && wrongkey=user_a
256 expect_fail_key $h $wrongkey "wrong key with agent (basic restrict)"
261 # List from forwarded agent should contain only user_x - the unrestricted key.
262 cut -d " " -f-2 $OBJ/user_x.pub > $OBJ/expect_list
263 for h in a b c d e; do
264 cp $OBJ/expect_list $OBJ/expect_$h
265 expect_succeed $h "keylist (basic restrict)"
272 for h in a b c d e; do
273 $SSHADD -h "${USER}@host_$h" -H $OBJ/known_hosts -q $OBJ/user_$h \
277 for h in a b c d e ; do
278 expect_succeed $h "wildcard user"
285 for h in a b c d e; do
286 $SSHADD -h "*@host_$h" -H $OBJ/known_hosts -q $OBJ/user_$h \
290 for h in a b c d e ; do
291 expect_succeed $h "wildcard user"
298 for h in a b c d e; do
299 $SSHADD -h "--BADUSER@host_$h" -H $OBJ/known_hosts -q $OBJ/user_$h \
303 for h in a b c d e ; do
304 expect_fail $h "incorrect user"
313 $SSHADD -h host_e -H $OBJ/known_hosts -q $OBJ/user_d || fatal "add key"
320 # right for 5 hops on the command-line...
325 #set -x
328 if test ! -z "\$me" ; then
329 rm -f $OBJ/done
335 $SSHADD -L | egrep "^ssh" | cut -d" " -f-2 | sort
336 if test -z "\$next" ; then
342 ${SSH} -F $OBJ/ssh_proxy_noid -oIdentityFile=$OBJ/user_a \
347 if test ! -z "\$me" ; then
348 if test ! -f $OBJ/done ; then
350 test \$e -eq 0 && e=63
361 _hops="a b c d e"
362 test -z "$2" || _hops="$2"
366 rm -f $OBJ/expect_keys
367 for h in a b c d e; do
368 cut -d" " -f-2 $OBJ/user_${h}.pub >> $OBJ/expect_keys
370 rm -f $OBJ/expect_a
374 for h in $_hops ; do
375 echo "HOSTNAME host_$h" >> $OBJ/expect_a
377 (printf "publickey " ; cut -d" " -f-2 $OBJ/user_a.pub) >> $OBJ/expect_a
382 if test "x$h" != "x$_lasthop" ; then
384 cut -d" " -f-2 $OBJ/user_a.pub >> $OBJ/expect_a
390 for h in $_revhops "" ; do
391 echo "COMPLETE \"$h\"" >> $OBJ/expect_a
401 $MULTIHOP_RUN "" a b c d e > $OBJ/ssh_output || fail "multihop no agent ssh failed"
406 $SSHADD -q $OBJ/user_[abcde]
408 $MULTIHOP_RUN "" a b c d e > $OBJ/ssh_output || fail "multihop no agent ssh failed"
415 $SSHADD -h host_a -h "host_a>host_b" -h "host_b>host_c" \
416 -h "host_c>host_d" -h "host_d>host_e" \
417 -H $OBJ/known_hosts -q $OBJ/user_a \
419 # Add the other keys, bound to an unused host.
420 $SSHADD -q -h host_x -H $OBJ/known_hosts $OBJ/user_[bcde] || fail "add keys"
422 $MULTIHOP_RUN "" a b c d e > $OBJ/ssh_output || fail "multihop ssh failed"
427 $SSHADD -h host_a -h "host_a>${USER}@host_b" -h "host_b>${USER}@host_c" \
428 -h "host_c>${USER}@host_d" -h "host_d>${USER}@host_e" \
429 -H $OBJ/known_hosts -q $OBJ/user_a || fatal "add key user_a multihop"
431 $MULTIHOP_RUN "" a b c d e > $OBJ/ssh_output || fail "multihop w/ user ssh failed"
436 $SSHADD -h host_a -h "host_a>*@host_b" -h "host_b>*@host_c" \
437 -h "host_c>*@host_d" -h "host_d>*@host_e" \
438 -H $OBJ/known_hosts -q $OBJ/user_a || fatal "add key user_a multihop"
440 $MULTIHOP_RUN "" a b c d e > $OBJ/ssh_output || fail "multihop w/ user ssh failed"
445 $SSHADD -h host_a -h "host_a>*@host_b" -h "host_b>*@host_c" \
446 -h "host_c>--BADUSER@host_d" -h "host_d>*@host_e" \
447 -H $OBJ/known_hosts -q $OBJ/user_a || fatal "add key user_a multihop"
449 $MULTIHOP_RUN "" a b c d e > $OBJ/ssh_output && \
455 prepare_multihop_expected none "a b a a c d e"
456 $MULTIHOP_RUN "" a b a a c d e > $OBJ/ssh_output || \
457 fail "multihop cycle no-agent fail"
462 $SSHADD -q $OBJ/user_[abcde] || fail "add keys"
463 prepare_multihop_expected all "a b a a c d e"
464 $MULTIHOP_RUN "" a b a a c d e > $OBJ/ssh_output || \
470 $SSHADD -q -h host_x -H $OBJ/known_hosts $OBJ/user_[bcde] || fail "add keys"
471 $SSHADD -h host_a -h "host_a>host_b" -h "host_b>host_c" \
472 -h "host_c>host_d" -h "host_d>host_e" \
473 -H $OBJ/known_hosts -q $OBJ/user_a \
475 prepare_multihop_expected filtered "a b a a c d e"
477 $MULTIHOP_RUN "" a b a a c d e > $OBJ/ssh_output && \
483 $SSHADD -q -h host_x -H $OBJ/known_hosts $OBJ/user_[bcde] || fail "add keys"
484 $SSHADD -h host_a -h "host_a>host_b" -h "host_b>host_c" \
485 -h "host_c>host_d" -h "host_d>host_e" \
486 -h "host_b>host_a" -h "host_a>host_a" -h "host_a>host_c" \
487 -H $OBJ/known_hosts -q $OBJ/user_a \
489 prepare_multihop_expected filtered "a b a a c d e"
491 $MULTIHOP_RUN "" a b a a c d e > $OBJ/ssh_output || \