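#	$OpenBSD: principals-command.sh,v 1.14 2021/09/30 05:26:26 dtucker Exp $
#	Placed in the Public Domain.

# Regression test for sshd's AuthorizedPrincipalsCommand and for the
# principals="..." option on a cert-authority line in authorized_keys.
#
# This file is not standalone. It relies on the sourcing test harness for
# OBJ, SSH, SSHKEYGEN, SUDO, SSH_KEYTYPES, USER and LOGNAME, and for the
# skip/fatal/fail/verbose functions; none of them are defined here.
#
# SSH, SSHKEYGEN and SUDO are deliberately left unquoted because they may
# carry more than one word. Path expansions are quoted so the shell neither
# word-splits nor globs them.

tid="authorized principals command"

rm -f "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# Without SUDO the helper can only be installed if /var/run is writable.
# Two separate tests replace the obsolescent, ambiguous "-a" operator.
if [ -z "$SUDO" ] && [ ! -w /var/run ]; then
	skip "need SUDO to create file in /var/run, test won't work without"
fi

case "$SSH_KEYTYPES" in
	*ssh-rsa*)	userkeytype=rsa ;;
	*)		userkeytype=ed25519 ;;
esac

# The certificate serial is the PID of this shell; the helper checks it (%s).
SERIAL=$$

# try_cert_login REMOTE_CMD
# Attempt a login through the proxy config using the test certificate and run
# REMOTE_CMD on "somehost". All output is discarded; only the exit status of
# ssh is reported to the caller.
try_cert_login() {
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost "$1" >/dev/null 2>&1
}

# Create a CA key and a user certificate.
# The certificate carries two principals: the login name and "mekmitasdigoat".
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_ca_key" || \
	fatal "ssh-keygen of user_ca_key failed"
${SSHKEYGEN} -q -N '' -t ${userkeytype} -f "$OBJ/cert_user_key" || \
	fatal "ssh-keygen of cert_user_key failed"
${SSHKEYGEN} -q -s "$OBJ/user_ca_key" -I "Joanne User" \
    -z "$SERIAL" -n "${USER},mekmitasdigoat" "$OBJ/cert_user_key" || \
	fatal "couldn't sign cert_user_key"

# Values the helper expects for %k, %K, %f and %F respectively.
CERT_BODY=`awk '{ print $2 }' "$OBJ/cert_user_key-cert.pub"`
CA_BODY=`awk '{ print $2 }' "$OBJ/user_ca_key.pub"`
CERT_FP=`${SSHKEYGEN} -lf "$OBJ/cert_user_key-cert.pub" | awk '{ print $2 }'`
CA_FP=`${SSHKEYGEN} -lf "$OBJ/user_ca_key.pub" | awk '{ print $2 }'`

# Establish an AuthorizedPrincipalsCommand in /var/run where it will have
# acceptable directory permissions. sshd_config(5) requires the program to be
# owned by root and not writable by group or others; check-perm is asked
# below whether the installed path is acceptable.
#
# NOTE(review): the file name is predictable (login name plus PID) and is
# created through a redirection run under $SUDO. That is only safe while
# /var/run is not writable by untrusted users; confirm on the test host.
PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}.$$"
# Remove the helper on any exit path. The trap text is expanded now, so it
# keeps the path even if the variable changes later.
trap "$SUDO rm -f '${PRINCIPALS_COMMAND}'" 0
# The helper compares its nine arguments, in order, with the values sshd
# should substitute for "%u %t %T %i %s %F %f %k %K": login name, certificate
# type, CA key type, key ID, serial, CA fingerprint, certificate fingerprint,
# base64 certificate and base64 CA key. Any mismatch exits non-zero, so no
# principals are printed. Only on a full match does it print the per-user
# authorized_principals file.
# NOTE(review): the helper reads authorized_principals_${LOGNAME} while the
# tests below write authorized_principals_$USER; these name the same file
# only if the harness keeps LOGNAME equal to USER. Confirm.
cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
#!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1
test "x\$2" != "xssh-${userkeytype}-cert-v01@openssh.com" && exit 1
test "x\$3" != "xssh-ed25519" && exit 1
test "x\$4" != "xJoanne User" && exit 1
test "x\$5" != "x${SERIAL}" && exit 1
test "x\$6" != "x${CA_FP}" && exit 1
test "x\$7" != "x${CERT_FP}" && exit 1
test "x\$8" != "x${CERT_BODY}" && exit 1
test "x\$9" != "x${CA_BODY}" && exit 1
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
	exec cat "$OBJ/authorized_principals_${LOGNAME}"
_EOF
test $? -eq 0 || fatal "couldn't prepare principals command"
# 0755: readable and executable by everyone, writable by the owner only.
$SUDO chmod 0755 "$PRINCIPALS_COMMAND"

if ! "$OBJ/check-perm" -m keys-command "$PRINCIPALS_COMMAND" ; then
	echo "skipping: $PRINCIPALS_COMMAND is unsuitable as " \
	    "AuthorizedPrincipalsCommand"
	$SUDO rm -f "$PRINCIPALS_COMMAND"
	exit 0
fi

if [ ! -x "$PRINCIPALS_COMMAND" ]; then
	skip "$PRINCIPALS_COMMAND not executable " \
	    "(/var/run mounted noexec?)"
fi

# Test explicitly-specified principals
# Setup for AuthorizedPrincipalsCommand
# "AuthorizedKeysFile none" and the removed authorized_keys file leave the
# principals command as the only route by which the certificate can be
# accepted. Running the command as ${LOGNAME} is a test convenience;
# sshd_config(5) recommends a dedicated user with no other role on the host.
rm -f "$OBJ/authorized_keys_$USER"
(
	cat "$OBJ/sshd_proxy_bak"
	echo "AuthorizedKeysFile none"
	echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
	    "%u %t %T %i %s %F %f %k %K"
	echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
) > "$OBJ/sshd_proxy"

# XXX test missing command
# XXX test failing command

# Empty authorized_principals
# No principal is listed, so the login must be refused.
verbose "$tid: empty authorized_principals"
echo > "$OBJ/authorized_principals_$USER"
if try_cert_login true; then
	fail "ssh cert connect succeeded unexpectedly"
fi

# Wrong authorized_principals
# The listed principal is not one of the certificate's principals.
verbose "$tid: wrong authorized_principals"
echo gregorsamsa > "$OBJ/authorized_principals_$USER"
if try_cert_login true; then
	fail "ssh cert connect succeeded unexpectedly"
fi

# Correct authorized_principals
verbose "$tid: correct authorized_principals"
echo mekmitasdigoat > "$OBJ/authorized_principals_$USER"
if ! try_cert_login true; then
	fail "ssh cert connect failed"
fi

# authorized_principals with bad key option
# An unparseable option in front of a matching principal must not authorize.
verbose "$tid: authorized_principals bad key opt"
echo 'blah mekmitasdigoat' > "$OBJ/authorized_principals_$USER"
if try_cert_login true; then
	fail "ssh cert connect succeeded unexpectedly"
fi

# authorized_principals with command=false
# The client asks for "true"; a non-zero exit status is expected here, which
# shows that the forced command ran instead.
verbose "$tid: authorized_principals command=false"
echo 'command="false" mekmitasdigoat' > \
    "$OBJ/authorized_principals_$USER"
if try_cert_login true; then
	fail "ssh cert connect succeeded unexpectedly"
fi


# authorized_principals with command=true
# The client asks for "false"; a zero exit status is expected here, which
# shows that the forced command ran instead.
verbose "$tid: authorized_principals command=true"
echo 'command="true" mekmitasdigoat' > \
    "$OBJ/authorized_principals_$USER"
if ! try_cert_login false; then
	fail "ssh cert connect failed"
fi

# Setup for principals= key option
# TODO: remove?
# Restore the saved proxy config, which drops the AuthorizedPrincipalsCommand
# settings added above, and remove the principals file the helper served.
rm -f "$OBJ/authorized_principals_$USER"
cat "$OBJ/sshd_proxy_bak" > "$OBJ/sshd_proxy"

# Wrong principals list
# The CA is trusted via authorized_keys, but only for a principal that the
# certificate does not carry.
verbose "$tid: wrong principals key option"
(
	printf 'cert-authority,principals="gregorsamsa" '
	cat "$OBJ/user_ca_key.pub"
) > "$OBJ/authorized_keys_$USER"
if try_cert_login true; then
	fail "ssh cert connect succeeded unexpectedly"
fi

# Correct principals list
verbose "$tid: correct principals key option"
(
	printf 'cert-authority,principals="mekmitasdigoat" '
	cat "$OBJ/user_ca_key.pub"
) > "$OBJ/authorized_keys_$USER"
if ! try_cert_login true; then
	fail "ssh cert connect failed"
fi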