1# $OpenBSD: agent.sh,v 1.21 2023/03/01 09:29:32 dtucker Exp $ 2# Placed in the Public Domain. 3 4tid="simple agent test" 5 6SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1 7if [ $? -ne 2 ]; then 8 fail "ssh-add -l did not fail with exit code 2" 9fi 10 11trace "start agent, args ${EXTRA_AGENT_ARGS} -s" 12eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` >`ssh_logfile ssh-agent` 13r=$? 14if [ $r -ne 0 ]; then 15 fatal "could not start ssh-agent: exit code $r" 16fi 17 18eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s | sed 's/SSH_/FW_SSH_/g'` > /dev/null 19r=$? 20if [ $r -ne 0 ]; then 21 fatal "could not start second ssh-agent: exit code $r" 22fi 23 24${SSHADD} -l > /dev/null 2>&1 25if [ $? -ne 1 ]; then 26 fail "ssh-add -l did not fail with exit code 1" 27fi 28 29rm -f $OBJ/user_ca_key $OBJ/user_ca_key.pub 30${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \ 31 || fatal "ssh-keygen failed" 32 33trace "overwrite authorized keys" 34printf '' > $OBJ/authorized_keys_$USER 35 36for t in ${SSH_KEYTYPES}; do 37 # generate user key for agent 38 rm -f $OBJ/$t-agent $OBJ/$t-agent.pub* 39 ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\ 40 fatal "ssh-keygen for $t-agent failed" 41 # Make a certificate for each too. 42 ${SSHKEYGEN} -qs $OBJ/user_ca_key -I "$t cert" \ 43 -n estragon $OBJ/$t-agent.pub || fatal "ca sign failed" 44 45 # add to authorized keys 46 cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER 47 # add private key to agent 48 ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1 49 if [ $? -ne 0 ]; then 50 fail "ssh-add failed exit code $?" 51 fi 52 # add private key to second agent 53 SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1 54 if [ $? -ne 0 ]; then 55 fail "ssh-add failed exit code $?" 56 fi 57 # Move private key to ensure that we aren't accidentally using it. 58 # Keep the corresponding public keys/certs around for later use. 59 mv -f $OBJ/$t-agent $OBJ/$t-agent-private 60 cp -f $OBJ/$t-agent.pub $OBJ/$t-agent-private.pub 61 cp -f $OBJ/$t-agent-cert.pub $OBJ/$t-agent-private-cert.pub 62done 63 64# Remove explicit identity directives from ssh_proxy 65mv $OBJ/ssh_proxy $OBJ/ssh_proxy_bak 66grep -vi identityfile $OBJ/ssh_proxy_bak > $OBJ/ssh_proxy 67 68${SSHADD} -l > /dev/null 2>&1 69r=$? 70if [ $r -ne 0 ]; then 71 fail "ssh-add -l failed: exit code $r" 72fi 73# the same for full pubkey output 74${SSHADD} -L > /dev/null 2>&1 75r=$? 76if [ $r -ne 0 ]; then 77 fail "ssh-add -L failed: exit code $r" 78fi 79 80trace "simple connect via agent" 81${SSH} -F $OBJ/ssh_proxy somehost exit 52 82r=$? 83if [ $r -ne 52 ]; then 84 fail "ssh connect with failed (exit code $r)" 85fi 86 87for t in ${SSH_KEYTYPES}; do 88 trace "connect via agent using $t key" 89 if [ "$t" = "ssh-dss" ]; then 90 echo "PubkeyAcceptedAlgorithms +ssh-dss" >> $OBJ/ssh_proxy 91 echo "PubkeyAcceptedAlgorithms +ssh-dss" >> $OBJ/sshd_proxy 92 fi 93 ${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub -oIdentitiesOnly=yes \ 94 somehost exit 52 95 r=$? 96 if [ $r -ne 52 ]; then 97 fail "ssh connect with failed (exit code $r)" 98 fi 99done 100 101trace "agent forwarding" 102${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 103r=$? 104if [ $r -ne 0 ]; then 105 fail "ssh-add -l via agent fwd failed (exit code $r)" 106fi 107${SSH} "-oForwardAgent=$SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 108r=$? 109if [ $r -ne 0 ]; then 110 fail "ssh-add -l via agent path fwd failed (exit code $r)" 111fi 112${SSH} -A -F $OBJ/ssh_proxy somehost \ 113 "${SSH} -F $OBJ/ssh_proxy somehost exit 52" 114r=$? 115if [ $r -ne 52 ]; then 116 fail "agent fwd failed (exit code $r)" 117fi 118 119trace "agent forwarding different agent" 120${SSH} "-oForwardAgent=$FW_SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 121r=$? 122if [ $r -ne 0 ]; then 123 fail "ssh-add -l via agent path fwd of different agent failed (exit code $r)" 124fi 125${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 126r=$? 127if [ $r -ne 0 ]; then 128 fail "ssh-add -l via agent path env fwd of different agent failed (exit code $r)" 129fi 130 131# Remove keys from forwarded agent, ssh-add on remote machine should now fail. 132SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} -D > /dev/null 2>&1 133r=$? 134if [ $r -ne 0 ]; then 135 fail "ssh-add -D failed: exit code $r" 136fi 137${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 138r=$? 139if [ $r -ne 1 ]; then 140 fail "ssh-add -l with different agent did not fail with exit code 1 (exit code $r)" 141fi 142 143(printf 'cert-authority,principals="estragon" '; cat $OBJ/user_ca_key.pub) \ 144 > $OBJ/authorized_keys_$USER 145for t in ${SSH_KEYTYPES}; do 146 if [ "$t" != "ssh-dss" ]; then 147 trace "connect via agent using $t key" 148 ${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub \ 149 -oCertificateFile=$OBJ/$t-agent-cert.pub \ 150 -oIdentitiesOnly=yes somehost exit 52 151 r=$? 152 if [ $r -ne 52 ]; then 153 fail "ssh connect with failed (exit code $r)" 154 fi 155 fi 156done 157 158## Deletion tests. 159 160trace "delete all agent keys" 161${SSHADD} -D > /dev/null 2>&1 162r=$? 163if [ $r -ne 0 ]; then 164 fail "ssh-add -D failed: exit code $r" 165fi 166# make sure they're gone 167${SSHADD} -l > /dev/null 2>&1 168r=$? 169if [ $r -ne 1 ]; then 170 fail "ssh-add -l returned unexpected exit code: $r" 171fi 172trace "readd keys" 173# re-add keys/certs to agent 174for t in ${SSH_KEYTYPES}; do 175 ${SSHADD} $OBJ/$t-agent-private >/dev/null 2>&1 || \ 176 fail "ssh-add failed exit code $?" 177done 178# make sure they are there 179${SSHADD} -l > /dev/null 2>&1 180r=$? 181if [ $r -ne 0 ]; then 182 fail "ssh-add -l failed: exit code $r" 183fi 184 185check_key_absent() { 186 ${SSHADD} -L | grep "^$1 " >/dev/null 187 if [ $? -eq 0 ]; then 188 fail "$1 key unexpectedly present" 189 fi 190} 191check_key_present() { 192 ${SSHADD} -L | grep "^$1 " >/dev/null 193 if [ $? -ne 0 ]; then 194 fail "$1 key missing from agent" 195 fi 196} 197 198# delete the ed25519 key 199trace "delete single key by file" 200${SSHADD} -qdk $OBJ/ssh-ed25519-agent || fail "ssh-add -d ed25519 failed" 201check_key_absent ssh-ed25519 202check_key_present ssh-ed25519-cert-v01@openssh.com 203# Put key/cert back. 204${SSHADD} $OBJ/ssh-ed25519-agent-private >/dev/null 2>&1 || \ 205 fail "ssh-add failed exit code $?" 206check_key_present ssh-ed25519 207# Delete both key and certificate. 208trace "delete key/cert by file" 209${SSHADD} -qd $OBJ/ssh-ed25519-agent || fail "ssh-add -d ed25519 failed" 210check_key_absent ssh-ed25519 211check_key_absent ssh-ed25519-cert-v01@openssh.com 212# Put key/cert back. 213${SSHADD} $OBJ/ssh-ed25519-agent-private >/dev/null 2>&1 || \ 214 fail "ssh-add failed exit code $?" 215check_key_present ssh-ed25519 216# Delete certificate via stdin 217${SSHADD} -qd - < $OBJ/ssh-ed25519-agent-cert.pub || fail "ssh-add -d - failed" 218check_key_present ssh-ed25519 219check_key_absent ssh-ed25519-cert-v01@openssh.com 220# Delete key via stdin 221${SSHADD} -qd - < $OBJ/ssh-ed25519-agent.pub || fail "ssh-add -d - failed" 222check_key_absent ssh-ed25519 223check_key_absent ssh-ed25519-cert-v01@openssh.com 224 225trace "kill agent" 226${SSHAGENT} -k > /dev/null 227SSH_AGENT_PID=$FW_SSH_AGENT_PID ${SSHAGENT} -k > /dev/null 228