1# $OpenBSD: cert-file.sh,v 1.7 2018/04/10 00:14:10 djm Exp $ 2# Placed in the Public Domain. 3 4tid="ssh with certificates" 5 6rm -f $OBJ/user_ca_key* $OBJ/user_key* 7rm -f $OBJ/cert_user_key* 8 9# Create a CA key 10${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key1 ||\ 11 fatal "ssh-keygen failed" 12${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key2 ||\ 13 fatal "ssh-keygen failed" 14 15# Make some keys and certificates. 16${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \ 17 fatal "ssh-keygen failed" 18${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \ 19 fatal "ssh-keygen failed" 20${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key3 || \ 21 fatal "ssh-keygen failed" 22${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key4 || \ 23 fatal "ssh-keygen failed" 24${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key5 || \ 25 fatal "ssh-keygen failed" 26 27# Move the certificate to a different address to better control 28# when it is offered. 29${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ 30 -z $$ -n ${USER} $OBJ/user_key1 || 31 fatal "couldn't sign user_key1 with user_ca_key1" 32mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_1.pub 33${SSHKEYGEN} -q -s $OBJ/user_ca_key2 -I "regress user key for $USER" \ 34 -z $$ -n ${USER} $OBJ/user_key1 || 35 fatal "couldn't sign user_key1 with user_ca_key2" 36mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub 37${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ 38 -z $$ -n ${USER} $OBJ/user_key3 || 39 fatal "couldn't sign user_key3 with user_ca_key1" 40rm $OBJ/user_key3.pub # to test use of private key w/o public half. 41${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ 42 -z $$ -n ${USER} $OBJ/user_key4 || 43 fatal "couldn't sign user_key4 with user_ca_key1" 44rm $OBJ/user_key4 $OBJ/user_key4.pub # to test no matching pub/private key case. 45 46trace 'try with identity files' 47opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes" 48opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2" 49echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER 50 51# Make a clean config that doesn't have any pre-added identities. 52cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config 53 54# XXX: verify that certificate used was what we expect. Needs exposure of 55# keys via environment variable or similar. 56 57 # Key with no .pub should work - finding the equivalent *-cert.pub. 58verbose "identity cert with no plain public file" 59${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ 60 -i $OBJ/user_key3 somehost exit 52 61[ $? -ne 52 ] && fail "ssh failed" 62 63# CertificateFile matching private key with no .pub file should work. 64verbose "CertificateFile with no plain public file" 65${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ 66 -oCertificateFile=$OBJ/user_key3-cert.pub \ 67 -i $OBJ/user_key3 somehost exit 52 68[ $? -ne 52 ] && fail "ssh failed" 69 70# Just keys should fail 71verbose "plain keys" 72${SSH} $opts2 somehost exit 52 73r=$? 74if [ $r -eq 52 ]; then 75 fail "ssh succeeded with no certs" 76fi 77 78# Keys with untrusted cert should fail. 79verbose "untrusted cert" 80opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" 81${SSH} $opts3 somehost exit 52 82r=$? 83if [ $r -eq 52 ]; then 84 fail "ssh succeeded with bad cert" 85fi 86 87# Good cert with bad key should fail. 88verbose "good cert, bad key" 89opts3="$opts -i $OBJ/user_key2" 90opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" 91${SSH} $opts3 somehost exit 52 92r=$? 93if [ $r -eq 52 ]; then 94 fail "ssh succeeded with no matching key" 95fi 96 97# Keys with one trusted cert, should succeed. 98verbose "single trusted" 99opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" 100${SSH} $opts3 somehost exit 52 101r=$? 102if [ $r -ne 52 ]; then 103 fail "ssh failed with trusted cert and key" 104fi 105 106# Multiple certs and keys, with one trusted cert, should succeed. 107verbose "multiple trusted" 108opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" 109opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" 110${SSH} $opts3 somehost exit 52 111r=$? 112if [ $r -ne 52 ]; then 113 fail "ssh failed with multiple certs" 114fi 115 116#next, using an agent in combination with the keys 117SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1 118if [ $? -ne 2 ]; then 119 fatal "ssh-add -l did not fail with exit code 2" 120fi 121 122trace "start agent" 123eval `${SSHAGENT} -s` > /dev/null 124r=$? 125if [ $r -ne 0 ]; then 126 fatal "could not start ssh-agent: exit code $r" 127fi 128 129# add private keys to agent 130${SSHADD} -k $OBJ/user_key2 > /dev/null 2>&1 131if [ $? -ne 0 ]; then 132 fatal "ssh-add did not succeed with exit code 0" 133fi 134${SSHADD} -k $OBJ/user_key1 > /dev/null 2>&1 135if [ $? -ne 0 ]; then 136 fatal "ssh-add did not succeed with exit code 0" 137fi 138 139# try ssh with the agent and certificates 140opts="-F $OBJ/ssh_proxy" 141# with no certificates, should fail 142${SSH} $opts somehost exit 52 143if [ $? -eq 52 ]; then 144 fail "ssh connect with agent in succeeded with no cert" 145fi 146 147#with an untrusted certificate, should fail 148opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub" 149${SSH} $opts somehost exit 52 150if [ $? -eq 52 ]; then 151 fail "ssh connect with agent in succeeded with bad cert" 152fi 153 154#with an additional trusted certificate, should succeed 155opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub" 156${SSH} $opts somehost exit 52 157if [ $? -ne 52 ]; then 158 fail "ssh connect with agent in failed with good cert" 159fi 160 161trace "kill agent" 162${SSHAGENT} -k > /dev/null 163 164#cleanup 165rm -f $OBJ/user_ca_key* $OBJ/user_key* 166rm -f $OBJ/cert_user_key* 167