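#	$OpenBSD: cert-userkey.sh,v 1.28 2021/09/30 05:26:26 dtucker Exp $
#	Placed in the Public Domain.
#
# Regression test for user authentication with SSH certificates.  It creates
# a throw-away CA, signs one certificate per supported key type, and then
# connects with ${SSH} -F $OBJ/ssh_proxy while sshd_proxy, authorized_keys
# and authorized_principals are rewritten to cover principal matching, key
# options, revocation (plain key list and KRL) and certificate constraints.
#
# Relies on the calling harness for OBJ, USER, SSH, SSHKEYGEN and for the
# helpers verbose, fail, fatal and maybe_filter_sk; none is defined here.
#
# Reading the results: the "must be refused" cases discard ssh's output and
# treat any non-zero exit status as a refusal, so on their own they cannot
# tell a policy rejection from a broken setup.  The "must succeed" cases run
# against the same generated configuration are what show that the connection
# path itself works; keep the two paired when adding new negative cases.

tid="certified user keys"

# Start from a clean slate and keep pristine copies of both proxy configs;
# every case below rebuilds its config from the *_bak copies.
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak

# Plain key types reported by the client, reduced to short names: the
# leading "ssh-" is stripped and ssh-dss is spelled "dsa".
PLAIN_TYPES=$($SSH -Q key-plain | maybe_filter_sk | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//')
EXTRA_TYPES=""
rsa=""

# When RSA is available, also exercise the RSA/SHA2 signature algorithms and
# remember the fact in $rsa (used for the CA key type and by kname).
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
	rsa=rsa
	PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
fi

#######################################
# Print the PubkeyAcceptedAlgorithms pattern list to use for a key type.
# Globals:   rsa (read), n (written; no function-local scope is used)
# Arguments: $1 - short key type name as found in PLAIN_TYPES
# Outputs:   "<name>*,ssh-ed25519*", or "<name>*,ssh-rsa*,ssh-ed25519*" when
#            RSA is available
# NOTE(review): the extra ssh-rsa*/ssh-ed25519* patterns presumably keep the
# CA key type chosen below acceptable - confirm.
#######################################
kname() {
	case $1 in
	rsa-sha2-*) n="$1" ;;
	sk-ecdsa-*) n="sk-ecdsa" ;;
	sk-ssh-ed25519*) n="sk-ssh-ed25519" ;;
	# subshell because some seds will add a newline
	*) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;;
	esac
	if [ -z "$rsa" ]; then
		echo "$n*,ssh-ed25519*"
	else
		echo "$n*,ssh-rsa*,ssh-ed25519*"
	fi
}

# Create a CA key (RSA when available, otherwise Ed25519).  The key has an
# empty passphrase and lives only in $OBJ for the duration of the test.
if [ -n "$rsa" ]; then
	catype=rsa
else
	catype=ed25519
fi
${SSHKEYGEN} -q -N '' -t $catype -f $OBJ/user_ca_key || \
	fail "ssh-keygen of user_ca_key failed"

# Generate and sign user keys
for ktype in $PLAIN_TYPES $EXTRA_TYPES ; do
	verbose "$tid: sign user ${ktype} cert"
	${SSHKEYGEN} -q -N '' -t ${ktype} \
	    -f $OBJ/cert_user_key_${ktype} || \
		fatal "ssh-keygen of cert_user_key_${ktype} failed"
	# Generate RSA/SHA2 certs for rsa-sha2* keys.
	case $ktype in
	rsa-sha2-*)	tflag="-t $ktype" ;;
	*)		tflag="" ;;
	esac
	# $tflag is left unquoted on purpose so "-t <type>" splits into two
	# arguments.  The certificate serial is this shell's PID and the
	# principals are the current user plus "mekmitasdigoat".
	${SSHKEYGEN} -q -s $OBJ/user_ca_key -z $$ \
	    -I "regress user key for $USER" \
	    -n ${USER},mekmitasdigoat $tflag $OBJ/cert_user_key_${ktype} || \
		fatal "couldn't sign cert_user_key_${ktype}"
done

# Test explicitly-specified principals
for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
	t=$(kname $ktype)
	_prefix="${ktype}"

	# Setup for AuthorizedPrincipalsFile
	rm -f $OBJ/authorized_keys_$USER
	(
		cat $OBJ/sshd_proxy_bak
		echo "AuthorizedPrincipalsFile " \
		    "$OBJ/authorized_principals_%u"
		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
		echo "PubkeyAcceptedAlgorithms ${t}"
	) > $OBJ/sshd_proxy
	(
		cat $OBJ/ssh_proxy_bak
		echo "PubkeyAcceptedAlgorithms ${t}"
	) > $OBJ/ssh_proxy

	# Missing authorized_principals: must be refused
	verbose "$tid: ${_prefix} missing authorized_principals"
	rm -f $OBJ/authorized_principals_$USER
	${SSH} -i $OBJ/cert_user_key_${ktype} \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Empty authorized_principals: must be refused
	verbose "$tid: ${_prefix} empty authorized_principals"
	echo > $OBJ/authorized_principals_$USER
	${SSH} -i $OBJ/cert_user_key_${ktype} \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Wrong authorized_principals: a name the cert does not carry
	verbose "$tid: ${_prefix} wrong authorized_principals"
	echo gregorsamsa > $OBJ/authorized_principals_$USER
	${SSH} -i $OBJ/cert_user_key_${ktype} \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Correct authorized_principals: the positive control for this group
	verbose "$tid: ${_prefix} correct authorized_principals"
	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
	${SSH} -i $OBJ/cert_user_key_${ktype} \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -ne 0 ]; then
		fail "ssh cert connect failed"
	fi

	# authorized_principals with bad key option: the matching principal
	# is present, but the line carries an unknown option and must not
	# be honoured.
	verbose "$tid: ${_prefix} authorized_principals bad key opt"
	echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
	${SSH} -i $OBJ/cert_user_key_${ktype} \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# authorized_principals with command=false: the client asks for
	# "true", so a zero exit would mean the forced command was ignored.
	verbose "$tid: ${_prefix} authorized_principals command=false"
	echo 'command="false" mekmitasdigoat' > \
	    $OBJ/authorized_principals_$USER
	${SSH} -i $OBJ/cert_user_key_${ktype} \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi


	# authorized_principals with command=true: the client asks for
	# "false", so a zero exit shows the forced command ran instead.
	verbose "$tid: ${_prefix} authorized_principals command=true"
	echo 'command="true" mekmitasdigoat' > \
	    $OBJ/authorized_principals_$USER
	${SSH} -i $OBJ/cert_user_key_${ktype} \
	    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
	if [ $? -ne 0 ]; then
		fail "ssh cert connect failed"
	fi

	# Setup for principals= key option: no TrustedUserCAKeys and no
	# AuthorizedPrincipalsFile, the CA is trusted via authorized_keys only.
	rm -f $OBJ/authorized_principals_$USER
	(
		cat $OBJ/sshd_proxy_bak
		echo "PubkeyAcceptedAlgorithms ${t}"
	) > $OBJ/sshd_proxy
	(
		cat $OBJ/ssh_proxy_bak
		echo "PubkeyAcceptedAlgorithms ${t}"
	) > $OBJ/ssh_proxy

	# Wrong principals list
	verbose "$tid: ${_prefix} wrong principals key option"
	(
		printf 'cert-authority,principals="gregorsamsa" '
		cat $OBJ/user_ca_key.pub
	) > $OBJ/authorized_keys_$USER
	${SSH} -i $OBJ/cert_user_key_${ktype} \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Correct principals list
	verbose "$tid: ${_prefix} correct principals key option"
	(
		printf 'cert-authority,principals="mekmitasdigoat" '
		cat $OBJ/user_ca_key.pub
	) > $OBJ/authorized_keys_$USER
	${SSH} -i $OBJ/cert_user_key_${ktype} \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -ne 0 ]; then
		fail "ssh cert connect failed"
	fi
done

#######################################
# Connect, revocation and CA-misuse checks for one way of trusting the CA.
# Globals:   OBJ, USER, SSH, SSHKEYGEN, PLAIN_TYPES, tid (read);
#            auth, extra_sshd, ktype, t, _prefix (written; not local)
# Arguments: $1 - "authorized_keys" to trust the CA through a cert-authority
#                 line; any other value trusts it through TrustedUserCAKeys
#                 in sshd_proxy
#######################################
basic_tests() {
	auth=$1
	# Reset explicitly so a value from an earlier call cannot leak into
	# the authorized_keys variant.
	extra_sshd=""
	if test "x$auth" = "xauthorized_keys" ; then
		# Add CA to authorized_keys
		(
			printf 'cert-authority '
			cat $OBJ/user_ca_key.pub
		) > $OBJ/authorized_keys_$USER
	else
		echo > $OBJ/authorized_keys_$USER
		extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
	fi

	for ktype in $PLAIN_TYPES ; do
		t=$(kname $ktype)
		_prefix="${ktype} $auth"
		# Simple connect (output is not discarded here)
		verbose "$tid: ${_prefix} connect"
		(
			cat $OBJ/sshd_proxy_bak
			echo "PubkeyAcceptedAlgorithms ${t}"
			echo "$extra_sshd"
		) > $OBJ/sshd_proxy
		(
			cat $OBJ/ssh_proxy_bak
			echo "PubkeyAcceptedAlgorithms ${t}"
		) > $OBJ/ssh_proxy

		${SSH} -i $OBJ/cert_user_key_${ktype} \
		    -F $OBJ/ssh_proxy somehost true
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi

		# Revoked keys: RevokedKeys points at a plain copy of the
		# certificate's .pub file.
		verbose "$tid: ${_prefix} revoked key"
		(
			cat $OBJ/sshd_proxy_bak
			echo "RevokedKeys $OBJ/cert_user_key_revoked"
			echo "PubkeyAcceptedAlgorithms ${t}"
			echo "$extra_sshd"
		) > $OBJ/sshd_proxy
		cp $OBJ/cert_user_key_${ktype}.pub \
		    $OBJ/cert_user_key_revoked
		${SSH} -i $OBJ/cert_user_key_${ktype} \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi
		# Same revocation, now expressed as a KRL in the same file.
		verbose "$tid: ${_prefix} revoked via KRL"
		rm $OBJ/cert_user_key_revoked
		${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
		    $OBJ/cert_user_key_${ktype}.pub
		${SSH} -i $OBJ/cert_user_key_${ktype} \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi
		# A KRL that lists nothing must not block the certificate.
		verbose "$tid: ${_prefix} empty KRL"
		${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
		${SSH} -i $OBJ/cert_user_key_${ktype} \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi
	done

	# Revoked CA: listing the CA public key in RevokedKeys must invalidate
	# certificates it signed.  This runs once, after the loop, so ${ktype}
	# and ${t} are whatever the last loop iteration left behind.
	verbose "$tid: ${ktype} $auth revoked CA key"
	(
		cat $OBJ/sshd_proxy_bak
		echo "RevokedKeys $OBJ/user_ca_key.pub"
		echo "PubkeyAcceptedAlgorithms ${t}"
		echo "$extra_sshd"
	) > $OBJ/sshd_proxy
	${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
	    somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Trusting a key as a CA must not make the CA key itself usable as a
	# login key: present the CA private key directly as the identity.
	verbose "$tid: $auth CA does not authenticate"
	(
		cat $OBJ/sshd_proxy_bak
		echo "PubkeyAcceptedAlgorithms ${t}"
		echo "$extra_sshd"
	) > $OBJ/sshd_proxy
	verbose "$tid: ensure CA key does not authenticate user"
	${SSH} -i $OBJ/user_ca_key \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect with CA key succeeded unexpectedly"
	fi
}

basic_tests authorized_keys
basic_tests TrustedUserCAKeys

#######################################
# Re-sign the rsa (when available) and ed25519 user keys with the given
# options and check that a connection succeeds or is refused as expected.
# Globals:   OBJ, USER, SSH, SSHKEYGEN, rsa, t, tid (read);
#            ident, result, sign_opts, auth_choice, auth_opt, auth, ktype,
#            rc (written; not local)
# Arguments: $1 - label used in log and failure messages
#            $2 - "success" if the connection must work; any other value
#                 means it must be refused
#            $3 - options handed to ssh-keygen when signing (word-split)
#            $4 - space-separated list of "authorized_keys" and/or
#                 "TrustedUserCAKeys"; empty means both
#            $5 - for authorized_keys: text appended directly after
#                 "cert-authority" (callers start it with a comma);
#                 for TrustedUserCAKeys: an extra line for sshd_proxy
#######################################
test_one() {
	ident=$1
	result=$2
	sign_opts=$3
	auth_choice=$4
	auth_opt=$5

	if test "x$auth_choice" = "x" ; then
		auth_choice="authorized_keys TrustedUserCAKeys"
	fi

	for auth in $auth_choice ; do
		for ktype in $rsa ed25519 ; do
			cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
			if test "x$auth" = "xauthorized_keys" ; then
				# Add CA to authorized_keys.  auth_opt is
				# passed as data, never as the printf format.
				(
					printf '%s ' "cert-authority${auth_opt}"
					cat $OBJ/user_ca_key.pub
				) > $OBJ/authorized_keys_$USER
			else
				echo > $OBJ/authorized_keys_$USER
				echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
				    >> $OBJ/sshd_proxy
				# $t is not set in this function: it is
				# whatever the last kname call outside left
				# behind, with one more "*" appended.
				# NOTE(review): confirm this is intended.
				echo "PubkeyAcceptedAlgorithms ${t}*" \
				    >> $OBJ/sshd_proxy
				if test "x$auth_opt" != "x" ; then
					echo "$auth_opt" >> $OBJ/sshd_proxy
				fi
			fi

			verbose "$tid: $ident auth $auth expect $result $ktype"
			# $sign_opts is left unquoted on purpose so it
			# splits into separate ssh-keygen arguments.
			${SSHKEYGEN} -q -s $OBJ/user_ca_key \
			    -I "regress user key for $USER" \
			    $sign_opts $OBJ/cert_user_key_${ktype} ||
				fail "couldn't sign cert_user_key_${ktype}"

			${SSH} -i $OBJ/cert_user_key_${ktype} \
			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
			rc=$?
			if [ "x$result" = "xsuccess" ] ; then
				if [ $rc -ne 0 ]; then
					fail "$ident failed unexpectedly"
				fi
			else
				if [ $rc -eq 0 ]; then
					fail "$ident succeeded unexpectedly"
				fi
			fi
		done
	done
}

test_one "correct principal"	success "-n ${USER}"
test_one "host-certificate"	failure "-n ${USER} -h"
test_one "wrong principals"	failure "-n foo"
# NOTE(review): fixed calendar window - this case stops describing a
# not-yet-valid certificate once the system clock passes 2030-01-01.
test_one "cert not yet valid"	failure "-n ${USER} -V20300101:20320101"
test_one "cert expired"		failure "-n ${USER} -V19800101:19900101"
test_one "cert valid interval"	success "-n ${USER} -V-1w:+2w"
# Expects the test connection's source address to lie outside 10.0.0.0/8.
test_one "wrong source-address"	failure "-n ${USER} -Osource-address=10.0.0.0/8"
test_one "force-command"	failure "-n ${USER} -Oforce-command=false"

# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
test_one "empty principals"	success "" authorized_keys
test_one "empty principals"	failure "" TrustedUserCAKeys

# Check explicitly-specified principals: an empty principals list in the cert
# should always be refused.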
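#
# AuthorizedPrincipalsFile: a certificate with no principals must be refused
# even though the principals file names an accepted principal.
rm -f $OBJ/authorized_keys_$USER
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
    TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
test_one "AuthorizedPrincipalsFile no principals" failure "" \
    TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"

# principals= key option: same pair of checks with the principal list given
# on the cert-authority line in authorized_keys.
rm -f $OBJ/authorized_principals_$USER
test_one "principals key option principals" success "-n mekmitasdigoat" \
    authorized_keys ',principals="mekmitasdigoat"'
test_one "principals key option no principals" failure "" \
    authorized_keys ',principals="mekmitasdigoat"'

# command= options vs. force-command in key
# The "match false" case is expected to fail as well: both sides agree on
# the command, but the command itself is "false", so ssh exits non-zero.
test_one "force-command match true" success \
    "-n ${USER} -Oforce-command=true" \
    authorized_keys ',command="true"'
test_one "force-command match false" failure \
    "-n ${USER} -Oforce-command=false" \
    authorized_keys ',command="false"'
test_one "force-command mismatch 1" failure \
    "-n ${USER} -Oforce-command=false" \
    authorized_keys ',command="true"'
test_one "force-command mismatch 2" failure \
    "-n ${USER} -Oforce-command=true" \
    authorized_keys ',command="false"'

# Wrong certificate: each user key signs its own certificate, so the issuer
# is the user key rather than the CA and the login must be refused.
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
for ktype in $PLAIN_TYPES ; do
	t=$(kname $ktype)
	# Self-sign
	${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
	    "regress user key for $USER" \
	    -n $USER $OBJ/cert_user_key_${ktype} ||
		fatal "couldn't sign cert_user_key_${ktype}"
	verbose "$tid: user ${ktype} connect wrong cert"
	${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
	    somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		# Name the key type under test in the failure message.
		fail "ssh cert connect ${ktype} succeeded unexpectedly"
	fi
done

# Remove the generated CA key, user keys, certificates and per-user files.
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
rm -f $OBJ/authorized_principals_$USER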