1*ce3adf43SDag-Erling Smørgrav# $OpenBSD: cert-userkey.sh,v 1.11 2013/05/17 00:37:40 dtucker Exp $ 2*ce3adf43SDag-Erling Smørgrav# Placed in the Public Domain. 3*ce3adf43SDag-Erling Smørgrav 4*ce3adf43SDag-Erling Smørgravtid="certified user keys" 5*ce3adf43SDag-Erling Smørgrav 6*ce3adf43SDag-Erling Smørgrav# used to disable ECC based tests on platforms without ECC 7*ce3adf43SDag-Erling Smørgravecdsa="" 8*ce3adf43SDag-Erling Smørgravif test "x$TEST_SSH_ECC" = "xyes"; then 9*ce3adf43SDag-Erling Smørgrav ecdsa=ecdsa 10*ce3adf43SDag-Erling Smørgravfi 11*ce3adf43SDag-Erling Smørgrav 12*ce3adf43SDag-Erling Smørgravrm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* 13*ce3adf43SDag-Erling Smørgravcp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 14*ce3adf43SDag-Erling Smørgrav 15*ce3adf43SDag-Erling Smørgrav# Create a CA key 16*ce3adf43SDag-Erling Smørgrav${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ 17*ce3adf43SDag-Erling Smørgrav fail "ssh-keygen of user_ca_key failed" 18*ce3adf43SDag-Erling Smørgrav 19*ce3adf43SDag-Erling Smørgrav# Generate and sign user keys 20*ce3adf43SDag-Erling Smørgravfor ktype in rsa dsa $ecdsa ; do 21*ce3adf43SDag-Erling Smørgrav verbose "$tid: sign user ${ktype} cert" 22*ce3adf43SDag-Erling Smørgrav ${SSHKEYGEN} -q -N '' -t ${ktype} \ 23*ce3adf43SDag-Erling Smørgrav -f $OBJ/cert_user_key_${ktype} || \ 24*ce3adf43SDag-Erling Smørgrav fail "ssh-keygen of cert_user_key_${ktype} failed" 25*ce3adf43SDag-Erling Smørgrav ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ 26*ce3adf43SDag-Erling Smørgrav -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || 27*ce3adf43SDag-Erling Smørgrav fail "couldn't sign cert_user_key_${ktype}" 28*ce3adf43SDag-Erling Smørgrav # v00 ecdsa certs do not exist 29*ce3adf43SDag-Erling Smørgrav test "${ktype}" = "ecdsa" && continue 30*ce3adf43SDag-Erling Smørgrav cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 31*ce3adf43SDag-Erling Smørgrav cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub 32*ce3adf43SDag-Erling Smørgrav ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ 33*ce3adf43SDag-Erling Smørgrav "regress user key for $USER" \ 34*ce3adf43SDag-Erling Smørgrav -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || 35*ce3adf43SDag-Erling Smørgrav fail "couldn't sign cert_user_key_${ktype}_v00" 36*ce3adf43SDag-Erling Smørgravdone 37*ce3adf43SDag-Erling Smørgrav 38*ce3adf43SDag-Erling Smørgrav# Test explicitly-specified principals 39*ce3adf43SDag-Erling Smørgravfor ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 40*ce3adf43SDag-Erling Smørgrav for privsep in yes no ; do 41*ce3adf43SDag-Erling Smørgrav _prefix="${ktype} privsep $privsep" 42*ce3adf43SDag-Erling Smørgrav 43*ce3adf43SDag-Erling Smørgrav # Setup for AuthorizedPrincipalsFile 44*ce3adf43SDag-Erling Smørgrav rm -f $OBJ/authorized_keys_$USER 45*ce3adf43SDag-Erling Smørgrav ( 46*ce3adf43SDag-Erling Smørgrav cat $OBJ/sshd_proxy_bak 47*ce3adf43SDag-Erling Smørgrav echo "UsePrivilegeSeparation $privsep" 48*ce3adf43SDag-Erling Smørgrav echo "AuthorizedPrincipalsFile " \ 49*ce3adf43SDag-Erling Smørgrav "$OBJ/authorized_principals_%u" 50*ce3adf43SDag-Erling Smørgrav echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" 51*ce3adf43SDag-Erling Smørgrav ) > $OBJ/sshd_proxy 52*ce3adf43SDag-Erling Smørgrav 53*ce3adf43SDag-Erling Smørgrav # Missing authorized_principals 54*ce3adf43SDag-Erling Smørgrav verbose "$tid: ${_prefix} missing authorized_principals" 55*ce3adf43SDag-Erling Smørgrav rm -f $OBJ/authorized_principals_$USER 56*ce3adf43SDag-Erling Smørgrav ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 57*ce3adf43SDag-Erling Smørgrav -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 58*ce3adf43SDag-Erling Smørgrav if [ $? -eq 0 ]; then 59*ce3adf43SDag-Erling Smørgrav fail "ssh cert connect succeeded unexpectedly" 60*ce3adf43SDag-Erling Smørgrav fi 61*ce3adf43SDag-Erling Smørgrav 62*ce3adf43SDag-Erling Smørgrav # Empty authorized_principals 63*ce3adf43SDag-Erling Smørgrav verbose "$tid: ${_prefix} empty authorized_principals" 64*ce3adf43SDag-Erling Smørgrav echo > $OBJ/authorized_principals_$USER 65*ce3adf43SDag-Erling Smørgrav ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 66*ce3adf43SDag-Erling Smørgrav -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 67*ce3adf43SDag-Erling Smørgrav if [ $? -eq 0 ]; then 68*ce3adf43SDag-Erling Smørgrav fail "ssh cert connect succeeded unexpectedly" 69*ce3adf43SDag-Erling Smørgrav fi 70*ce3adf43SDag-Erling Smørgrav 71*ce3adf43SDag-Erling Smørgrav # Wrong authorized_principals 72*ce3adf43SDag-Erling Smørgrav verbose "$tid: ${_prefix} wrong authorized_principals" 73*ce3adf43SDag-Erling Smørgrav echo gregorsamsa > $OBJ/authorized_principals_$USER 74*ce3adf43SDag-Erling Smørgrav ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 75*ce3adf43SDag-Erling Smørgrav -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 76*ce3adf43SDag-Erling Smørgrav if [ $? -eq 0 ]; then 77*ce3adf43SDag-Erling Smørgrav fail "ssh cert connect succeeded unexpectedly" 78*ce3adf43SDag-Erling Smørgrav fi 79*ce3adf43SDag-Erling Smørgrav 80*ce3adf43SDag-Erling Smørgrav # Correct authorized_principals 81*ce3adf43SDag-Erling Smørgrav verbose "$tid: ${_prefix} correct authorized_principals" 82*ce3adf43SDag-Erling Smørgrav echo mekmitasdigoat > $OBJ/authorized_principals_$USER 83*ce3adf43SDag-Erling Smørgrav ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 84*ce3adf43SDag-Erling Smørgrav -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 85*ce3adf43SDag-Erling Smørgrav if [ $? -ne 0 ]; then 86*ce3adf43SDag-Erling Smørgrav fail "ssh cert connect failed" 87*ce3adf43SDag-Erling Smørgrav fi 88*ce3adf43SDag-Erling Smørgrav 89*ce3adf43SDag-Erling Smørgrav # authorized_principals with bad key option 90*ce3adf43SDag-Erling Smørgrav verbose "$tid: ${_prefix} authorized_principals bad key opt" 91*ce3adf43SDag-Erling Smørgrav echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER 92*ce3adf43SDag-Erling Smørgrav ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 93*ce3adf43SDag-Erling Smørgrav -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 94*ce3adf43SDag-Erling Smørgrav if [ $? -eq 0 ]; then 95*ce3adf43SDag-Erling Smørgrav fail "ssh cert connect succeeded unexpectedly" 96*ce3adf43SDag-Erling Smørgrav fi 97*ce3adf43SDag-Erling Smørgrav 98*ce3adf43SDag-Erling Smørgrav # authorized_principals with command=false 99*ce3adf43SDag-Erling Smørgrav verbose "$tid: ${_prefix} authorized_principals command=false" 100*ce3adf43SDag-Erling Smørgrav echo 'command="false" mekmitasdigoat' > \ 101*ce3adf43SDag-Erling Smørgrav $OBJ/authorized_principals_$USER 102*ce3adf43SDag-Erling Smørgrav ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 103*ce3adf43SDag-Erling Smørgrav -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 104*ce3adf43SDag-Erling Smørgrav if [ $? -eq 0 ]; then 105*ce3adf43SDag-Erling Smørgrav fail "ssh cert connect succeeded unexpectedly" 106*ce3adf43SDag-Erling Smørgrav fi 107*ce3adf43SDag-Erling Smørgrav 108*ce3adf43SDag-Erling Smørgrav 109*ce3adf43SDag-Erling Smørgrav # authorized_principals with command=true 110*ce3adf43SDag-Erling Smørgrav verbose "$tid: ${_prefix} authorized_principals command=true" 111*ce3adf43SDag-Erling Smørgrav echo 'command="true" mekmitasdigoat' > \ 112*ce3adf43SDag-Erling Smørgrav $OBJ/authorized_principals_$USER 113*ce3adf43SDag-Erling Smørgrav ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 114*ce3adf43SDag-Erling Smørgrav -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 115*ce3adf43SDag-Erling Smørgrav if [ $? -ne 0 ]; then 116*ce3adf43SDag-Erling Smørgrav fail "ssh cert connect failed" 117*ce3adf43SDag-Erling Smørgrav fi 118*ce3adf43SDag-Erling Smørgrav 119*ce3adf43SDag-Erling Smørgrav # Setup for principals= key option 120*ce3adf43SDag-Erling Smørgrav rm -f $OBJ/authorized_principals_$USER 121*ce3adf43SDag-Erling Smørgrav ( 122*ce3adf43SDag-Erling Smørgrav cat $OBJ/sshd_proxy_bak 123*ce3adf43SDag-Erling Smørgrav echo "UsePrivilegeSeparation $privsep" 124*ce3adf43SDag-Erling Smørgrav ) > $OBJ/sshd_proxy 125*ce3adf43SDag-Erling Smørgrav 126*ce3adf43SDag-Erling Smørgrav # Wrong principals list 127*ce3adf43SDag-Erling Smørgrav verbose "$tid: ${_prefix} wrong principals key option" 128*ce3adf43SDag-Erling Smørgrav ( 129*ce3adf43SDag-Erling Smørgrav printf 'cert-authority,principals="gregorsamsa" ' 130*ce3adf43SDag-Erling Smørgrav cat $OBJ/user_ca_key.pub 131*ce3adf43SDag-Erling Smørgrav ) > $OBJ/authorized_keys_$USER 132*ce3adf43SDag-Erling Smørgrav ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 133*ce3adf43SDag-Erling Smørgrav -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 134*ce3adf43SDag-Erling Smørgrav if [ $? -eq 0 ]; then 135*ce3adf43SDag-Erling Smørgrav fail "ssh cert connect succeeded unexpectedly" 136*ce3adf43SDag-Erling Smørgrav fi 137*ce3adf43SDag-Erling Smørgrav 138*ce3adf43SDag-Erling Smørgrav # Correct principals list 139*ce3adf43SDag-Erling Smørgrav verbose "$tid: ${_prefix} correct principals key option" 140*ce3adf43SDag-Erling Smørgrav ( 141*ce3adf43SDag-Erling Smørgrav printf 'cert-authority,principals="mekmitasdigoat" ' 142*ce3adf43SDag-Erling Smørgrav cat $OBJ/user_ca_key.pub 143*ce3adf43SDag-Erling Smørgrav ) > $OBJ/authorized_keys_$USER 144*ce3adf43SDag-Erling Smørgrav ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 145*ce3adf43SDag-Erling Smørgrav -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 146*ce3adf43SDag-Erling Smørgrav if [ $? -ne 0 ]; then 147*ce3adf43SDag-Erling Smørgrav fail "ssh cert connect failed" 148*ce3adf43SDag-Erling Smørgrav fi 149*ce3adf43SDag-Erling Smørgrav done 150*ce3adf43SDag-Erling Smørgravdone 151*ce3adf43SDag-Erling Smørgrav 152*ce3adf43SDag-Erling Smørgravbasic_tests() { 153*ce3adf43SDag-Erling Smørgrav auth=$1 154*ce3adf43SDag-Erling Smørgrav if test "x$auth" = "xauthorized_keys" ; then 155*ce3adf43SDag-Erling Smørgrav # Add CA to authorized_keys 156*ce3adf43SDag-Erling Smørgrav ( 157*ce3adf43SDag-Erling Smørgrav printf 'cert-authority ' 158*ce3adf43SDag-Erling Smørgrav cat $OBJ/user_ca_key.pub 159*ce3adf43SDag-Erling Smørgrav ) > $OBJ/authorized_keys_$USER 160*ce3adf43SDag-Erling Smørgrav else 161*ce3adf43SDag-Erling Smørgrav echo > $OBJ/authorized_keys_$USER 162*ce3adf43SDag-Erling Smørgrav extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" 163*ce3adf43SDag-Erling Smørgrav fi 164*ce3adf43SDag-Erling Smørgrav 165*ce3adf43SDag-Erling Smørgrav for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 166*ce3adf43SDag-Erling Smørgrav for privsep in yes no ; do 167*ce3adf43SDag-Erling Smørgrav _prefix="${ktype} privsep $privsep $auth" 168*ce3adf43SDag-Erling Smørgrav # Simple connect 169*ce3adf43SDag-Erling Smørgrav verbose "$tid: ${_prefix} connect" 170*ce3adf43SDag-Erling Smørgrav ( 171*ce3adf43SDag-Erling Smørgrav cat $OBJ/sshd_proxy_bak 172*ce3adf43SDag-Erling Smørgrav echo "UsePrivilegeSeparation $privsep" 173*ce3adf43SDag-Erling Smørgrav echo "$extra_sshd" 174*ce3adf43SDag-Erling Smørgrav ) > $OBJ/sshd_proxy 175*ce3adf43SDag-Erling Smørgrav 176*ce3adf43SDag-Erling Smørgrav ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 177*ce3adf43SDag-Erling Smørgrav -F $OBJ/ssh_proxy somehost true 178*ce3adf43SDag-Erling Smørgrav if [ $? -ne 0 ]; then 179*ce3adf43SDag-Erling Smørgrav fail "ssh cert connect failed" 180*ce3adf43SDag-Erling Smørgrav fi 181*ce3adf43SDag-Erling Smørgrav 182*ce3adf43SDag-Erling Smørgrav # Revoked keys 183*ce3adf43SDag-Erling Smørgrav verbose "$tid: ${_prefix} revoked key" 184*ce3adf43SDag-Erling Smørgrav ( 185*ce3adf43SDag-Erling Smørgrav cat $OBJ/sshd_proxy_bak 186*ce3adf43SDag-Erling Smørgrav echo "UsePrivilegeSeparation $privsep" 187*ce3adf43SDag-Erling Smørgrav echo "RevokedKeys $OBJ/cert_user_key_revoked" 188*ce3adf43SDag-Erling Smørgrav echo "$extra_sshd" 189*ce3adf43SDag-Erling Smørgrav ) > $OBJ/sshd_proxy 190*ce3adf43SDag-Erling Smørgrav cp $OBJ/cert_user_key_${ktype}.pub \ 191*ce3adf43SDag-Erling Smørgrav $OBJ/cert_user_key_revoked 192*ce3adf43SDag-Erling Smørgrav ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 193*ce3adf43SDag-Erling Smørgrav -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 194*ce3adf43SDag-Erling Smørgrav if [ $? -eq 0 ]; then 195*ce3adf43SDag-Erling Smørgrav fail "ssh cert connect succeeded unexpecedly" 196*ce3adf43SDag-Erling Smørgrav fi 197*ce3adf43SDag-Erling Smørgrav verbose "$tid: ${_prefix} revoked via KRL" 198*ce3adf43SDag-Erling Smørgrav rm $OBJ/cert_user_key_revoked 199*ce3adf43SDag-Erling Smørgrav ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \ 200*ce3adf43SDag-Erling Smørgrav $OBJ/cert_user_key_${ktype}.pub 201*ce3adf43SDag-Erling Smørgrav ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 202*ce3adf43SDag-Erling Smørgrav -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 203*ce3adf43SDag-Erling Smørgrav if [ $? -eq 0 ]; then 204*ce3adf43SDag-Erling Smørgrav fail "ssh cert connect succeeded unexpecedly" 205*ce3adf43SDag-Erling Smørgrav fi 206*ce3adf43SDag-Erling Smørgrav verbose "$tid: ${_prefix} empty KRL" 207*ce3adf43SDag-Erling Smørgrav ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked 208*ce3adf43SDag-Erling Smørgrav ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 209*ce3adf43SDag-Erling Smørgrav -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 210*ce3adf43SDag-Erling Smørgrav if [ $? -ne 0 ]; then 211*ce3adf43SDag-Erling Smørgrav fail "ssh cert connect failed" 212*ce3adf43SDag-Erling Smørgrav fi 213*ce3adf43SDag-Erling Smørgrav done 214*ce3adf43SDag-Erling Smørgrav 215*ce3adf43SDag-Erling Smørgrav # Revoked CA 216*ce3adf43SDag-Erling Smørgrav verbose "$tid: ${ktype} $auth revoked CA key" 217*ce3adf43SDag-Erling Smørgrav ( 218*ce3adf43SDag-Erling Smørgrav cat $OBJ/sshd_proxy_bak 219*ce3adf43SDag-Erling Smørgrav echo "RevokedKeys $OBJ/user_ca_key.pub" 220*ce3adf43SDag-Erling Smørgrav echo "$extra_sshd" 221*ce3adf43SDag-Erling Smørgrav ) > $OBJ/sshd_proxy 222*ce3adf43SDag-Erling Smørgrav ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ 223*ce3adf43SDag-Erling Smørgrav somehost true >/dev/null 2>&1 224*ce3adf43SDag-Erling Smørgrav if [ $? -eq 0 ]; then 225*ce3adf43SDag-Erling Smørgrav fail "ssh cert connect succeeded unexpecedly" 226*ce3adf43SDag-Erling Smørgrav fi 227*ce3adf43SDag-Erling Smørgrav done 228*ce3adf43SDag-Erling Smørgrav 229*ce3adf43SDag-Erling Smørgrav verbose "$tid: $auth CA does not authenticate" 230*ce3adf43SDag-Erling Smørgrav ( 231*ce3adf43SDag-Erling Smørgrav cat $OBJ/sshd_proxy_bak 232*ce3adf43SDag-Erling Smørgrav echo "$extra_sshd" 233*ce3adf43SDag-Erling Smørgrav ) > $OBJ/sshd_proxy 234*ce3adf43SDag-Erling Smørgrav verbose "$tid: ensure CA key does not authenticate user" 235*ce3adf43SDag-Erling Smørgrav ${SSH} -2i $OBJ/user_ca_key \ 236*ce3adf43SDag-Erling Smørgrav -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 237*ce3adf43SDag-Erling Smørgrav if [ $? -eq 0 ]; then 238*ce3adf43SDag-Erling Smørgrav fail "ssh cert connect with CA key succeeded unexpectedly" 239*ce3adf43SDag-Erling Smørgrav fi 240*ce3adf43SDag-Erling Smørgrav} 241*ce3adf43SDag-Erling Smørgrav 242*ce3adf43SDag-Erling Smørgravbasic_tests authorized_keys 243*ce3adf43SDag-Erling Smørgravbasic_tests TrustedUserCAKeys 244*ce3adf43SDag-Erling Smørgrav 245*ce3adf43SDag-Erling Smørgravtest_one() { 246*ce3adf43SDag-Erling Smørgrav ident=$1 247*ce3adf43SDag-Erling Smørgrav result=$2 248*ce3adf43SDag-Erling Smørgrav sign_opts=$3 249*ce3adf43SDag-Erling Smørgrav auth_choice=$4 250*ce3adf43SDag-Erling Smørgrav auth_opt=$5 251*ce3adf43SDag-Erling Smørgrav 252*ce3adf43SDag-Erling Smørgrav if test "x$auth_choice" = "x" ; then 253*ce3adf43SDag-Erling Smørgrav auth_choice="authorized_keys TrustedUserCAKeys" 254*ce3adf43SDag-Erling Smørgrav fi 255*ce3adf43SDag-Erling Smørgrav 256*ce3adf43SDag-Erling Smørgrav for auth in $auth_choice ; do 257*ce3adf43SDag-Erling Smørgrav for ktype in rsa rsa_v00 ; do 258*ce3adf43SDag-Erling Smørgrav case $ktype in 259*ce3adf43SDag-Erling Smørgrav *_v00) keyv="-t v00" ;; 260*ce3adf43SDag-Erling Smørgrav *) keyv="" ;; 261*ce3adf43SDag-Erling Smørgrav esac 262*ce3adf43SDag-Erling Smørgrav 263*ce3adf43SDag-Erling Smørgrav cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy 264*ce3adf43SDag-Erling Smørgrav if test "x$auth" = "xauthorized_keys" ; then 265*ce3adf43SDag-Erling Smørgrav # Add CA to authorized_keys 266*ce3adf43SDag-Erling Smørgrav ( 267*ce3adf43SDag-Erling Smørgrav printf "cert-authority${auth_opt} " 268*ce3adf43SDag-Erling Smørgrav cat $OBJ/user_ca_key.pub 269*ce3adf43SDag-Erling Smørgrav ) > $OBJ/authorized_keys_$USER 270*ce3adf43SDag-Erling Smørgrav else 271*ce3adf43SDag-Erling Smørgrav echo > $OBJ/authorized_keys_$USER 272*ce3adf43SDag-Erling Smørgrav echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ 273*ce3adf43SDag-Erling Smørgrav >> $OBJ/sshd_proxy 274*ce3adf43SDag-Erling Smørgrav if test "x$auth_opt" != "x" ; then 275*ce3adf43SDag-Erling Smørgrav echo $auth_opt >> $OBJ/sshd_proxy 276*ce3adf43SDag-Erling Smørgrav fi 277*ce3adf43SDag-Erling Smørgrav fi 278*ce3adf43SDag-Erling Smørgrav 279*ce3adf43SDag-Erling Smørgrav verbose "$tid: $ident auth $auth expect $result $ktype" 280*ce3adf43SDag-Erling Smørgrav ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ 281*ce3adf43SDag-Erling Smørgrav -I "regress user key for $USER" \ 282*ce3adf43SDag-Erling Smørgrav $sign_opts $keyv \ 283*ce3adf43SDag-Erling Smørgrav $OBJ/cert_user_key_${ktype} || 284*ce3adf43SDag-Erling Smørgrav fail "couldn't sign cert_user_key_${ktype}" 285*ce3adf43SDag-Erling Smørgrav 286*ce3adf43SDag-Erling Smørgrav ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 287*ce3adf43SDag-Erling Smørgrav -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 288*ce3adf43SDag-Erling Smørgrav rc=$? 289*ce3adf43SDag-Erling Smørgrav if [ "x$result" = "xsuccess" ] ; then 290*ce3adf43SDag-Erling Smørgrav if [ $rc -ne 0 ]; then 291*ce3adf43SDag-Erling Smørgrav fail "$ident failed unexpectedly" 292*ce3adf43SDag-Erling Smørgrav fi 293*ce3adf43SDag-Erling Smørgrav else 294*ce3adf43SDag-Erling Smørgrav if [ $rc -eq 0 ]; then 295*ce3adf43SDag-Erling Smørgrav fail "$ident succeeded unexpectedly" 296*ce3adf43SDag-Erling Smørgrav fi 297*ce3adf43SDag-Erling Smørgrav fi 298*ce3adf43SDag-Erling Smørgrav done 299*ce3adf43SDag-Erling Smørgrav done 300*ce3adf43SDag-Erling Smørgrav} 301*ce3adf43SDag-Erling Smørgrav 302*ce3adf43SDag-Erling Smørgravtest_one "correct principal" success "-n ${USER}" 303*ce3adf43SDag-Erling Smørgravtest_one "host-certificate" failure "-n ${USER} -h" 304*ce3adf43SDag-Erling Smørgravtest_one "wrong principals" failure "-n foo" 305*ce3adf43SDag-Erling Smørgravtest_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101" 306*ce3adf43SDag-Erling Smørgravtest_one "cert expired" failure "-n ${USER} -V19800101:19900101" 307*ce3adf43SDag-Erling Smørgravtest_one "cert valid interval" success "-n ${USER} -V-1w:+2w" 308*ce3adf43SDag-Erling Smørgravtest_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8" 309*ce3adf43SDag-Erling Smørgravtest_one "force-command" failure "-n ${USER} -Oforce-command=false" 310*ce3adf43SDag-Erling Smørgrav 311*ce3adf43SDag-Erling Smørgrav# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals 312*ce3adf43SDag-Erling Smørgravtest_one "empty principals" success "" authorized_keys 313*ce3adf43SDag-Erling Smørgravtest_one "empty principals" failure "" TrustedUserCAKeys 314*ce3adf43SDag-Erling Smørgrav 315*ce3adf43SDag-Erling Smørgrav# Check explicitly-specified principals: an empty principals list in the cert 316*ce3adf43SDag-Erling Smørgrav# should always be refused. 317*ce3adf43SDag-Erling Smørgrav 318*ce3adf43SDag-Erling Smørgrav# AuthorizedPrincipalsFile 319*ce3adf43SDag-Erling Smørgravrm -f $OBJ/authorized_keys_$USER 320*ce3adf43SDag-Erling Smørgravecho mekmitasdigoat > $OBJ/authorized_principals_$USER 321*ce3adf43SDag-Erling Smørgravtest_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \ 322*ce3adf43SDag-Erling Smørgrav TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" 323*ce3adf43SDag-Erling Smørgravtest_one "AuthorizedPrincipalsFile no principals" failure "" \ 324*ce3adf43SDag-Erling Smørgrav TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" 325*ce3adf43SDag-Erling Smørgrav 326*ce3adf43SDag-Erling Smørgrav# principals= key option 327*ce3adf43SDag-Erling Smørgravrm -f $OBJ/authorized_principals_$USER 328*ce3adf43SDag-Erling Smørgravtest_one "principals key option principals" success "-n mekmitasdigoat" \ 329*ce3adf43SDag-Erling Smørgrav authorized_keys ',principals="mekmitasdigoat"' 330*ce3adf43SDag-Erling Smørgravtest_one "principals key option no principals" failure "" \ 331*ce3adf43SDag-Erling Smørgrav authorized_keys ',principals="mekmitasdigoat"' 332*ce3adf43SDag-Erling Smørgrav 333*ce3adf43SDag-Erling Smørgrav# Wrong certificate 334*ce3adf43SDag-Erling Smørgravcat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy 335*ce3adf43SDag-Erling Smørgravfor ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 336*ce3adf43SDag-Erling Smørgrav case $ktype in 337*ce3adf43SDag-Erling Smørgrav *_v00) args="-t v00" ;; 338*ce3adf43SDag-Erling Smørgrav *) args="" ;; 339*ce3adf43SDag-Erling Smørgrav esac 340*ce3adf43SDag-Erling Smørgrav # Self-sign 341*ce3adf43SDag-Erling Smørgrav ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \ 342*ce3adf43SDag-Erling Smørgrav "regress user key for $USER" \ 343*ce3adf43SDag-Erling Smørgrav -n $USER $OBJ/cert_user_key_${ktype} || 344*ce3adf43SDag-Erling Smørgrav fail "couldn't sign cert_user_key_${ktype}" 345*ce3adf43SDag-Erling Smørgrav verbose "$tid: user ${ktype} connect wrong cert" 346*ce3adf43SDag-Erling Smørgrav ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ 347*ce3adf43SDag-Erling Smørgrav somehost true >/dev/null 2>&1 348*ce3adf43SDag-Erling Smørgrav if [ $? -eq 0 ]; then 349*ce3adf43SDag-Erling Smørgrav fail "ssh cert connect $ident succeeded unexpectedly" 350*ce3adf43SDag-Erling Smørgrav fi 351*ce3adf43SDag-Erling Smørgravdone 352*ce3adf43SDag-Erling Smørgrav 353*ce3adf43SDag-Erling Smørgravrm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* 354*ce3adf43SDag-Erling Smørgravrm -f $OBJ/authorized_principals_$USER 355*ce3adf43SDag-Erling Smørgrav 356