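# $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $
# Placed in the Public Domain.
#
# Regression test for sshd's AuthorizedPrincipalsCommand and for the
# principals="" key option, run with UsePrivilegeSeparation yes and no.
#
# Nothing used below is defined in this file: OBJ, SSH, SSHKEYGEN, SUDO,
# USER and LOGNAME, and the fatal/fail/verbose helpers, are expected to
# come from the regress harness that runs this script.
#
# ${SSH}, ${SSHKEYGEN} and $SUDO are deliberately left unquoted so that a
# value carrying extra words (a wrapper plus arguments) still splits into
# a command line. Path expansions are quoted.

tid="authorized principals command"

rm -f "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

if test -z "$SUDO" ; then
	echo "skipped (SUDO not set)"
	echo "need SUDO to create file in /var/run, test won't work without"
	exit 0
fi

# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
# acceptable directory permissions. sshd_config(5) requires the program to
# be owned by root and not writable by group or others, which is why the
# file is created through $SUDO rather than under $OBJ.
PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"

# The here-document delimiter is unquoted on purpose: $OBJ and ${LOGNAME}
# are expanded now, while \$1 stays literal and is the user name (%u) that
# sshd passes to the helper at authentication time.
#
# The destination is handed to the privileged shell as a positional
# parameter instead of being pasted into the -c string, so a quote
# character in LOGNAME cannot change the command that runs under $SUDO.
#
# NOTE(review): the helper reads authorized_principals_${LOGNAME} while the
# tests below write authorized_principals_$USER; this presumes the harness
# keeps USER and LOGNAME equal -- confirm.
cat << _EOF | $SUDO sh -c 'cat > "$1"' sh "$PRINCIPALS_COMMAND"
#!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
	exec cat "$OBJ/authorized_principals_${LOGNAME}"
_EOF
test $? -eq 0 || fatal "couldn't prepare principals command"
# A helper that is not executable makes every connection fail, which the
# "must be refused" cases below would count as a pass; stop here instead.
$SUDO chmod 0755 "$PRINCIPALS_COMMAND" || \
	fatal "couldn't chmod principals command"

# Create a CA key and a user certificate.
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_ca_key" || \
	fatal "ssh-keygen of user_ca_key failed"
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/cert_user_key" || \
	fatal "ssh-keygen of cert_user_key failed"
# The certificate carries two principals: the user name and the marker
# principal "mekmitasdigoat" that the cases below accept or reject.
${SSHKEYGEN} -q -s "$OBJ/user_ca_key" -I "regress user key for $USER" \
    -z $$ -n "${USER},mekmitasdigoat" "$OBJ/cert_user_key" || \
	fatal "couldn't sign cert_user_key"

# Test explicitly-specified principals
#
# The refusal cases discard ssh's output and look only at the exit status,
# so a connection that fails for an unrelated reason also reads as a
# refusal. The "correct" cases in the same iteration are what show that
# the helper and the certificate work at all.
for privsep in yes no ; do
	_prefix="privsep $privsep"

	# Setup for AuthorizedPrincipalsCommand
	# AuthorizedKeysFile is set to none, so the certificate can only be
	# accepted through TrustedUserCAKeys plus the helper's output.
	rm -f "$OBJ/authorized_keys_$USER"
	(
		cat "$OBJ/sshd_proxy_bak"
		echo "UsePrivilegeSeparation $privsep"
		echo "AuthorizedKeysFile none"
		echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
		echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
	) > "$OBJ/sshd_proxy"

	# XXX test missing command
	# XXX test failing command

	# Empty authorized_principals
	verbose "$tid: ${_prefix} empty authorized_principals"
	echo > "$OBJ/authorized_principals_$USER"
	${SSH} -2i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Wrong authorized_principals
	verbose "$tid: ${_prefix} wrong authorized_principals"
	echo gregorsamsa > "$OBJ/authorized_principals_$USER"
	${SSH} -2i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Correct authorized_principals
	verbose "$tid: ${_prefix} correct authorized_principals"
	echo mekmitasdigoat > "$OBJ/authorized_principals_$USER"
	${SSH} -2i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -ne 0 ]; then
		fail "ssh cert connect failed"
	fi

	# authorized_principals with bad key option
	# An unrecognised option in front of a matching principal must not
	# be skipped over: the login has to be refused.
	verbose "$tid: ${_prefix} authorized_principals bad key opt"
	echo 'blah mekmitasdigoat' > "$OBJ/authorized_principals_$USER"
	${SSH} -2i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# authorized_principals with command=false
	# The client asks for "true"; a non-zero exit shows the forced
	# command from the principals line ran instead.
	verbose "$tid: ${_prefix} authorized_principals command=false"
	echo 'command="false" mekmitasdigoat' > \
	    "$OBJ/authorized_principals_$USER"
	${SSH} -2i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi


	# authorized_principals with command=true
	# Mirror image of the case above: the client asks for "false" and
	# the forced command "true" must win.
	verbose "$tid: ${_prefix} authorized_principals command=true"
	echo 'command="true" mekmitasdigoat' > \
	    "$OBJ/authorized_principals_$USER"
	${SSH} -2i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost false >/dev/null 2>&1
	if [ $? -ne 0 ]; then
		fail "ssh cert connect failed"
	fi

	# Setup for principals= key option
	# sshd_proxy goes back to the saved configuration plus the privsep
	# setting only, so the AuthorizedPrincipalsCommand and
	# TrustedUserCAKeys lines added above are gone and the CA is trusted
	# solely through the cert-authority entry in authorized_keys.
	rm -f "$OBJ/authorized_principals_$USER"
	(
		cat "$OBJ/sshd_proxy_bak"
		echo "UsePrivilegeSeparation $privsep"
	) > "$OBJ/sshd_proxy"

	# Wrong principals list
	verbose "$tid: ${_prefix} wrong principals key option"
	(
		printf 'cert-authority,principals="gregorsamsa" '
		cat "$OBJ/user_ca_key.pub"
	) > "$OBJ/authorized_keys_$USER"
	${SSH} -2i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Correct principals list
	verbose "$tid: ${_prefix} correct principals key option"
	(
		printf 'cert-authority,principals="mekmitasdigoat" '
		cat "$OBJ/user_ca_key.pub"
	) > "$OBJ/authorized_keys_$USER"
	${SSH} -2i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -ne 0 ]; then
		fail "ssh cert connect failed"
	fi
done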