xref: /freebsd/crypto/openssh/regress/principals-command.sh (revision 557f75e54ae47df936c7de8fb97ec70c4180a5c0)
1*557f75e5SDag-Erling Smørgrav#	$OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $
2*557f75e5SDag-Erling Smørgrav#	Placed in the Public Domain.
3*557f75e5SDag-Erling Smørgrav
4*557f75e5SDag-Erling Smørgravtid="authorized principals command"
5*557f75e5SDag-Erling Smørgrav
6*557f75e5SDag-Erling Smørgravrm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
7*557f75e5SDag-Erling Smørgravcp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8*557f75e5SDag-Erling Smørgrav
9*557f75e5SDag-Erling Smørgravif test -z "$SUDO" ; then
10*557f75e5SDag-Erling Smørgrav	echo "skipped (SUDO not set)"
11*557f75e5SDag-Erling Smørgrav	echo "need SUDO to create file in /var/run, test won't work without"
12*557f75e5SDag-Erling Smørgrav	exit 0
13*557f75e5SDag-Erling Smørgravfi
14*557f75e5SDag-Erling Smørgrav
15*557f75e5SDag-Erling Smørgrav# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
16*557f75e5SDag-Erling Smørgrav# acceptable directory permissions.
17*557f75e5SDag-Erling SmørgravPRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
18*557f75e5SDag-Erling Smørgravcat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
19*557f75e5SDag-Erling Smørgrav#!/bin/sh
20*557f75e5SDag-Erling Smørgravtest "x\$1" != "x${LOGNAME}" && exit 1
21*557f75e5SDag-Erling Smørgravtest -f "$OBJ/authorized_principals_${LOGNAME}" &&
22*557f75e5SDag-Erling Smørgrav	exec cat "$OBJ/authorized_principals_${LOGNAME}"
23*557f75e5SDag-Erling Smørgrav_EOF
24*557f75e5SDag-Erling Smørgravtest $? -eq 0 || fatal "couldn't prepare principals command"
25*557f75e5SDag-Erling Smørgrav$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
26*557f75e5SDag-Erling Smørgrav
27*557f75e5SDag-Erling Smørgrav# Create a CA key and a user certificate.
28*557f75e5SDag-Erling Smørgrav${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key || \
29*557f75e5SDag-Erling Smørgrav	fatal "ssh-keygen of user_ca_key failed"
30*557f75e5SDag-Erling Smørgrav${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \
31*557f75e5SDag-Erling Smørgrav	fatal "ssh-keygen of cert_user_key failed"
32*557f75e5SDag-Erling Smørgrav${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
33*557f75e5SDag-Erling Smørgrav    -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
34*557f75e5SDag-Erling Smørgrav	fatal "couldn't sign cert_user_key"
35*557f75e5SDag-Erling Smørgrav
36*557f75e5SDag-Erling Smørgrav# Test explicitly-specified principals
37*557f75e5SDag-Erling Smørgravfor privsep in yes no ; do
38*557f75e5SDag-Erling Smørgrav	_prefix="privsep $privsep"
39*557f75e5SDag-Erling Smørgrav
40*557f75e5SDag-Erling Smørgrav	# Setup for AuthorizedPrincipalsCommand
41*557f75e5SDag-Erling Smørgrav	rm -f $OBJ/authorized_keys_$USER
42*557f75e5SDag-Erling Smørgrav	(
43*557f75e5SDag-Erling Smørgrav		cat $OBJ/sshd_proxy_bak
44*557f75e5SDag-Erling Smørgrav		echo "UsePrivilegeSeparation $privsep"
45*557f75e5SDag-Erling Smørgrav		echo "AuthorizedKeysFile none"
46*557f75e5SDag-Erling Smørgrav		echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
47*557f75e5SDag-Erling Smørgrav		echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
48*557f75e5SDag-Erling Smørgrav		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
49*557f75e5SDag-Erling Smørgrav	) > $OBJ/sshd_proxy
50*557f75e5SDag-Erling Smørgrav
51*557f75e5SDag-Erling Smørgrav	# XXX test missing command
52*557f75e5SDag-Erling Smørgrav	# XXX test failing command
53*557f75e5SDag-Erling Smørgrav
54*557f75e5SDag-Erling Smørgrav	# Empty authorized_principals
55*557f75e5SDag-Erling Smørgrav	verbose "$tid: ${_prefix} empty authorized_principals"
56*557f75e5SDag-Erling Smørgrav	echo > $OBJ/authorized_principals_$USER
57*557f75e5SDag-Erling Smørgrav	${SSH} -2i $OBJ/cert_user_key \
58*557f75e5SDag-Erling Smørgrav	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
59*557f75e5SDag-Erling Smørgrav	if [ $? -eq 0 ]; then
60*557f75e5SDag-Erling Smørgrav		fail "ssh cert connect succeeded unexpectedly"
61*557f75e5SDag-Erling Smørgrav	fi
62*557f75e5SDag-Erling Smørgrav
63*557f75e5SDag-Erling Smørgrav	# Wrong authorized_principals
64*557f75e5SDag-Erling Smørgrav	verbose "$tid: ${_prefix} wrong authorized_principals"
65*557f75e5SDag-Erling Smørgrav	echo gregorsamsa > $OBJ/authorized_principals_$USER
66*557f75e5SDag-Erling Smørgrav	${SSH} -2i $OBJ/cert_user_key \
67*557f75e5SDag-Erling Smørgrav	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
68*557f75e5SDag-Erling Smørgrav	if [ $? -eq 0 ]; then
69*557f75e5SDag-Erling Smørgrav		fail "ssh cert connect succeeded unexpectedly"
70*557f75e5SDag-Erling Smørgrav	fi
71*557f75e5SDag-Erling Smørgrav
72*557f75e5SDag-Erling Smørgrav	# Correct authorized_principals
73*557f75e5SDag-Erling Smørgrav	verbose "$tid: ${_prefix} correct authorized_principals"
74*557f75e5SDag-Erling Smørgrav	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
75*557f75e5SDag-Erling Smørgrav	${SSH} -2i $OBJ/cert_user_key \
76*557f75e5SDag-Erling Smørgrav	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
77*557f75e5SDag-Erling Smørgrav	if [ $? -ne 0 ]; then
78*557f75e5SDag-Erling Smørgrav		fail "ssh cert connect failed"
79*557f75e5SDag-Erling Smørgrav	fi
80*557f75e5SDag-Erling Smørgrav
81*557f75e5SDag-Erling Smørgrav	# authorized_principals with bad key option
82*557f75e5SDag-Erling Smørgrav	verbose "$tid: ${_prefix} authorized_principals bad key opt"
83*557f75e5SDag-Erling Smørgrav	echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
84*557f75e5SDag-Erling Smørgrav	${SSH} -2i $OBJ/cert_user_key \
85*557f75e5SDag-Erling Smørgrav	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
86*557f75e5SDag-Erling Smørgrav	if [ $? -eq 0 ]; then
87*557f75e5SDag-Erling Smørgrav		fail "ssh cert connect succeeded unexpectedly"
88*557f75e5SDag-Erling Smørgrav	fi
89*557f75e5SDag-Erling Smørgrav
90*557f75e5SDag-Erling Smørgrav	# authorized_principals with command=false
91*557f75e5SDag-Erling Smørgrav	verbose "$tid: ${_prefix} authorized_principals command=false"
92*557f75e5SDag-Erling Smørgrav	echo 'command="false" mekmitasdigoat' > \
93*557f75e5SDag-Erling Smørgrav	    $OBJ/authorized_principals_$USER
94*557f75e5SDag-Erling Smørgrav	${SSH} -2i $OBJ/cert_user_key \
95*557f75e5SDag-Erling Smørgrav	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
96*557f75e5SDag-Erling Smørgrav	if [ $? -eq 0 ]; then
97*557f75e5SDag-Erling Smørgrav		fail "ssh cert connect succeeded unexpectedly"
98*557f75e5SDag-Erling Smørgrav	fi
99*557f75e5SDag-Erling Smørgrav
100*557f75e5SDag-Erling Smørgrav
101*557f75e5SDag-Erling Smørgrav	# authorized_principals with command=true
102*557f75e5SDag-Erling Smørgrav	verbose "$tid: ${_prefix} authorized_principals command=true"
103*557f75e5SDag-Erling Smørgrav	echo 'command="true" mekmitasdigoat' > \
104*557f75e5SDag-Erling Smørgrav	    $OBJ/authorized_principals_$USER
105*557f75e5SDag-Erling Smørgrav	${SSH} -2i $OBJ/cert_user_key \
106*557f75e5SDag-Erling Smørgrav	    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
107*557f75e5SDag-Erling Smørgrav	if [ $? -ne 0 ]; then
108*557f75e5SDag-Erling Smørgrav		fail "ssh cert connect failed"
109*557f75e5SDag-Erling Smørgrav	fi
110*557f75e5SDag-Erling Smørgrav
111*557f75e5SDag-Erling Smørgrav	# Setup for principals= key option
112*557f75e5SDag-Erling Smørgrav	rm -f $OBJ/authorized_principals_$USER
113*557f75e5SDag-Erling Smørgrav	(
114*557f75e5SDag-Erling Smørgrav		cat $OBJ/sshd_proxy_bak
115*557f75e5SDag-Erling Smørgrav		echo "UsePrivilegeSeparation $privsep"
116*557f75e5SDag-Erling Smørgrav	) > $OBJ/sshd_proxy
117*557f75e5SDag-Erling Smørgrav
118*557f75e5SDag-Erling Smørgrav	# Wrong principals list
119*557f75e5SDag-Erling Smørgrav	verbose "$tid: ${_prefix} wrong principals key option"
120*557f75e5SDag-Erling Smørgrav	(
121*557f75e5SDag-Erling Smørgrav		printf 'cert-authority,principals="gregorsamsa" '
122*557f75e5SDag-Erling Smørgrav		cat $OBJ/user_ca_key.pub
123*557f75e5SDag-Erling Smørgrav	) > $OBJ/authorized_keys_$USER
124*557f75e5SDag-Erling Smørgrav	${SSH} -2i $OBJ/cert_user_key \
125*557f75e5SDag-Erling Smørgrav	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
126*557f75e5SDag-Erling Smørgrav	if [ $? -eq 0 ]; then
127*557f75e5SDag-Erling Smørgrav		fail "ssh cert connect succeeded unexpectedly"
128*557f75e5SDag-Erling Smørgrav	fi
129*557f75e5SDag-Erling Smørgrav
130*557f75e5SDag-Erling Smørgrav	# Correct principals list
131*557f75e5SDag-Erling Smørgrav	verbose "$tid: ${_prefix} correct principals key option"
132*557f75e5SDag-Erling Smørgrav	(
133*557f75e5SDag-Erling Smørgrav		printf 'cert-authority,principals="mekmitasdigoat" '
134*557f75e5SDag-Erling Smørgrav		cat $OBJ/user_ca_key.pub
135*557f75e5SDag-Erling Smørgrav	) > $OBJ/authorized_keys_$USER
136*557f75e5SDag-Erling Smørgrav	${SSH} -2i $OBJ/cert_user_key \
137*557f75e5SDag-Erling Smørgrav	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
138*557f75e5SDag-Erling Smørgrav	if [ $? -ne 0 ]; then
139*557f75e5SDag-Erling Smørgrav		fail "ssh cert connect failed"
140*557f75e5SDag-Erling Smørgrav	fi
141*557f75e5SDag-Erling Smørgravdone
142