xref: /freebsd/crypto/openssh/regress/principals-command.sh (revision 3332f1b444d4a73238e9f59cca27bfc95fe936bd)
1#	$OpenBSD: principals-command.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
2#	Placed in the Public Domain.
3
4tid="authorized principals command"
5
6rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8
9if [ -z "$SUDO" -a ! -w /var/run ]; then
10	echo "skipped (SUDO not set)"
11	echo "need SUDO to create file in /var/run, test won't work without"
12	exit 0
13fi
14
15case "$SSH_KEYTYPES" in
16	*ssh-rsa*)	userkeytype=rsa ;;
17	*)		userkeytype=ed25519 ;;
18esac
19
20SERIAL=$$
21
22# Create a CA key and a user certificate.
23${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key || \
24	fatal "ssh-keygen of user_ca_key failed"
25${SSHKEYGEN} -q -N '' -t ${userkeytype} -f $OBJ/cert_user_key || \
26	fatal "ssh-keygen of cert_user_key failed"
27${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \
28    -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
29	fatal "couldn't sign cert_user_key"
30
31CERT_BODY=`cat $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
32CA_BODY=`cat $OBJ/user_ca_key.pub | awk '{ print $2 }'`
33CERT_FP=`${SSHKEYGEN} -lf $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
34CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'`
35
36# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
37# acceptable directory permissions.
38PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}.$$"
39trap "$SUDO rm -f ${PRINCIPALS_COMMAND}" 0
40cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
41#!/bin/sh
42test "x\$1" != "x${LOGNAME}" && exit 1
43test "x\$2" != "xssh-${userkeytype}-cert-v01@openssh.com" && exit 1
44test "x\$3" != "xssh-ed25519" && exit 1
45test "x\$4" != "xJoanne User" && exit 1
46test "x\$5" != "x${SERIAL}" && exit 1
47test "x\$6" != "x${CA_FP}" && exit 1
48test "x\$7" != "x${CERT_FP}" && exit 1
49test "x\$8" != "x${CERT_BODY}" && exit 1
50test "x\$9" != "x${CA_BODY}" && exit 1
51test -f "$OBJ/authorized_principals_${LOGNAME}" &&
52	exec cat "$OBJ/authorized_principals_${LOGNAME}"
53_EOF
54test $? -eq 0 || fatal "couldn't prepare principals command"
55$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
56
57if ! $OBJ/check-perm -m keys-command $PRINCIPALS_COMMAND ; then
58	echo "skipping: $PRINCIPALS_COMMAND is unsuitable as " \
59	    "AuthorizedPrincipalsCommand"
60	$SUDO rm -f $PRINCIPALS_COMMAND
61	exit 0
62fi
63
64if [ -x $PRINCIPALS_COMMAND ]; then
65	# Test explicitly-specified principals
66	for privsep in yes ; do
67		_prefix="privsep $privsep"
68
69		# Setup for AuthorizedPrincipalsCommand
70		rm -f $OBJ/authorized_keys_$USER
71		(
72			cat $OBJ/sshd_proxy_bak
73			echo "UsePrivilegeSeparation $privsep"
74			echo "AuthorizedKeysFile none"
75			echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
76			    "%u %t %T %i %s %F %f %k %K"
77			echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
78			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
79		) > $OBJ/sshd_proxy
80
81		# XXX test missing command
82		# XXX test failing command
83
84		# Empty authorized_principals
85		verbose "$tid: ${_prefix} empty authorized_principals"
86		echo > $OBJ/authorized_principals_$USER
87		${SSH} -i $OBJ/cert_user_key \
88		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
89		if [ $? -eq 0 ]; then
90			fail "ssh cert connect succeeded unexpectedly"
91		fi
92
93		# Wrong authorized_principals
94		verbose "$tid: ${_prefix} wrong authorized_principals"
95		echo gregorsamsa > $OBJ/authorized_principals_$USER
96		${SSH} -i $OBJ/cert_user_key \
97		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
98		if [ $? -eq 0 ]; then
99			fail "ssh cert connect succeeded unexpectedly"
100		fi
101
102		# Correct authorized_principals
103		verbose "$tid: ${_prefix} correct authorized_principals"
104		echo mekmitasdigoat > $OBJ/authorized_principals_$USER
105		${SSH} -i $OBJ/cert_user_key \
106		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
107		if [ $? -ne 0 ]; then
108			fail "ssh cert connect failed"
109		fi
110
111		# authorized_principals with bad key option
112		verbose "$tid: ${_prefix} authorized_principals bad key opt"
113		echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
114		${SSH} -i $OBJ/cert_user_key \
115		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
116		if [ $? -eq 0 ]; then
117			fail "ssh cert connect succeeded unexpectedly"
118		fi
119
120		# authorized_principals with command=false
121		verbose "$tid: ${_prefix} authorized_principals command=false"
122		echo 'command="false" mekmitasdigoat' > \
123		    $OBJ/authorized_principals_$USER
124		${SSH} -i $OBJ/cert_user_key \
125		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
126		if [ $? -eq 0 ]; then
127			fail "ssh cert connect succeeded unexpectedly"
128		fi
129
130		# authorized_principals with command=true
131		verbose "$tid: ${_prefix} authorized_principals command=true"
132		echo 'command="true" mekmitasdigoat' > \
133		    $OBJ/authorized_principals_$USER
134		${SSH} -i $OBJ/cert_user_key \
135		    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
136		if [ $? -ne 0 ]; then
137			fail "ssh cert connect failed"
138		fi
139
140		# Setup for principals= key option
141		rm -f $OBJ/authorized_principals_$USER
142		(
143			cat $OBJ/sshd_proxy_bak
144			echo "UsePrivilegeSeparation $privsep"
145		) > $OBJ/sshd_proxy
146
147		# Wrong principals list
148		verbose "$tid: ${_prefix} wrong principals key option"
149		(
150			printf 'cert-authority,principals="gregorsamsa" '
151			cat $OBJ/user_ca_key.pub
152		) > $OBJ/authorized_keys_$USER
153		${SSH} -i $OBJ/cert_user_key \
154		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
155		if [ $? -eq 0 ]; then
156			fail "ssh cert connect succeeded unexpectedly"
157		fi
158
159		# Correct principals list
160		verbose "$tid: ${_prefix} correct principals key option"
161		(
162			printf 'cert-authority,principals="mekmitasdigoat" '
163			cat $OBJ/user_ca_key.pub
164		) > $OBJ/authorized_keys_$USER
165		${SSH} -i $OBJ/cert_user_key \
166		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
167		if [ $? -ne 0 ]; then
168			fail "ssh cert connect failed"
169		fi
170	done
171else
172	echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
173	    "(/var/run mounted noexec?)"
174fi
175