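#	$OpenBSD: principals-command.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
#	Placed in the Public Domain.
#
# Regression test for sshd's AuthorizedPrincipalsCommand. It checks that:
#   - the helper receives the expected expansions of the
#     %u %t %T %i %s %F %f %k %K tokens (the generated helper exits 1 on any
#     mismatch, which makes the "correct principals" logins fail);
#   - a certificate login is accepted only when the helper prints a principal
#     that is listed in the certificate;
#   - key options on a principals line (unknown option, command="...") are
#     honoured;
#   - the principals="..." option on a cert-authority authorized_keys line is
#     enforced.
#
# Expects the regress harness to provide OBJ, SSH, SSHKEYGEN, SUDO, USER,
# LOGNAME and the fatal/fail/verbose helpers.

tid="authorized principals command"

rm -f "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# The helper is created under /var/run, so either SUDO must be set or
# /var/run must be writable by the current user.
if [ -z "$SUDO" ] && [ ! -w /var/run ]; then
	echo "skipped (SUDO not set)"
	echo "need SUDO to create file in /var/run, test won't work without"
	exit 0
fi

# The shell PID doubles as the certificate serial; the helper later compares
# it with the %s expansion.
SERIAL=$$

# Create a CA key and a user certificate.
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_ca_key" || \
	fatal "ssh-keygen of user_ca_key failed"
${SSHKEYGEN} -q -N '' -t rsa -f "$OBJ/cert_user_key" || \
	fatal "ssh-keygen of cert_user_key failed"
${SSHKEYGEN} -q -s "$OBJ/user_ca_key" -I "Joanne User" \
    -z "$SERIAL" -n "${USER},mekmitasdigoat" "$OBJ/cert_user_key" || \
	fatal "couldn't sign cert_user_key"

# Reference values the helper compares against the %k, %K, %f and %F
# expansions (second field of the .pub line / of the ssh-keygen -l output).
CERT_BODY=$(awk '{ print $2 }' "$OBJ/cert_user_key-cert.pub")
CA_BODY=$(awk '{ print $2 }' "$OBJ/user_ca_key.pub")
CERT_FP=$(${SSHKEYGEN} -lf "$OBJ/cert_user_key-cert.pub" | awk '{ print $2 }')
CA_FP=$(${SSHKEYGEN} -lf "$OBJ/user_ca_key.pub" | awk '{ print $2 }')

# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
# acceptable directory permissions.
PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
# The destination is handed to the (possibly privileged) shell as a positional
# parameter instead of being spliced into the -c string, so a quote character
# in LOGNAME cannot change the command that runs under $SUDO.
# The here-document delimiter is unquoted on purpose: ${LOGNAME}, ${SERIAL},
# the fingerprints, the key bodies and $OBJ are expanded now and baked into
# the helper, while \$1..\$9 remain the helper's own arguments.
cat << _EOF | $SUDO sh -c 'cat > "$1"' sh "$PRINCIPALS_COMMAND"
#!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1
test "x\$2" != "xssh-rsa-cert-v01@openssh.com" && exit 1
test "x\$3" != "xssh-ed25519" && exit 1
test "x\$4" != "xJoanne User" && exit 1
test "x\$5" != "x${SERIAL}" && exit 1
test "x\$6" != "x${CA_FP}" && exit 1
test "x\$7" != "x${CERT_FP}" && exit 1
test "x\$8" != "x${CERT_BODY}" && exit 1
test "x\$9" != "x${CA_BODY}" && exit 1
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
	exec cat "$OBJ/authorized_principals_${LOGNAME}"
_EOF
test $? -eq 0 || fatal "couldn't prepare principals command"
$SUDO chmod 0755 "$PRINCIPALS_COMMAND"

# check-perm decides whether the helper's ownership and mode are acceptable;
# if not, remove the helper and skip rather than fail.
if ! "$OBJ/check-perm" -m keys-command "$PRINCIPALS_COMMAND" ; then
	echo "skipping: $PRINCIPALS_COMMAND is unsuitable as " \
	    "AuthorizedPrincipalsCommand"
	$SUDO rm -f "$PRINCIPALS_COMMAND"
	exit 0
fi

# Attempt a certificate login through the proxy configuration and ask the
# remote side to run "$1". Output is discarded; the return status is ssh's.
principals_cert_login() {
	${SSH} -i "$OBJ/cert_user_key" \
	    -F "$OBJ/ssh_proxy" somehost "$1" >/dev/null 2>&1
}

if [ -x "$PRINCIPALS_COMMAND" ]; then
	# Test explicitly-specified principals
	for privsep in yes no ; do
		_prefix="privsep $privsep"

		# Setup for AuthorizedPrincipalsCommand. AuthorizedKeysFile is
		# disabled so the helper is the only possible source of
		# authorisation for the certificate.
		# NOTE(review): the helper reads authorized_principals_${LOGNAME}
		# while the cases below write authorized_principals_$USER; this
		# presumably relies on USER and LOGNAME being equal - confirm.
		rm -f "$OBJ/authorized_keys_$USER"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "UsePrivilegeSeparation $privsep"
			echo "AuthorizedKeysFile none"
			echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
			    "%u %t %T %i %s %F %f %k %K"
			echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
		) > "$OBJ/sshd_proxy"

		# XXX test missing command
		# XXX test failing command

		# Empty authorized_principals
		verbose "$tid: ${_prefix} empty authorized_principals"
		echo > "$OBJ/authorized_principals_$USER"
		if principals_cert_login true; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Wrong authorized_principals
		verbose "$tid: ${_prefix} wrong authorized_principals"
		echo gregorsamsa > "$OBJ/authorized_principals_$USER"
		if principals_cert_login true; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct authorized_principals
		verbose "$tid: ${_prefix} correct authorized_principals"
		echo mekmitasdigoat > "$OBJ/authorized_principals_$USER"
		if ! principals_cert_login true; then
			fail "ssh cert connect failed"
		fi

		# authorized_principals with bad key option: the login must be
		# refused even though the principal itself matches.
		verbose "$tid: ${_prefix} authorized_principals bad key opt"
		echo 'blah mekmitasdigoat' > "$OBJ/authorized_principals_$USER"
		if principals_cert_login true; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=false: the client asks for
		# "true" but a zero exit status is treated as a failure, i.e.
		# the forced command is expected to run instead.
		verbose "$tid: ${_prefix} authorized_principals command=false"
		echo 'command="false" mekmitasdigoat' > \
		    "$OBJ/authorized_principals_$USER"
		if principals_cert_login true; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=true: the client asks for
		# "false" and a zero exit status is required.
		verbose "$tid: ${_prefix} authorized_principals command=true"
		echo 'command="true" mekmitasdigoat' > \
		    "$OBJ/authorized_principals_$USER"
		if ! principals_cert_login false; then
			fail "ssh cert connect failed"
		fi

		# Setup for principals= key option: back to the stock proxy
		# config, without AuthorizedPrincipalsCommand.
		rm -f "$OBJ/authorized_principals_$USER"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "UsePrivilegeSeparation $privsep"
		) > "$OBJ/sshd_proxy"

		# Wrong principals list
		verbose "$tid: ${_prefix} wrong principals key option"
		(
			printf 'cert-authority,principals="gregorsamsa" '
			cat "$OBJ/user_ca_key.pub"
		) > "$OBJ/authorized_keys_$USER"
		if principals_cert_login true; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct principals list
		verbose "$tid: ${_prefix} correct principals key option"
		(
			printf 'cert-authority,principals="mekmitasdigoat" '
			cat "$OBJ/user_ca_key.pub"
		) > "$OBJ/authorized_keys_$USER"
		if ! principals_cert_login true; then
			fail "ssh cert connect failed"
		fi
	done
else
	echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
	    "(/var/run mounted noexec?)"
fi

# Do not leave the generated helper behind in /var/run once the test is over;
# the unsuitable-permissions path above already removes it the same way.
$SUDO rm -f "$PRINCIPALS_COMMAND"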