#	$OpenBSD: principals-command.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
#	Placed in the Public Domain.

# Regression test for sshd's AuthorizedPrincipalsCommand: a user certificate
# signed by a throwaway CA must be accepted only when the principals supplied
# by the command (or by a principals="..." key option) include one that is
# named in the certificate.
# Relies on names this script does not define: $OBJ, $SUDO, ${SSH},
# ${SSHKEYGEN}, fatal, fail and verbose.
tid="authorized principals command"

# Clear key material left by an earlier run and keep a pristine copy of the
# sshd config; every scenario later in the script rebuilds sshd_proxy from it.
rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

# The helper script is written into /var/run, so either SUDO or direct write
# access to that directory is needed. Without both, skip (exit 0, not a
# failure).
if [ -z "$SUDO" ] && [ ! -w /var/run ]; then
	echo "skipped (SUDO not set)"
	echo "need SUDO to create file in /var/run, test won't work without"
	exit 0
fi

# User key type: RSA when SSH_KEYTYPES mentions ssh-rsa, ed25519 otherwise.
userkeytype=ed25519
case "$SSH_KEYTYPES" in
*ssh-rsa*)	userkeytype=rsa ;;
esac

# The shell PID doubles as the certificate serial number; the helper script
# later compares the serial sshd reports against this value.
SERIAL=$$

# Create a CA key and a user certificate.
# Both keys are generated without a passphrase (-N ''); they are test-only.
if ! ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key; then
	fatal "ssh-keygen of user_ca_key failed"
fi
if ! ${SSHKEYGEN} -q -N '' -t ${userkeytype} -f $OBJ/cert_user_key; then
	fatal "ssh-keygen of cert_user_key failed"
fi
# The certificate names two principals: the local user and "mekmitasdigoat".
# Key ID is "Joanne User"; the serial is the PID captured above.
if ! ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \
    -z $SERIAL -n ${USER},mekmitasdigoat $OBJ/cert_user_key; then
	fatal "couldn't sign cert_user_key"
fi

# Key blobs (second field of the .pub files) and fingerprints (second field
# of "ssh-keygen -l" output). The helper script checks the values sshd passes
# on its command line against these.
CERT_BODY=`awk '{ print $2 }' $OBJ/cert_user_key-cert.pub`
CA_BODY=`awk '{ print $2 }' $OBJ/user_ca_key.pub`
CERT_FP=`${SSHKEYGEN} -lf $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'`

# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
# acceptable directory permissions.
# The path embeds the login name and this shell's PID. It is expanded into the
# trap string right here, so the exit handler removes exactly this file.
PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}.$$"
trap "$SUDO rm -f ${PRINCIPALS_COMMAND}" 0
# Unquoted heredoc delimiter: ${LOGNAME}, ${SERIAL}, the fingerprints and the
# key blobs are substituted now, while \$1..\$9 stay positional parameters of
# the generated script. They line up with the tokens configured further down:
#   $1 %u   $2 %t   $3 %T   $4 %i   $5 %s   $6 %F   $7 %f   $8 %k   $9 %K
# Any mismatch exits 1, so sshd gets no principals unless every argument it
# passed is the expected one; only then is the principals file printed.
# NOTE(review): the helper reads authorized_principals_${LOGNAME} while the
# scenarios write authorized_principals_$USER; this presumably relies on both
# naming the same account - confirm against the test harness.
cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
#!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1
test "x\$2" != "xssh-${userkeytype}-cert-v01@openssh.com" && exit 1
test "x\$3" != "xssh-ed25519" && exit 1
test "x\$4" != "xJoanne User" && exit 1
test "x\$5" != "x${SERIAL}" && exit 1
test "x\$6" != "x${CA_FP}" && exit 1
test "x\$7" != "x${CERT_FP}" && exit 1
test "x\$8" != "x${CERT_BODY}" && exit 1
test "x\$9" != "x${CA_BODY}" && exit 1
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
	exec cat "$OBJ/authorized_principals_${LOGNAME}"
_EOF
if [ $? -ne 0 ]; then
	fatal "couldn't prepare principals command"
fi
$SUDO chmod 0755 "$PRINCIPALS_COMMAND"

# check-perm's verdict decides whether the path can serve as an
# AuthorizedPrincipalsCommand (presumably ownership/permission rules - see
# check-perm itself). If not, remove the helper and skip.
if ! $OBJ/check-perm -m keys-command $PRINCIPALS_COMMAND ; then
	echo "skipping: $PRINCIPALS_COMMAND is unsuitable as " \
	    "AuthorizedPrincipalsCommand"
	$SUDO rm -f $PRINCIPALS_COMMAND
	exit 0
fi

if [ ! -x $PRINCIPALS_COMMAND ]; then
	echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
	    "(/var/run mounted noexec?)"
else
	# Test explicitly-specified principals
	#
	# Every scenario discards ssh's output and looks only at its exit
	# status. A "must be refused" case therefore passes on any non-zero
	# exit, whatever the cause; the "must succeed" cases run against the
	# same configuration and act as the control.
	for privsep in yes ; do
		_prefix="privsep $privsep"

		# Setup for AuthorizedPrincipalsCommand
		# authorized_keys is removed and AuthorizedKeysFile is "none",
		# leaving the CA named in TrustedUserCAKeys plus the helper's
		# output as the configured route. The helper runs as
		# ${LOGNAME} (AuthorizedPrincipalsCommandUser).
		rm -f $OBJ/authorized_keys_$USER
		{
			cat $OBJ/sshd_proxy_bak
			echo "UsePrivilegeSeparation $privsep"
			echo "AuthorizedKeysFile none"
			echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
			    "%u %t %T %i %s %F %f %k %K"
			echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
		} > $OBJ/sshd_proxy

		# XXX test missing command
		# XXX test failing command

		# Empty authorized_principals
		# The file holds a single empty line: no principal is offered,
		# so the login must be refused.
		verbose "$tid: ${_prefix} empty authorized_principals"
		echo > $OBJ/authorized_principals_$USER
		if ${SSH} -i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Wrong authorized_principals
		# "gregorsamsa" is not among the certificate's principals.
		verbose "$tid: ${_prefix} wrong authorized_principals"
		echo gregorsamsa > $OBJ/authorized_principals_$USER
		if ${SSH} -i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct authorized_principals
		# Positive control: the offered principal is in the certificate.
		verbose "$tid: ${_prefix} correct authorized_principals"
		echo mekmitasdigoat > $OBJ/authorized_principals_$USER
		if ! ${SSH} -i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1; then
			fail "ssh cert connect failed"
		fi

		# authorized_principals with bad key option
		# The principal is right but is preceded by "blah"; the line
		# must not be honoured.
		verbose "$tid: ${_prefix} authorized_principals bad key opt"
		echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
		if ${SSH} -i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=false
		# The client asks for "true"; a zero status would mean the
		# forced command was not applied. A refused login would also
		# produce the non-zero status that is accepted here.
		verbose "$tid: ${_prefix} authorized_principals command=false"
		echo 'command="false" mekmitasdigoat' > \
		    $OBJ/authorized_principals_$USER
		if ${SSH} -i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=true
		# The client asks for "false"; status 0 requires both a
		# successful login and the forced command replacing the
		# requested one.
		verbose "$tid: ${_prefix} authorized_principals command=true"
		echo 'command="true" mekmitasdigoat' > \
		    $OBJ/authorized_principals_$USER
		if ! ${SSH} -i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1; then
			fail "ssh cert connect failed"
		fi

		# Setup for principals= key option
		# The config goes back to the saved copy plus the privsep
		# line, without AuthorizedPrincipalsCommand or
		# TrustedUserCAKeys. The CA is now introduced by a
		# cert-authority line in authorized_keys.
		rm -f $OBJ/authorized_principals_$USER
		{
			cat $OBJ/sshd_proxy_bak
			echo "UsePrivilegeSeparation $privsep"
		} > $OBJ/sshd_proxy

		# Wrong principals list
		verbose "$tid: ${_prefix} wrong principals key option"
		{
			printf 'cert-authority,principals="gregorsamsa" '
			cat $OBJ/user_ca_key.pub
		} > $OBJ/authorized_keys_$USER
		if ${SSH} -i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct principals list
		verbose "$tid: ${_prefix} correct principals key option"
		{
			printf 'cert-authority,principals="mekmitasdigoat" '
			cat $OBJ/user_ca_key.pub
		} > $OBJ/authorized_keys_$USER
		if ! ${SSH} -i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1; then
			fail "ssh cert connect failed"
		fi
	done
fi