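#!/bin/sh
#
# Regenerate the SSH certificate fixtures (*.cert) used by the tests.
#
# A throwaway ed25519 CA key and user key are created with empty
# passphrases, a set of certificates with varying extensions and critical
# options is signed with the CA key, and the private keys are removed
# again so that only the certificates remain.  Requires ssh-keygen on PATH.

set -xe

# The generated private keys are unencrypted; remove them on every exit
# path so they do not outlive the run if a signing step fails under `set -e`.
cleanup() {
  rm -f -- ca_key ca_key.pub user_key user_key.pub user_key-cert.pub
}
trap cleanup EXIT

rm -f -- ca_key ca_key.pub
rm -f -- user_key user_key.pub
rm -f -- *.cert

ssh-keygen -q -f ca_key -t ed25519 -C CA -N ''
ssh-keygen -q -f user_key -t ed25519 -C "user key" -N ''

#######################################
# Sign user_key.pub with ca_key and store the resulting certificate.
# Arguments: $1 - output file name for the certificate
#            remaining args - extra ssh-keygen options (-O..., -h, ...)
# Outputs:   writes the certificate to $1
# Returns:   non-zero (and aborts the script via set -e) if signing fails
#######################################
sign() {
  output=$1
  shift
  # Key id, principal, validity window (already expired) and serial are
  # fixed so the same values appear in every fixture.
  ssh-keygen -q -s ca_key -I user -n user \
    -V 19990101:19991231 -z 1 "$@" user_key.pub
  mv -- user_key-cert.pub "$output"
}

# Every extension granted / every extension cleared.
sign all_permit.cert -Opermit-agent-forwarding -Opermit-port-forwarding \
  -Opermit-pty -Opermit-user-rc -Opermit-X11-forwarding
sign no_permit.cert -Oclear

# Default extension set with exactly one extension removed.
sign no_agentfwd.cert -Ono-agent-forwarding
sign no_portfwd.cert -Ono-port-forwarding
sign no_pty.cert -Ono-pty
sign no_user_rc.cert -Ono-user-rc
sign no_x11fwd.cert -Ono-X11-forwarding

# Cleared extension set with exactly one extension granted.
sign only_agentfwd.cert -Oclear -Opermit-agent-forwarding
sign only_portfwd.cert -Oclear -Opermit-port-forwarding
sign only_pty.cert -Oclear -Opermit-pty
sign only_user_rc.cert -Oclear -Opermit-user-rc
sign only_x11fwd.cert -Oclear -Opermit-X11-forwarding

# Critical options.
sign force_command.cert -Oforce-command="foo"
sign sourceaddr.cert -Osource-address="127.0.0.1/32,::1/128"

# ssh-keygen won't permit generation of certs with invalid source-address
# values, so we do it as a custom extension.
sign bad_sourceaddr.cert -Ocritical:source-address=xxxxx

# A critical option no implementation should recognise.
sign unknown_critical.cert -Ocritical:blah=foo

# -h: host certificate instead of a user certificate.
sign host.cert -h

# Private keys are removed by the EXIT trap above.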