markus@openbsd.org | 5bf0933 | 2015-07-10 06:23:25 +0000 | [diff] [blame] | 1 | # $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $ |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 2 | # Placed in the Public Domain. |
| 3 | |
| 4 | tid="certified user keys" |
| 5 | |
| 6 | rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* |
| 7 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
markus@openbsd.org | 5bf0933 | 2015-07-10 06:23:25 +0000 | [diff] [blame] | 8 | cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 9 | |
Damien Miller | f54542a | 2013-12-07 16:32:44 +1100 | [diff] [blame] | 10 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` |
| 11 | |
markus@openbsd.org | 5bf0933 | 2015-07-10 06:23:25 +0000 | [diff] [blame] | 12 | kname() { |
Damien Miller | 2651e34 | 2015-08-06 11:43:42 +1000 | [diff] [blame] | 13 | n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'` |
| 14 | echo "$n*,ssh-rsa*,ssh-ed25519*" |
markus@openbsd.org | 5bf0933 | 2015-07-10 06:23:25 +0000 | [diff] [blame] | 15 | } |
| 16 | |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 17 | # Create a CA key |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 18 | ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ |
| 19 | fail "ssh-keygen of user_ca_key failed" |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 20 | |
| 21 | # Generate and sign user keys |
Damien Miller | f54542a | 2013-12-07 16:32:44 +1100 | [diff] [blame] | 22 | for ktype in $PLAIN_TYPES ; do |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 23 | verbose "$tid: sign user ${ktype} cert" |
| 24 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ |
| 25 | -f $OBJ/cert_user_key_${ktype} || \ |
| 26 | fail "ssh-keygen of cert_user_key_${ktype} failed" |
Damien Miller | 6618e92 | 2012-12-03 10:09:04 +1100 | [diff] [blame] | 27 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ |
| 28 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 29 | fail "couldn't sign cert_user_key_${ktype}" |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 30 | done |
| 31 | |
Damien Miller | 3bcce80 | 2010-05-21 14:48:16 +1000 | [diff] [blame] | 32 | # Test explicitly-specified principals |
djm@openbsd.org | 6a977a4 | 2015-07-03 04:39:23 +0000 | [diff] [blame] | 33 | for ktype in $PLAIN_TYPES ; do |
markus@openbsd.org | 5bf0933 | 2015-07-10 06:23:25 +0000 | [diff] [blame] | 34 | t=$(kname $ktype) |
Damien Miller | 3bcce80 | 2010-05-21 14:48:16 +1000 | [diff] [blame] | 35 | for privsep in yes no ; do |
| 36 | _prefix="${ktype} privsep $privsep" |
| 37 | |
| 38 | # Setup for AuthorizedPrincipalsFile |
| 39 | rm -f $OBJ/authorized_keys_$USER |
| 40 | ( |
| 41 | cat $OBJ/sshd_proxy_bak |
| 42 | echo "UsePrivilegeSeparation $privsep" |
| 43 | echo "AuthorizedPrincipalsFile " \ |
| 44 | "$OBJ/authorized_principals_%u" |
| 45 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" |
markus@openbsd.org | 5bf0933 | 2015-07-10 06:23:25 +0000 | [diff] [blame] | 46 | echo "PubkeyAcceptedKeyTypes ${t}" |
Damien Miller | 3bcce80 | 2010-05-21 14:48:16 +1000 | [diff] [blame] | 47 | ) > $OBJ/sshd_proxy |
markus@openbsd.org | 5bf0933 | 2015-07-10 06:23:25 +0000 | [diff] [blame] | 48 | ( |
| 49 | cat $OBJ/ssh_proxy_bak |
| 50 | echo "PubkeyAcceptedKeyTypes ${t}" |
| 51 | ) > $OBJ/ssh_proxy |
Damien Miller | 3bcce80 | 2010-05-21 14:48:16 +1000 | [diff] [blame] | 52 | |
| 53 | # Missing authorized_principals |
| 54 | verbose "$tid: ${_prefix} missing authorized_principals" |
| 55 | rm -f $OBJ/authorized_principals_$USER |
| 56 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 57 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 58 | if [ $? -eq 0 ]; then |
| 59 | fail "ssh cert connect succeeded unexpectedly" |
| 60 | fi |
| 61 | |
| 62 | # Empty authorized_principals |
| 63 | verbose "$tid: ${_prefix} empty authorized_principals" |
| 64 | echo > $OBJ/authorized_principals_$USER |
| 65 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 66 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 67 | if [ $? -eq 0 ]; then |
| 68 | fail "ssh cert connect succeeded unexpectedly" |
| 69 | fi |
| 70 | |
| 71 | # Wrong authorized_principals |
| 72 | verbose "$tid: ${_prefix} wrong authorized_principals" |
| 73 | echo gregorsamsa > $OBJ/authorized_principals_$USER |
| 74 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 75 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 76 | if [ $? -eq 0 ]; then |
| 77 | fail "ssh cert connect succeeded unexpectedly" |
| 78 | fi |
| 79 | |
| 80 | # Correct authorized_principals |
| 81 | verbose "$tid: ${_prefix} correct authorized_principals" |
| 82 | echo mekmitasdigoat > $OBJ/authorized_principals_$USER |
| 83 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 84 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 85 | if [ $? -ne 0 ]; then |
| 86 | fail "ssh cert connect failed" |
| 87 | fi |
| 88 | |
Damien Miller | ab139cd | 2010-07-02 13:42:18 +1000 | [diff] [blame] | 89 | # authorized_principals with bad key option |
| 90 | verbose "$tid: ${_prefix} authorized_principals bad key opt" |
| 91 | echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER |
| 92 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 93 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 94 | if [ $? -eq 0 ]; then |
| 95 | fail "ssh cert connect succeeded unexpectedly" |
| 96 | fi |
| 97 | |
| 98 | # authorized_principals with command=false |
| 99 | verbose "$tid: ${_prefix} authorized_principals command=false" |
| 100 | echo 'command="false" mekmitasdigoat' > \ |
| 101 | $OBJ/authorized_principals_$USER |
| 102 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 103 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 104 | if [ $? -eq 0 ]; then |
| 105 | fail "ssh cert connect succeeded unexpectedly" |
| 106 | fi |
| 107 | |
| 108 | |
| 109 | # authorized_principals with command=true |
| 110 | verbose "$tid: ${_prefix} authorized_principals command=true" |
| 111 | echo 'command="true" mekmitasdigoat' > \ |
| 112 | $OBJ/authorized_principals_$USER |
| 113 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 114 | -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 |
| 115 | if [ $? -ne 0 ]; then |
| 116 | fail "ssh cert connect failed" |
| 117 | fi |
| 118 | |
Damien Miller | 3bcce80 | 2010-05-21 14:48:16 +1000 | [diff] [blame] | 119 | # Setup for principals= key option |
| 120 | rm -f $OBJ/authorized_principals_$USER |
| 121 | ( |
| 122 | cat $OBJ/sshd_proxy_bak |
| 123 | echo "UsePrivilegeSeparation $privsep" |
markus@openbsd.org | 5bf0933 | 2015-07-10 06:23:25 +0000 | [diff] [blame] | 124 | echo "PubkeyAcceptedKeyTypes ${t}" |
Damien Miller | 3bcce80 | 2010-05-21 14:48:16 +1000 | [diff] [blame] | 125 | ) > $OBJ/sshd_proxy |
markus@openbsd.org | 5bf0933 | 2015-07-10 06:23:25 +0000 | [diff] [blame] | 126 | ( |
| 127 | cat $OBJ/ssh_proxy_bak |
| 128 | echo "PubkeyAcceptedKeyTypes ${t}" |
| 129 | ) > $OBJ/ssh_proxy |
Damien Miller | 3bcce80 | 2010-05-21 14:48:16 +1000 | [diff] [blame] | 130 | |
| 131 | # Wrong principals list |
| 132 | verbose "$tid: ${_prefix} wrong principals key option" |
| 133 | ( |
Darren Tucker | 56347ef | 2013-05-17 13:28:36 +1000 | [diff] [blame] | 134 | printf 'cert-authority,principals="gregorsamsa" ' |
Damien Miller | 3bcce80 | 2010-05-21 14:48:16 +1000 | [diff] [blame] | 135 | cat $OBJ/user_ca_key.pub |
| 136 | ) > $OBJ/authorized_keys_$USER |
| 137 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 138 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 139 | if [ $? -eq 0 ]; then |
| 140 | fail "ssh cert connect succeeded unexpectedly" |
| 141 | fi |
| 142 | |
| 143 | # Correct principals list |
| 144 | verbose "$tid: ${_prefix} correct principals key option" |
| 145 | ( |
Darren Tucker | 56347ef | 2013-05-17 13:28:36 +1000 | [diff] [blame] | 146 | printf 'cert-authority,principals="mekmitasdigoat" ' |
Damien Miller | 3bcce80 | 2010-05-21 14:48:16 +1000 | [diff] [blame] | 147 | cat $OBJ/user_ca_key.pub |
| 148 | ) > $OBJ/authorized_keys_$USER |
| 149 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 150 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 151 | if [ $? -ne 0 ]; then |
| 152 | fail "ssh cert connect failed" |
| 153 | fi |
| 154 | done |
| 155 | done |
| 156 | |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 157 | basic_tests() { |
| 158 | auth=$1 |
| 159 | if test "x$auth" = "xauthorized_keys" ; then |
| 160 | # Add CA to authorized_keys |
| 161 | ( |
Darren Tucker | 56347ef | 2013-05-17 13:28:36 +1000 | [diff] [blame] | 162 | printf 'cert-authority ' |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 163 | cat $OBJ/user_ca_key.pub |
| 164 | ) > $OBJ/authorized_keys_$USER |
| 165 | else |
| 166 | echo > $OBJ/authorized_keys_$USER |
| 167 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" |
| 168 | fi |
| 169 | |
djm@openbsd.org | 6a977a4 | 2015-07-03 04:39:23 +0000 | [diff] [blame] | 170 | for ktype in $PLAIN_TYPES ; do |
markus@openbsd.org | 5bf0933 | 2015-07-10 06:23:25 +0000 | [diff] [blame] | 171 | t=$(kname $ktype) |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 172 | for privsep in yes no ; do |
| 173 | _prefix="${ktype} privsep $privsep $auth" |
| 174 | # Simple connect |
| 175 | verbose "$tid: ${_prefix} connect" |
| 176 | ( |
| 177 | cat $OBJ/sshd_proxy_bak |
| 178 | echo "UsePrivilegeSeparation $privsep" |
markus@openbsd.org | 5bf0933 | 2015-07-10 06:23:25 +0000 | [diff] [blame] | 179 | echo "PubkeyAcceptedKeyTypes ${t}" |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 180 | echo "$extra_sshd" |
| 181 | ) > $OBJ/sshd_proxy |
markus@openbsd.org | 5bf0933 | 2015-07-10 06:23:25 +0000 | [diff] [blame] | 182 | ( |
| 183 | cat $OBJ/ssh_proxy_bak |
| 184 | echo "PubkeyAcceptedKeyTypes ${t}" |
| 185 | ) > $OBJ/ssh_proxy |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 186 | |
| 187 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 188 | -F $OBJ/ssh_proxy somehost true |
| 189 | if [ $? -ne 0 ]; then |
| 190 | fail "ssh cert connect failed" |
| 191 | fi |
| 192 | |
| 193 | # Revoked keys |
| 194 | verbose "$tid: ${_prefix} revoked key" |
| 195 | ( |
| 196 | cat $OBJ/sshd_proxy_bak |
| 197 | echo "UsePrivilegeSeparation $privsep" |
Damien Miller | ebafebd | 2013-01-18 11:51:56 +1100 | [diff] [blame] | 198 | echo "RevokedKeys $OBJ/cert_user_key_revoked" |
markus@openbsd.org | 5bf0933 | 2015-07-10 06:23:25 +0000 | [diff] [blame] | 199 | echo "PubkeyAcceptedKeyTypes ${t}" |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 200 | echo "$extra_sshd" |
| 201 | ) > $OBJ/sshd_proxy |
Damien Miller | ebafebd | 2013-01-18 11:51:56 +1100 | [diff] [blame] | 202 | cp $OBJ/cert_user_key_${ktype}.pub \ |
| 203 | $OBJ/cert_user_key_revoked |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 204 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 205 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 206 | if [ $? -eq 0 ]; then |
| 207 | fail "ssh cert connect succeeded unexpecedly" |
| 208 | fi |
Damien Miller | ebafebd | 2013-01-18 11:51:56 +1100 | [diff] [blame] | 209 | verbose "$tid: ${_prefix} revoked via KRL" |
| 210 | rm $OBJ/cert_user_key_revoked |
| 211 | ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \ |
| 212 | $OBJ/cert_user_key_${ktype}.pub |
| 213 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 214 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 215 | if [ $? -eq 0 ]; then |
| 216 | fail "ssh cert connect succeeded unexpecedly" |
| 217 | fi |
| 218 | verbose "$tid: ${_prefix} empty KRL" |
| 219 | ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked |
| 220 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 221 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 222 | if [ $? -ne 0 ]; then |
| 223 | fail "ssh cert connect failed" |
| 224 | fi |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 225 | done |
| 226 | |
| 227 | # Revoked CA |
| 228 | verbose "$tid: ${ktype} $auth revoked CA key" |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 229 | ( |
| 230 | cat $OBJ/sshd_proxy_bak |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 231 | echo "RevokedKeys $OBJ/user_ca_key.pub" |
markus@openbsd.org | 5bf0933 | 2015-07-10 06:23:25 +0000 | [diff] [blame] | 232 | echo "PubkeyAcceptedKeyTypes ${t}" |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 233 | echo "$extra_sshd" |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 234 | ) > $OBJ/sshd_proxy |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 235 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 236 | somehost true >/dev/null 2>&1 |
| 237 | if [ $? -eq 0 ]; then |
| 238 | fail "ssh cert connect succeeded unexpecedly" |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 239 | fi |
| 240 | done |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 241 | |
| 242 | verbose "$tid: $auth CA does not authenticate" |
| 243 | ( |
| 244 | cat $OBJ/sshd_proxy_bak |
markus@openbsd.org | 5bf0933 | 2015-07-10 06:23:25 +0000 | [diff] [blame] | 245 | echo "PubkeyAcceptedKeyTypes ${t}" |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 246 | echo "$extra_sshd" |
| 247 | ) > $OBJ/sshd_proxy |
| 248 | verbose "$tid: ensure CA key does not authenticate user" |
| 249 | ${SSH} -2i $OBJ/user_ca_key \ |
| 250 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 251 | if [ $? -eq 0 ]; then |
| 252 | fail "ssh cert connect with CA key succeeded unexpectedly" |
| 253 | fi |
| 254 | } |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 255 | |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 256 | basic_tests authorized_keys |
| 257 | basic_tests TrustedUserCAKeys |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 258 | |
| 259 | test_one() { |
| 260 | ident=$1 |
| 261 | result=$2 |
| 262 | sign_opts=$3 |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 263 | auth_choice=$4 |
Damien Miller | 3bcce80 | 2010-05-21 14:48:16 +1000 | [diff] [blame] | 264 | auth_opt=$5 |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 265 | |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 266 | if test "x$auth_choice" = "x" ; then |
| 267 | auth_choice="authorized_keys TrustedUserCAKeys" |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 268 | fi |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 269 | |
| 270 | for auth in $auth_choice ; do |
djm@openbsd.org | 6a977a4 | 2015-07-03 04:39:23 +0000 | [diff] [blame] | 271 | for ktype in rsa ed25519 ; do |
Damien Miller | 53f4bb6 | 2010-04-18 08:15:14 +1000 | [diff] [blame] | 272 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
| 273 | if test "x$auth" = "xauthorized_keys" ; then |
| 274 | # Add CA to authorized_keys |
| 275 | ( |
Darren Tucker | 56347ef | 2013-05-17 13:28:36 +1000 | [diff] [blame] | 276 | printf "cert-authority${auth_opt} " |
Damien Miller | 53f4bb6 | 2010-04-18 08:15:14 +1000 | [diff] [blame] | 277 | cat $OBJ/user_ca_key.pub |
| 278 | ) > $OBJ/authorized_keys_$USER |
| 279 | else |
| 280 | echo > $OBJ/authorized_keys_$USER |
| 281 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ |
| 282 | >> $OBJ/sshd_proxy |
markus@openbsd.org | 5bf0933 | 2015-07-10 06:23:25 +0000 | [diff] [blame] | 283 | echo "PubkeyAcceptedKeyTypes ${t}*" \ |
| 284 | >> $OBJ/sshd_proxy |
Damien Miller | 3bcce80 | 2010-05-21 14:48:16 +1000 | [diff] [blame] | 285 | if test "x$auth_opt" != "x" ; then |
| 286 | echo $auth_opt >> $OBJ/sshd_proxy |
| 287 | fi |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 288 | fi |
Damien Miller | 53f4bb6 | 2010-04-18 08:15:14 +1000 | [diff] [blame] | 289 | |
| 290 | verbose "$tid: $ident auth $auth expect $result $ktype" |
| 291 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ |
| 292 | -I "regress user key for $USER" \ |
djm@openbsd.org | 6a977a4 | 2015-07-03 04:39:23 +0000 | [diff] [blame] | 293 | $sign_opts $OBJ/cert_user_key_${ktype} || |
Damien Miller | 53f4bb6 | 2010-04-18 08:15:14 +1000 | [diff] [blame] | 294 | fail "couldn't sign cert_user_key_${ktype}" |
| 295 | |
| 296 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 297 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 298 | rc=$? |
| 299 | if [ "x$result" = "xsuccess" ] ; then |
| 300 | if [ $rc -ne 0 ]; then |
| 301 | fail "$ident failed unexpectedly" |
| 302 | fi |
| 303 | else |
| 304 | if [ $rc -eq 0 ]; then |
| 305 | fail "$ident succeeded unexpectedly" |
| 306 | fi |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 307 | fi |
Damien Miller | 53f4bb6 | 2010-04-18 08:15:14 +1000 | [diff] [blame] | 308 | done |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 309 | done |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 310 | } |
| 311 | |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 312 | test_one "correct principal" success "-n ${USER}" |
| 313 | test_one "host-certificate" failure "-n ${USER} -h" |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 314 | test_one "wrong principals" failure "-n foo" |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 315 | test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101" |
| 316 | test_one "cert expired" failure "-n ${USER} -V19800101:19900101" |
| 317 | test_one "cert valid interval" success "-n ${USER} -V-1w:+2w" |
| 318 | test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8" |
| 319 | test_one "force-command" failure "-n ${USER} -Oforce-command=false" |
| 320 | |
| 321 | # Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals |
| 322 | test_one "empty principals" success "" authorized_keys |
| 323 | test_one "empty principals" failure "" TrustedUserCAKeys |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 324 | |
Damien Miller | 3bcce80 | 2010-05-21 14:48:16 +1000 | [diff] [blame] | 325 | # Check explicitly-specified principals: an empty principals list in the cert |
| 326 | # should always be refused. |
| 327 | |
| 328 | # AuthorizedPrincipalsFile |
| 329 | rm -f $OBJ/authorized_keys_$USER |
| 330 | echo mekmitasdigoat > $OBJ/authorized_principals_$USER |
| 331 | test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \ |
| 332 | TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" |
| 333 | test_one "AuthorizedPrincipalsFile no principals" failure "" \ |
| 334 | TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" |
| 335 | |
| 336 | # principals= key option |
| 337 | rm -f $OBJ/authorized_principals_$USER |
| 338 | test_one "principals key option principals" success "-n mekmitasdigoat" \ |
| 339 | authorized_keys ',principals="mekmitasdigoat"' |
| 340 | test_one "principals key option no principals" failure "" \ |
| 341 | authorized_keys ',principals="mekmitasdigoat"' |
| 342 | |
Damien Miller | 017d1e7 | 2010-03-04 21:57:21 +1100 | [diff] [blame] | 343 | # Wrong certificate |
Damien Miller | 3bcce80 | 2010-05-21 14:48:16 +1000 | [diff] [blame] | 344 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
djm@openbsd.org | 6a977a4 | 2015-07-03 04:39:23 +0000 | [diff] [blame] | 345 | for ktype in $PLAIN_TYPES ; do |
markus@openbsd.org | 5bf0933 | 2015-07-10 06:23:25 +0000 | [diff] [blame] | 346 | t=$(kname $ktype) |
Damien Miller | 017d1e7 | 2010-03-04 21:57:21 +1100 | [diff] [blame] | 347 | # Self-sign |
djm@openbsd.org | 6a977a4 | 2015-07-03 04:39:23 +0000 | [diff] [blame] | 348 | ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ |
Damien Miller | 017d1e7 | 2010-03-04 21:57:21 +1100 | [diff] [blame] | 349 | "regress user key for $USER" \ |
| 350 | -n $USER $OBJ/cert_user_key_${ktype} || |
| 351 | fail "couldn't sign cert_user_key_${ktype}" |
| 352 | verbose "$tid: user ${ktype} connect wrong cert" |
| 353 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ |
| 354 | somehost true >/dev/null 2>&1 |
| 355 | if [ $? -eq 0 ]; then |
| 356 | fail "ssh cert connect $ident succeeded unexpectedly" |
| 357 | fi |
| 358 | done |
| 359 | |
Damien Miller | 58ac6de | 2010-02-27 07:57:12 +1100 | [diff] [blame] | 360 | rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* |
Damien Miller | 3bcce80 | 2010-05-21 14:48:16 +1000 | [diff] [blame] | 361 | rm -f $OBJ/authorized_principals_$USER |
Damien Miller | 700dcfa | 2010-03-04 21:58:01 +1100 | [diff] [blame] | 362 | |