Blame - regress/cert-userkey.sh - platform/external/openssh

blob: 6a23fe300bf78b071b636f0c1ec8b13f44ea6f30 [file] [log] [blame]

djm@openbsd.org	dd36932	2017-04-30 23:34:55 +0000	[diff] [blame]	1	# $OpenBSD: cert-userkey.sh,v 1.18 2017/04/30 23:34:55 djm Exp $
Damien Miller	58ac6de	2010-02-27 07:57:12 +1100	[diff] [blame]	2	# Placed in the Public Domain.
				3
				4	tid="certified user keys"
				5
				6	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
				7	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
markus@openbsd.org	5bf0933	2015-07-10 06:23:25 +0000	[diff] [blame]	8	cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
Damien Miller	58ac6de	2010-02-27 07:57:12 +1100	[diff] [blame]	9
Damien Miller	f54542a	2013-12-07 16:32:44 +1100	[diff] [blame]	10	PLAIN_TYPES=`$SSH -Q key-plain \| sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
				11
djm@openbsd.org	67f1459	2016-05-02 09:52:00 +0000	[diff] [blame]	12	if echo "$PLAIN_TYPES" \| grep '^rsa$' >/dev/null 2>&1 ; then
				13	PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
				14	fi
				15
markus@openbsd.org	5bf0933	2015-07-10 06:23:25 +0000	[diff] [blame]	16	kname() {
djm@openbsd.org	67f1459	2016-05-02 09:52:00 +0000	[diff] [blame]	17	case $ktype in
				18	rsa-sha2-*) ;;
dtucker@openbsd.org	cca3b43	2016-05-03 12:15:49 +0000	[diff] [blame]	19	# subshell because some seds will add a newline
				20	*) n=$(echo $1 \| sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;;
djm@openbsd.org	67f1459	2016-05-02 09:52:00 +0000	[diff] [blame]	21	esac
dtucker@openbsd.org	cca3b43	2016-05-03 12:15:49 +0000	[diff] [blame]	22	echo "$n,ssh-rsa,ssh-ed25519*"
markus@openbsd.org	5bf0933	2015-07-10 06:23:25 +0000	[diff] [blame]	23	}
				24
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	25	# Create a CA key
Damien Miller	58ac6de	2010-02-27 07:57:12 +1100	[diff] [blame]	26	${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key \|\|\
				27	fail "ssh-keygen of user_ca_key failed"
Damien Miller	58ac6de	2010-02-27 07:57:12 +1100	[diff] [blame]	28
				29	# Generate and sign user keys
djm@openbsd.org	67f1459	2016-05-02 09:52:00 +0000	[diff] [blame]	30	for ktype in $PLAIN_TYPES $EXTRA_TYPES ; do
Damien Miller	58ac6de	2010-02-27 07:57:12 +1100	[diff] [blame]	31	verbose "$tid: sign user ${ktype} cert"
				32	${SSHKEYGEN} -q -N '' -t ${ktype} \
				33	-f $OBJ/cert_user_key_${ktype} \|\| \
djm@openbsd.org	67f1459	2016-05-02 09:52:00 +0000	[diff] [blame]	34	fatal "ssh-keygen of cert_user_key_${ktype} failed"
				35	# Generate RSA/SHA2 certs for rsa-sha2* keys.
				36	case $ktype in
				37	rsa-sha2-*) tflag="-t $ktype" ;;
				38	*) tflag="" ;;
				39	esac
				40	${SSHKEYGEN} -q -s $OBJ/user_ca_key -z $$ \
				41	-I "regress user key for $USER" \
				42	-n ${USER},mekmitasdigoat $tflag $OBJ/cert_user_key_${ktype} \|\| \
				43	fatal "couldn't sign cert_user_key_${ktype}"
Damien Miller	58ac6de	2010-02-27 07:57:12 +1100	[diff] [blame]	44	done
				45
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	46	# Test explicitly-specified principals
djm@openbsd.org	67f1459	2016-05-02 09:52:00 +0000	[diff] [blame]	47	for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
markus@openbsd.org	5bf0933	2015-07-10 06:23:25 +0000	[diff] [blame]	48	t=$(kname $ktype)
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	49	for privsep in yes no ; do
				50	_prefix="${ktype} privsep $privsep"
				51
				52	# Setup for AuthorizedPrincipalsFile
				53	rm -f $OBJ/authorized_keys_$USER
				54	(
				55	cat $OBJ/sshd_proxy_bak
				56	echo "UsePrivilegeSeparation $privsep"
				57	echo "AuthorizedPrincipalsFile " \
				58	"$OBJ/authorized_principals_%u"
				59	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
markus@openbsd.org	5bf0933	2015-07-10 06:23:25 +0000	[diff] [blame]	60	echo "PubkeyAcceptedKeyTypes ${t}"
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	61	) > $OBJ/sshd_proxy
markus@openbsd.org	5bf0933	2015-07-10 06:23:25 +0000	[diff] [blame]	62	(
				63	cat $OBJ/ssh_proxy_bak
				64	echo "PubkeyAcceptedKeyTypes ${t}"
				65	) > $OBJ/ssh_proxy
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	66
				67	# Missing authorized_principals
				68	verbose "$tid: ${_prefix} missing authorized_principals"
				69	rm -f $OBJ/authorized_principals_$USER
djm@openbsd.org	dd36932	2017-04-30 23:34:55 +0000	[diff] [blame]	70	${SSH} -i $OBJ/cert_user_key_${ktype} \
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	71	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
				72	if [ $? -eq 0 ]; then
				73	fail "ssh cert connect succeeded unexpectedly"
				74	fi
				75
				76	# Empty authorized_principals
				77	verbose "$tid: ${_prefix} empty authorized_principals"
				78	echo > $OBJ/authorized_principals_$USER
djm@openbsd.org	dd36932	2017-04-30 23:34:55 +0000	[diff] [blame]	79	${SSH} -i $OBJ/cert_user_key_${ktype} \
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	80	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
				81	if [ $? -eq 0 ]; then
				82	fail "ssh cert connect succeeded unexpectedly"
				83	fi
djm@openbsd.org	67f1459	2016-05-02 09:52:00 +0000	[diff] [blame]	84
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	85	# Wrong authorized_principals
				86	verbose "$tid: ${_prefix} wrong authorized_principals"
				87	echo gregorsamsa > $OBJ/authorized_principals_$USER
djm@openbsd.org	dd36932	2017-04-30 23:34:55 +0000	[diff] [blame]	88	${SSH} -i $OBJ/cert_user_key_${ktype} \
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	89	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
				90	if [ $? -eq 0 ]; then
				91	fail "ssh cert connect succeeded unexpectedly"
				92	fi
				93
				94	# Correct authorized_principals
				95	verbose "$tid: ${_prefix} correct authorized_principals"
				96	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
djm@openbsd.org	dd36932	2017-04-30 23:34:55 +0000	[diff] [blame]	97	${SSH} -i $OBJ/cert_user_key_${ktype} \
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	98	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
				99	if [ $? -ne 0 ]; then
				100	fail "ssh cert connect failed"
				101	fi
				102
Damien Miller	ab139cd	2010-07-02 13:42:18 +1000	[diff] [blame]	103	# authorized_principals with bad key option
				104	verbose "$tid: ${_prefix} authorized_principals bad key opt"
				105	echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
djm@openbsd.org	dd36932	2017-04-30 23:34:55 +0000	[diff] [blame]	106	${SSH} -i $OBJ/cert_user_key_${ktype} \
Damien Miller	ab139cd	2010-07-02 13:42:18 +1000	[diff] [blame]	107	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
				108	if [ $? -eq 0 ]; then
				109	fail "ssh cert connect succeeded unexpectedly"
				110	fi
				111
				112	# authorized_principals with command=false
				113	verbose "$tid: ${_prefix} authorized_principals command=false"
				114	echo 'command="false" mekmitasdigoat' > \
				115	$OBJ/authorized_principals_$USER
djm@openbsd.org	dd36932	2017-04-30 23:34:55 +0000	[diff] [blame]	116	${SSH} -i $OBJ/cert_user_key_${ktype} \
Damien Miller	ab139cd	2010-07-02 13:42:18 +1000	[diff] [blame]	117	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
				118	if [ $? -eq 0 ]; then
				119	fail "ssh cert connect succeeded unexpectedly"
				120	fi
				121
				122
				123	# authorized_principals with command=true
				124	verbose "$tid: ${_prefix} authorized_principals command=true"
				125	echo 'command="true" mekmitasdigoat' > \
				126	$OBJ/authorized_principals_$USER
djm@openbsd.org	dd36932	2017-04-30 23:34:55 +0000	[diff] [blame]	127	${SSH} -i $OBJ/cert_user_key_${ktype} \
Damien Miller	ab139cd	2010-07-02 13:42:18 +1000	[diff] [blame]	128	-F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
				129	if [ $? -ne 0 ]; then
				130	fail "ssh cert connect failed"
				131	fi
				132
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	133	# Setup for principals= key option
				134	rm -f $OBJ/authorized_principals_$USER
				135	(
				136	cat $OBJ/sshd_proxy_bak
				137	echo "UsePrivilegeSeparation $privsep"
markus@openbsd.org	5bf0933	2015-07-10 06:23:25 +0000	[diff] [blame]	138	echo "PubkeyAcceptedKeyTypes ${t}"
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	139	) > $OBJ/sshd_proxy
markus@openbsd.org	5bf0933	2015-07-10 06:23:25 +0000	[diff] [blame]	140	(
				141	cat $OBJ/ssh_proxy_bak
				142	echo "PubkeyAcceptedKeyTypes ${t}"
				143	) > $OBJ/ssh_proxy
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	144
				145	# Wrong principals list
				146	verbose "$tid: ${_prefix} wrong principals key option"
				147	(
Darren Tucker	56347ef	2013-05-17 13:28:36 +1000	[diff] [blame]	148	printf 'cert-authority,principals="gregorsamsa" '
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	149	cat $OBJ/user_ca_key.pub
				150	) > $OBJ/authorized_keys_$USER
djm@openbsd.org	dd36932	2017-04-30 23:34:55 +0000	[diff] [blame]	151	${SSH} -i $OBJ/cert_user_key_${ktype} \
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	152	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
				153	if [ $? -eq 0 ]; then
				154	fail "ssh cert connect succeeded unexpectedly"
				155	fi
				156
				157	# Correct principals list
				158	verbose "$tid: ${_prefix} correct principals key option"
				159	(
Darren Tucker	56347ef	2013-05-17 13:28:36 +1000	[diff] [blame]	160	printf 'cert-authority,principals="mekmitasdigoat" '
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	161	cat $OBJ/user_ca_key.pub
				162	) > $OBJ/authorized_keys_$USER
djm@openbsd.org	dd36932	2017-04-30 23:34:55 +0000	[diff] [blame]	163	${SSH} -i $OBJ/cert_user_key_${ktype} \
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	164	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
				165	if [ $? -ne 0 ]; then
				166	fail "ssh cert connect failed"
				167	fi
				168	done
				169	done
				170
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	171	basic_tests() {
				172	auth=$1
				173	if test "x$auth" = "xauthorized_keys" ; then
				174	# Add CA to authorized_keys
				175	(
Darren Tucker	56347ef	2013-05-17 13:28:36 +1000	[diff] [blame]	176	printf 'cert-authority '
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	177	cat $OBJ/user_ca_key.pub
				178	) > $OBJ/authorized_keys_$USER
				179	else
				180	echo > $OBJ/authorized_keys_$USER
				181	extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
				182	fi
djm@openbsd.org	67f1459	2016-05-02 09:52:00 +0000	[diff] [blame]	183
				184	for ktype in $PLAIN_TYPES ; do
markus@openbsd.org	5bf0933	2015-07-10 06:23:25 +0000	[diff] [blame]	185	t=$(kname $ktype)
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	186	for privsep in yes no ; do
				187	_prefix="${ktype} privsep $privsep $auth"
				188	# Simple connect
				189	verbose "$tid: ${_prefix} connect"
				190	(
				191	cat $OBJ/sshd_proxy_bak
				192	echo "UsePrivilegeSeparation $privsep"
markus@openbsd.org	5bf0933	2015-07-10 06:23:25 +0000	[diff] [blame]	193	echo "PubkeyAcceptedKeyTypes ${t}"
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	194	echo "$extra_sshd"
				195	) > $OBJ/sshd_proxy
markus@openbsd.org	5bf0933	2015-07-10 06:23:25 +0000	[diff] [blame]	196	(
				197	cat $OBJ/ssh_proxy_bak
				198	echo "PubkeyAcceptedKeyTypes ${t}"
				199	) > $OBJ/ssh_proxy
djm@openbsd.org	67f1459	2016-05-02 09:52:00 +0000	[diff] [blame]	200
djm@openbsd.org	dd36932	2017-04-30 23:34:55 +0000	[diff] [blame]	201	${SSH} -i $OBJ/cert_user_key_${ktype} \
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	202	-F $OBJ/ssh_proxy somehost true
				203	if [ $? -ne 0 ]; then
				204	fail "ssh cert connect failed"
				205	fi
				206
				207	# Revoked keys
				208	verbose "$tid: ${_prefix} revoked key"
				209	(
				210	cat $OBJ/sshd_proxy_bak
				211	echo "UsePrivilegeSeparation $privsep"
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	212	echo "RevokedKeys $OBJ/cert_user_key_revoked"
markus@openbsd.org	5bf0933	2015-07-10 06:23:25 +0000	[diff] [blame]	213	echo "PubkeyAcceptedKeyTypes ${t}"
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	214	echo "$extra_sshd"
				215	) > $OBJ/sshd_proxy
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	216	cp $OBJ/cert_user_key_${ktype}.pub \
				217	$OBJ/cert_user_key_revoked
djm@openbsd.org	dd36932	2017-04-30 23:34:55 +0000	[diff] [blame]	218	${SSH} -i $OBJ/cert_user_key_${ktype} \
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	219	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
				220	if [ $? -eq 0 ]; then
				221	fail "ssh cert connect succeeded unexpecedly"
				222	fi
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	223	verbose "$tid: ${_prefix} revoked via KRL"
				224	rm $OBJ/cert_user_key_revoked
				225	${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
				226	$OBJ/cert_user_key_${ktype}.pub
djm@openbsd.org	dd36932	2017-04-30 23:34:55 +0000	[diff] [blame]	227	${SSH} -i $OBJ/cert_user_key_${ktype} \
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	228	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
				229	if [ $? -eq 0 ]; then
				230	fail "ssh cert connect succeeded unexpecedly"
				231	fi
				232	verbose "$tid: ${_prefix} empty KRL"
				233	${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
djm@openbsd.org	dd36932	2017-04-30 23:34:55 +0000	[diff] [blame]	234	${SSH} -i $OBJ/cert_user_key_${ktype} \
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	235	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
				236	if [ $? -ne 0 ]; then
				237	fail "ssh cert connect failed"
				238	fi
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	239	done
djm@openbsd.org	67f1459	2016-05-02 09:52:00 +0000	[diff] [blame]	240
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	241	# Revoked CA
				242	verbose "$tid: ${ktype} $auth revoked CA key"
Damien Miller	58ac6de	2010-02-27 07:57:12 +1100	[diff] [blame]	243	(
				244	cat $OBJ/sshd_proxy_bak
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	245	echo "RevokedKeys $OBJ/user_ca_key.pub"
markus@openbsd.org	5bf0933	2015-07-10 06:23:25 +0000	[diff] [blame]	246	echo "PubkeyAcceptedKeyTypes ${t}"
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	247	echo "$extra_sshd"
Damien Miller	58ac6de	2010-02-27 07:57:12 +1100	[diff] [blame]	248	) > $OBJ/sshd_proxy
djm@openbsd.org	dd36932	2017-04-30 23:34:55 +0000	[diff] [blame]	249	${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	250	somehost true >/dev/null 2>&1
				251	if [ $? -eq 0 ]; then
				252	fail "ssh cert connect succeeded unexpecedly"
Damien Miller	58ac6de	2010-02-27 07:57:12 +1100	[diff] [blame]	253	fi
				254	done
djm@openbsd.org	67f1459	2016-05-02 09:52:00 +0000	[diff] [blame]	255
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	256	verbose "$tid: $auth CA does not authenticate"
				257	(
				258	cat $OBJ/sshd_proxy_bak
markus@openbsd.org	5bf0933	2015-07-10 06:23:25 +0000	[diff] [blame]	259	echo "PubkeyAcceptedKeyTypes ${t}"
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	260	echo "$extra_sshd"
				261	) > $OBJ/sshd_proxy
				262	verbose "$tid: ensure CA key does not authenticate user"
djm@openbsd.org	dd36932	2017-04-30 23:34:55 +0000	[diff] [blame]	263	${SSH} -i $OBJ/user_ca_key \
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	264	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
				265	if [ $? -eq 0 ]; then
				266	fail "ssh cert connect with CA key succeeded unexpectedly"
				267	fi
				268	}
Damien Miller	58ac6de	2010-02-27 07:57:12 +1100	[diff] [blame]	269
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	270	basic_tests authorized_keys
				271	basic_tests TrustedUserCAKeys
Damien Miller	58ac6de	2010-02-27 07:57:12 +1100	[diff] [blame]	272
				273	test_one() {
				274	ident=$1
				275	result=$2
				276	sign_opts=$3
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	277	auth_choice=$4
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	278	auth_opt=$5
Damien Miller	58ac6de	2010-02-27 07:57:12 +1100	[diff] [blame]	279
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	280	if test "x$auth_choice" = "x" ; then
				281	auth_choice="authorized_keys TrustedUserCAKeys"
Damien Miller	58ac6de	2010-02-27 07:57:12 +1100	[diff] [blame]	282	fi
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	283
				284	for auth in $auth_choice ; do
djm@openbsd.org	6a977a4	2015-07-03 04:39:23 +0000	[diff] [blame]	285	for ktype in rsa ed25519 ; do
Damien Miller	53f4bb6	2010-04-18 08:15:14 +1000	[diff] [blame]	286	cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
				287	if test "x$auth" = "xauthorized_keys" ; then
				288	# Add CA to authorized_keys
				289	(
Darren Tucker	56347ef	2013-05-17 13:28:36 +1000	[diff] [blame]	290	printf "cert-authority${auth_opt} "
Damien Miller	53f4bb6	2010-04-18 08:15:14 +1000	[diff] [blame]	291	cat $OBJ/user_ca_key.pub
				292	) > $OBJ/authorized_keys_$USER
				293	else
				294	echo > $OBJ/authorized_keys_$USER
				295	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
				296	>> $OBJ/sshd_proxy
markus@openbsd.org	5bf0933	2015-07-10 06:23:25 +0000	[diff] [blame]	297	echo "PubkeyAcceptedKeyTypes ${t}*" \
				298	>> $OBJ/sshd_proxy
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	299	if test "x$auth_opt" != "x" ; then
				300	echo $auth_opt >> $OBJ/sshd_proxy
				301	fi
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	302	fi
djm@openbsd.org	67f1459	2016-05-02 09:52:00 +0000	[diff] [blame]	303
Damien Miller	53f4bb6	2010-04-18 08:15:14 +1000	[diff] [blame]	304	verbose "$tid: $ident auth $auth expect $result $ktype"
				305	${SSHKEYGEN} -q -s $OBJ/user_ca_key \
				306	-I "regress user key for $USER" \
djm@openbsd.org	6a977a4	2015-07-03 04:39:23 +0000	[diff] [blame]	307	$sign_opts $OBJ/cert_user_key_${ktype} \|\|
Damien Miller	53f4bb6	2010-04-18 08:15:14 +1000	[diff] [blame]	308	fail "couldn't sign cert_user_key_${ktype}"
				309
djm@openbsd.org	dd36932	2017-04-30 23:34:55 +0000	[diff] [blame]	310	${SSH} -i $OBJ/cert_user_key_${ktype} \
Damien Miller	53f4bb6	2010-04-18 08:15:14 +1000	[diff] [blame]	311	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
				312	rc=$?
				313	if [ "x$result" = "xsuccess" ] ; then
				314	if [ $rc -ne 0 ]; then
				315	fail "$ident failed unexpectedly"
				316	fi
				317	else
				318	if [ $rc -eq 0 ]; then
				319	fail "$ident succeeded unexpectedly"
				320	fi
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	321	fi
Damien Miller	53f4bb6	2010-04-18 08:15:14 +1000	[diff] [blame]	322	done
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	323	done
Damien Miller	58ac6de	2010-02-27 07:57:12 +1100	[diff] [blame]	324	}
				325
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	326	test_one "correct principal" success "-n ${USER}"
				327	test_one "host-certificate" failure "-n ${USER} -h"
Damien Miller	58ac6de	2010-02-27 07:57:12 +1100	[diff] [blame]	328	test_one "wrong principals" failure "-n foo"
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	329	test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
				330	test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
				331	test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
				332	test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
				333	test_one "force-command" failure "-n ${USER} -Oforce-command=false"
				334
				335	# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
				336	test_one "empty principals" success "" authorized_keys
				337	test_one "empty principals" failure "" TrustedUserCAKeys
Damien Miller	58ac6de	2010-02-27 07:57:12 +1100	[diff] [blame]	338
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	339	# Check explicitly-specified principals: an empty principals list in the cert
				340	# should always be refused.
				341
				342	# AuthorizedPrincipalsFile
				343	rm -f $OBJ/authorized_keys_$USER
				344	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
				345	test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
				346	TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
				347	test_one "AuthorizedPrincipalsFile no principals" failure "" \
				348	TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
				349
				350	# principals= key option
				351	rm -f $OBJ/authorized_principals_$USER
				352	test_one "principals key option principals" success "-n mekmitasdigoat" \
				353	authorized_keys ',principals="mekmitasdigoat"'
				354	test_one "principals key option no principals" failure "" \
				355	authorized_keys ',principals="mekmitasdigoat"'
				356
djm@openbsd.org	85aa2ef	2016-11-30 03:01:33 +0000	[diff] [blame]	357	# command= options vs. force-command in key
				358	test_one "force-command match true" success \
				359	"-n ${USER} -Oforce-command=true" \
				360	authorized_keys ',command="true"'
				361	test_one "force-command match true" failure \
				362	"-n ${USER} -Oforce-command=false" \
				363	authorized_keys ',command="false"'
				364	test_one "force-command mismatch 1" failure \
				365	"-n ${USER} -Oforce-command=false" \
				366	authorized_keys ',command="true"'
				367	test_one "force-command mismatch 2" failure \
				368	"-n ${USER} -Oforce-command=true" \
				369	authorized_keys ',command="false"'
				370
Damien Miller	017d1e7	2010-03-04 21:57:21 +1100	[diff] [blame]	371	# Wrong certificate
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	372	cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
djm@openbsd.org	67f1459	2016-05-02 09:52:00 +0000	[diff] [blame]	373	for ktype in $PLAIN_TYPES ; do
markus@openbsd.org	5bf0933	2015-07-10 06:23:25 +0000	[diff] [blame]	374	t=$(kname $ktype)
Damien Miller	017d1e7	2010-03-04 21:57:21 +1100	[diff] [blame]	375	# Self-sign
djm@openbsd.org	6a977a4	2015-07-03 04:39:23 +0000	[diff] [blame]	376	${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
Damien Miller	017d1e7	2010-03-04 21:57:21 +1100	[diff] [blame]	377	"regress user key for $USER" \
				378	-n $USER $OBJ/cert_user_key_${ktype} \|\|
djm@openbsd.org	67f1459	2016-05-02 09:52:00 +0000	[diff] [blame]	379	fatal "couldn't sign cert_user_key_${ktype}"
Damien Miller	017d1e7	2010-03-04 21:57:21 +1100	[diff] [blame]	380	verbose "$tid: user ${ktype} connect wrong cert"
djm@openbsd.org	dd36932	2017-04-30 23:34:55 +0000	[diff] [blame]	381	${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
Damien Miller	017d1e7	2010-03-04 21:57:21 +1100	[diff] [blame]	382	somehost true >/dev/null 2>&1
				383	if [ $? -eq 0 ]; then
				384	fail "ssh cert connect $ident succeeded unexpectedly"
				385	fi
				386	done
				387
Damien Miller	58ac6de	2010-02-27 07:57:12 +1100	[diff] [blame]	388	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
Damien Miller	3bcce80	2010-05-21 14:48:16 +1000	[diff] [blame]	389	rm -f $OBJ/authorized_principals_$USER
Damien Miller	700dcfa	2010-03-04 21:58:01 +1100	[diff] [blame]	390