principals-command.sh revision 295367
#	$OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $
#	Placed in the Public Domain.

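tid="authorized principals command"

# Start from a clean slate: remove CA and user key material left over from
# an earlier run, then keep a pristine copy of the sshd configuration so
# every test case below can rebuild sshd_proxy from the same baseline.
# OBJ is not defined in this file; presumably the regress harness that runs
# this script provides it (confirm against the harness).
# The expansions are quoted so a work directory containing whitespace or
# glob characters cannot make rm/cp touch unintended paths; the trailing
# "*" stays outside the quotes so it still globs.
rm -f "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"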
# The helper script has to be written into /var/run, which needs elevated
# privileges. Without SUDO nothing below can work, so report the skip and
# finish with a success status rather than a failure.
if [ -z "$SUDO" ]; then
	echo "skipped (SUDO not set)"
	echo "need SUDO to create file in /var/run, test won't work without"
	exit 0
fi
# Establish an AuthorizedPrincipalsCommand in /var/run where it will have
# acceptable directory permissions. Per sshd_config(5) the program must be
# owned by root and not writable by group or others, which is why it is
# written through $SUDO and then set to mode 0755.
#
# The here-document delimiter is unquoted, so ${LOGNAME} and $OBJ are
# expanded now and baked into the helper; only \$1 is left for the helper to
# evaluate at run time. The helper exits 1 unless its first argument is
# exactly that login name, and otherwise prints the per-user principals file
# from $OBJ if it exists.
#
# NOTE(review): $PRINCIPALS_CMD is interpolated into the string handed to
# the privileged "sh -c", and LOGNAME/OBJ into the helper body, so this
# assumes those values contain no quote or shell metacharacters.
PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
$SUDO sh -c "cat > '$PRINCIPALS_CMD'" << _EOF || fatal "couldn't prepare principals command"
#!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
	exec cat "$OBJ/authorized_principals_${LOGNAME}"
_EOF
# The chmod result is not checked here; the later "-x" test on the helper
# decides whether the test cases run or are skipped.
$SUDO chmod 0755 "$PRINCIPALS_CMD"
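# Create a CA key and a user certificate.
# Both keys are ed25519 with an empty passphrase (-N ''), i.e. unencrypted
# throwaway test keys kept under $OBJ.
# The certificate is signed by the CA (-s), uses this shell's PID as its
# serial number (-z $$) and lists two principals (-n): the invoking user's
# name and "mekmitasdigoat", the principal the test cases below authorise
# or withhold.
# Paths and the principals list are quoted so that whitespace or glob
# characters in OBJ or USER cannot split them into extra arguments.
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_ca_key" || \
	fatal "ssh-keygen of user_ca_key failed"
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/cert_user_key" || \
	fatal "ssh-keygen of cert_user_key failed"
${SSHKEYGEN} -q -s "$OBJ/user_ca_key" -I "regress user key for $USER" \
    -z $$ -n "${USER},mekmitasdigoat" "$OBJ/cert_user_key" || \
	fatal "couldn't sign cert_user_key"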
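# Run the test cases only if the helper ended up executable; otherwise
# report a skip (for example when /var/run is mounted noexec).
#
# Every negative case below only checks that ssh exits non-zero, with all
# output discarded, so it cannot tell a rejected principal apart from any
# other connection failure. The positive cases in the same loop iteration
# are what show that the configuration works at all.
#
# NOTE(review): the helper reads authorized_principals_${LOGNAME} while the
# cases here write authorized_principals_$USER; this assumes USER and
# LOGNAME name the same account -- confirm against the harness.
if [ -x "$PRINCIPALS_CMD" ]; then
	# Test explicitly-specified principals
	for privsep in yes no ; do
		_prefix="privsep $privsep"

		# Setup for AuthorizedPrincipalsCommand: no authorized_keys
		# file at all, so only the CA trust plus the principals
		# printed by the helper can authorise the certificate.
		# %u passes the target user name to the helper, which exits 1
		# for any other name.
		rm -f "$OBJ/authorized_keys_$USER"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "UsePrivilegeSeparation $privsep"
			echo "AuthorizedKeysFile none"
			echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
			echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
		) > "$OBJ/sshd_proxy"

		# XXX test missing command
		# XXX test failing command
		# (neither fail-closed path is exercised by this script yet)

		# Empty authorized_principals: no principal listed, login must
		# be refused.
		verbose "$tid: ${_prefix} empty authorized_principals"
		echo > "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Wrong authorized_principals: a principal the certificate
		# does not carry, login must be refused.
		verbose "$tid: ${_prefix} wrong authorized_principals"
		echo gregorsamsa > "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct authorized_principals: matches a principal in the
		# certificate, login must succeed.
		verbose "$tid: ${_prefix} correct authorized_principals"
		echo mekmitasdigoat > "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi

		# authorized_principals with bad key option: the right
		# principal preceded by an unrecognised option must not be
		# accepted.
		verbose "$tid: ${_prefix} authorized_principals bad key opt"
		echo 'blah mekmitasdigoat' > "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=false: the client asks
		# for "true", so a zero exit status would mean the forced
		# command was not applied.
		verbose "$tid: ${_prefix} authorized_principals command=false"
		echo 'command="false" mekmitasdigoat' > \
		    "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=true: the client asks
		# for "false", so a zero exit status shows the forced command
		# replaced the requested one.
		verbose "$tid: ${_prefix} authorized_principals command=true"
		echo 'command="true" mekmitasdigoat' > \
		    "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost false >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi

		# Setup for principals= key option: back to the baseline
		# config, with the CA trusted through a cert-authority line
		# in authorized_keys instead of through the helper.
		rm -f "$OBJ/authorized_principals_$USER"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "UsePrivilegeSeparation $privsep"
		) > "$OBJ/sshd_proxy"

		# Wrong principals list
		verbose "$tid: ${_prefix} wrong principals key option"
		(
			printf 'cert-authority,principals="gregorsamsa" '
			cat "$OBJ/user_ca_key.pub"
		) > "$OBJ/authorized_keys_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct principals list
		verbose "$tid: ${_prefix} correct principals key option"
		(
			printf 'cert-authority,principals="mekmitasdigoat" '
			cat "$OBJ/user_ca_key.pub"
		) > "$OBJ/authorized_keys_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi
	done
else
	# The original message expanded $PRINCIPALS_COMMAND, which this script
	# never sets, so the path was missing from the skip notice.
	echo "SKIPPED: $PRINCIPALS_CMD not executable " \
	    "(/var/run mounted noexec?)"
fi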