principals-command.sh revision 296781
1#	$OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $
2#	Placed in the Public Domain.
3
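# Test identifier; used as the prefix of the verbose messages in this test.
tid="authorized principals command"

# Start from a clean slate: drop key material left by an earlier run and keep
# a pristine copy of the sshd config that each test case extends.
# $OBJ is quoted so a build directory containing whitespace or glob
# characters cannot make rm/cp operate on unintended paths.
rm -f "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# The helper used by this test is created in /var/run, which needs elevated
# privileges; without SUDO the test is skipped rather than failed.
# NOTE: the skip exits 0, so a skipped run is indistinguishable from a pass
# by exit status alone; look for the "skipped" text when relying on this test.
if test -z "$SUDO" ; then
	echo "skipped (SUDO not set)"
	echo "need SUDO to create file in /var/run, test won't work without"
	exit 0
fi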
14
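# Establish an AuthorizedPrincipalsCommand in /var/run where it will have
# acceptable directory permissions.
PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
# The here-document delimiter is unquoted on purpose: ${LOGNAME} and $OBJ are
# expanded now and baked into the helper, while \$1 stays literal so the
# helper checks its own first argument (sshd is configured to pass %u) at
# run time. The helper prints the principals file only for that one user.
# The target path is handed to the privileged shell as a positional
# parameter instead of being spliced into the command string, so an unusual
# LOGNAME value cannot change the command that runs under $SUDO.
# $SUDO itself stays unquoted; presumably it may hold a command plus options.
cat << _EOF | $SUDO sh -c 'cat > "$1"' sh "$PRINCIPALS_CMD"
#!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
	exec cat "$OBJ/authorized_principals_${LOGNAME}"
_EOF
test $? -eq 0 || fatal "couldn't prepare principals command"
# World-readable and executable, writable by the owner only.
$SUDO chmod 0755 "$PRINCIPALS_CMD"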
26
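# Run the check-perm helper in "keys-command" mode against the installed
# file. A failure is reported as the path being unsuitable as an
# AuthorizedPrincipalsCommand; the helper is then removed and the test is
# skipped (exit 0) instead of failing.
if ! "$OBJ/check-perm" -m keys-command "$PRINCIPALS_CMD" ; then
	echo "skipping: $PRINCIPALS_CMD is unsuitable as " \
	    "AuthorizedPrincipalsCommand"
	$SUDO rm -f "$PRINCIPALS_CMD"
	exit 0
fi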
33
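# Create a CA key and a user certificate.
# Both keys are ed25519 with an empty passphrase (-N ''); they are throwaway
# test material written under $OBJ.
# ${SSHKEYGEN} stays unquoted; presumably it may hold a command plus options.
${SSHKEYGEN} -q -N '' -t ed25519  -f "$OBJ/user_ca_key" || \
	fatal "ssh-keygen of user_ca_key failed"
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/cert_user_key" || \
	fatal "ssh-keygen of cert_user_key failed"
# Sign the user key with the CA. The certificate lists two principals: the
# invoking user and the fixed test principal "mekmitasdigoat". The shell's
# PID is used as the certificate serial number (-z).
${SSHKEYGEN} -q -s "$OBJ/user_ca_key" -I "regress user key for $USER" \
    -z $$ -n "${USER},mekmitasdigoat" "$OBJ/cert_user_key" || \
	fatal "couldn't sign cert_user_key"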
42
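# Run the certificate-principals test matrix, once with privilege separation
# enabled and once without. Each case rewrites the principals source, makes
# one ssh connection with the test certificate, and checks whether the
# outcome (accept or reject) is the expected one.
#
# NOTE(review): the installed helper reads authorized_principals_${LOGNAME}
# while the cases below write authorized_principals_$USER; the test relies on
# LOGNAME and USER being equal -- confirm for the environment in use.
# NOTE(review): nothing in the visible part of this script removes
# $PRINCIPALS_CMD from /var/run after a completed run.
# ${SSH} stays unquoted; presumably it may hold a command plus options.
if [ -x "$PRINCIPALS_CMD" ]; then
	# Test explicitly-specified principals
	for privsep in yes no ; do
		_prefix="privsep $privsep"

		# Setup for AuthorizedPrincipalsCommand: no authorized_keys
		# file, so the only way in is a certificate signed by the
		# trusted CA whose principals are approved by the command.
		rm -f "$OBJ/authorized_keys_$USER"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "UsePrivilegeSeparation $privsep"
			echo "AuthorizedKeysFile none"
			echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
			echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
		) > "$OBJ/sshd_proxy"

		# XXX test missing command
		# XXX test failing command

		# Empty authorized_principals: no principal is listed, so the
		# certificate must be rejected.
		verbose "$tid: ${_prefix} empty authorized_principals"
		echo > "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Wrong authorized_principals: the listed name is not one of
		# the certificate's principals, so it must be rejected.
		verbose "$tid: ${_prefix} wrong authorized_principals"
		echo gregorsamsa > "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct authorized_principals: the listed name matches a
		# principal in the certificate, so the login must succeed.
		verbose "$tid: ${_prefix} correct authorized_principals"
		echo mekmitasdigoat > "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi

		# authorized_principals with bad key option: an unrecognised
		# option in front of a valid principal must not be accepted.
		verbose "$tid: ${_prefix} authorized_principals bad key opt"
		echo 'blah mekmitasdigoat' > "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=false: the client asks
		# for "true", so a zero exit status would mean the forced
		# command was not applied.
		verbose "$tid: ${_prefix} authorized_principals command=false"
		echo 'command="false" mekmitasdigoat' > \
		    "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=true: the client asks
		# for "false", so a zero exit status shows the forced command
		# replaced the requested one.
		verbose "$tid: ${_prefix} authorized_principals command=true"
		echo 'command="true" mekmitasdigoat' > \
		    "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost false >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi

		# Setup for principals= key option: the sshd config no longer
		# names a principals command or a trusted CA; the CA key is
		# instead listed in authorized_keys with cert-authority.
		rm -f "$OBJ/authorized_principals_$USER"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "UsePrivilegeSeparation $privsep"
		) > "$OBJ/sshd_proxy"

		# Wrong principals list
		verbose "$tid: ${_prefix} wrong principals key option"
		(
			printf 'cert-authority,principals="gregorsamsa" '
			cat "$OBJ/user_ca_key.pub"
		) > "$OBJ/authorized_keys_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct principals list
		verbose "$tid: ${_prefix} correct principals key option"
		(
			printf 'cert-authority,principals="mekmitasdigoat" '
			cat "$OBJ/user_ca_key.pub"
		) > "$OBJ/authorized_keys_$USER"
		${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi
	done
else
	# The variable set earlier in this script is PRINCIPALS_CMD; the
	# message previously expanded an unset name and printed no path.
	echo "SKIPPED: $PRINCIPALS_CMD not executable " \
	    "(/var/run mounted noexec?)"
fi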
153