authorColin Watson <cjwatson@debian.org>2015-08-20 10:02:21 +0100
committerColin Watson <cjwatson@debian.org>2015-08-20 10:35:52 +0100
commitb06b9dabb90d7e2c7361f1db0bf1c59a2322506a (patch)
tree0322a33cf5ab900ec1bdca6e9ad9a1321b908786
parent2fb3683b54735e3b99706f0c44dbc9a062ff6987 (diff)
parent4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec (diff)
Let principals-command.sh work for noexec /var/run.
-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/changelog4
-rw-r--r--debian/patches/backport-regress-principals-command-noexec.patch257
-rw-r--r--debian/patches/series1
-rw-r--r--regress/principals-command.sh222
5 files changed, 376 insertions, 112 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 8d8bd30fa..a4ea9396d 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
25c0c1192be30b7c0e60d96b5e6739c4ad49f087b 24c2916a2d9c0445b41e34805ddfbd7e323cbe6ec
35c0c1192be30b7c0e60d96b5e6739c4ad49f087b 34c2916a2d9c0445b41e34805ddfbd7e323cbe6ec
4544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 4544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
5544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 5544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
6openssh_6.9p1.orig.tar.gz 6openssh_6.9p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index d98a173ea..13bb8da42 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -131,7 +131,8 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium
131 - sshd(8): Format UsePAM setting when using sshd -T (closes: #767648). 131 - sshd(8): Format UsePAM setting when using sshd -T (closes: #767648).
132 - moduli(5): Update DH-GEX moduli (closes: #787037). 132 - moduli(5): Update DH-GEX moduli (closes: #787037).
133 * There are some things I want to fix before upgrading to 7.0p1, though I 133 * There are some things I want to fix before upgrading to 7.0p1, though I
134 intend to do that soon. In the meantime, backport security patches: 134 intend to do that soon. In the meantime, backport some patches, mainly
135 to fix security issues:
135 - SECURITY: sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be 136 - SECURITY: sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be
136 world-writable. Local attackers may be able to write arbitrary 137 world-writable. Local attackers may be able to write arbitrary
137 messages to logged-in users, including terminal escape sequences. 138 messages to logged-in users, including terminal escape sequences.
@@ -152,6 +153,7 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium
152 times in a single pass. The LoginGraceTime timeout in sshd(8) and any 153 times in a single pass. The LoginGraceTime timeout in sshd(8) and any
153 authentication failure delays implemented by the authentication 154 authentication failure delays implemented by the authentication
154 mechanism itself were still applied. Found by Kingcope. 155 mechanism itself were still applied. Found by Kingcope.
156 - Let principals-command.sh work for noexec /var/run.
155 * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the 157 * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the
156 GSSAPI key exchange patch. 158 GSSAPI key exchange patch.
157 * Document the Debian-specific change to the default value of 159 * Document the Debian-specific change to the default value of
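diff --git a/debian/patches/backport-regress-principals-command-noexec.patch b/debian/patches/backport-regress-principals-command-noexec.patch
new file mode 100644
index 000000000..5d5f2d16e
--- /dev/null
+++ b/debian/patches/backport-regress-principals-command-noexec.patch
@@ -0,0 +1,257 @@
+From 4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Mon, 10 Aug 2015 11:13:44 +1000
+Subject: let principals-command.sh work for noexec /var/run
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=55b263fb7cfeacb81aaf1c2036e0394c881637da
+Forwarded: not-needed
+Last-Update: 2015-08-20
+
+Patch-Name: backport-regress-principals-command-noexec.patch
+---
+ regress/principals-command.sh | 222 +++++++++++++++++++++---------------------
+ 1 file changed, 113 insertions(+), 109 deletions(-)
+
+diff --git a/regress/principals-command.sh b/regress/principals-command.sh
+index 9006437..b90a8cf 100644
+--- a/regress/principals-command.sh
++++ b/regress/principals-command.sh
+@@ -14,15 +14,15 @@ fi
+
+ # Establish a AuthorizedPrincipalsCommand in /var/run where it will have
+ # acceptable directory permissions.
+-PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
+-cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
++PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
++cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
+ #!/bin/sh
+ test "x\$1" != "x${LOGNAME}" && exit 1
+ test -f "$OBJ/authorized_principals_${LOGNAME}" &&
+ exec cat "$OBJ/authorized_principals_${LOGNAME}"
+ _EOF
+ test $? -eq 0 || fatal "couldn't prepare principals command"
+-$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
++$SUDO chmod 0755 "$PRINCIPALS_CMD"
+
+ # Create a CA key and a user certificate.
+ ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
+@@ -33,109 +33,113 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+ -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
+ fatal "couldn't sign cert_user_key"
+
+-# Test explicitly-specified principals
+-for privsep in yes no ; do
+- _prefix="privsep $privsep"
+-
+- # Setup for AuthorizedPrincipalsCommand
+- rm -f $OBJ/authorized_keys_$USER
+- (
+- cat $OBJ/sshd_proxy_bak
+- echo "UsePrivilegeSeparation $privsep"
+- echo "AuthorizedKeysFile none"
+- echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
+- echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
+- echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+- ) > $OBJ/sshd_proxy
+-
+- # XXX test missing command
+- # XXX test failing command
+-
+- # Empty authorized_principals
+- verbose "$tid: ${_prefix} empty authorized_principals"
+- echo > $OBJ/authorized_principals_$USER
+- ${SSH} -2i $OBJ/cert_user_key \
+- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+- if [ $? -eq 0 ]; then
+- fail "ssh cert connect succeeded unexpectedly"
+- fi
+-
+- # Wrong authorized_principals
+- verbose "$tid: ${_prefix} wrong authorized_principals"
+- echo gregorsamsa > $OBJ/authorized_principals_$USER
+- ${SSH} -2i $OBJ/cert_user_key \
+- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+- if [ $? -eq 0 ]; then
+- fail "ssh cert connect succeeded unexpectedly"
+- fi
+-
+- # Correct authorized_principals
+- verbose "$tid: ${_prefix} correct authorized_principals"
+- echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+- ${SSH} -2i $OBJ/cert_user_key \
+- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+- if [ $? -ne 0 ]; then
+- fail "ssh cert connect failed"
+- fi
+-
+- # authorized_principals with bad key option
+- verbose "$tid: ${_prefix} authorized_principals bad key opt"
+- echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+- ${SSH} -2i $OBJ/cert_user_key \
+- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+- if [ $? -eq 0 ]; then
+- fail "ssh cert connect succeeded unexpectedly"
+- fi
+-
+- # authorized_principals with command=false
+- verbose "$tid: ${_prefix} authorized_principals command=false"
+- echo 'command="false" mekmitasdigoat' > \
+- $OBJ/authorized_principals_$USER
+- ${SSH} -2i $OBJ/cert_user_key \
+- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+- if [ $? -eq 0 ]; then
+- fail "ssh cert connect succeeded unexpectedly"
+- fi
+-
+-
+- # authorized_principals with command=true
+- verbose "$tid: ${_prefix} authorized_principals command=true"
+- echo 'command="true" mekmitasdigoat' > \
+- $OBJ/authorized_principals_$USER
+- ${SSH} -2i $OBJ/cert_user_key \
+- -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+- if [ $? -ne 0 ]; then
+- fail "ssh cert connect failed"
+- fi
+-
+- # Setup for principals= key option
+- rm -f $OBJ/authorized_principals_$USER
+- (
+- cat $OBJ/sshd_proxy_bak
+- echo "UsePrivilegeSeparation $privsep"
+- ) > $OBJ/sshd_proxy
+-
+- # Wrong principals list
+- verbose "$tid: ${_prefix} wrong principals key option"
+- (
+- printf 'cert-authority,principals="gregorsamsa" '
+- cat $OBJ/user_ca_key.pub
+- ) > $OBJ/authorized_keys_$USER
+- ${SSH} -2i $OBJ/cert_user_key \
+- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+- if [ $? -eq 0 ]; then
+- fail "ssh cert connect succeeded unexpectedly"
+- fi
+-
+- # Correct principals list
+- verbose "$tid: ${_prefix} correct principals key option"
+- (
+- printf 'cert-authority,principals="mekmitasdigoat" '
+- cat $OBJ/user_ca_key.pub
+- ) > $OBJ/authorized_keys_$USER
+- ${SSH} -2i $OBJ/cert_user_key \
+- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+- if [ $? -ne 0 ]; then
+- fail "ssh cert connect failed"
+- fi
+-done
++if [ -x $PRINCIPALS_CMD ]; then
++ # Test explicitly-specified principals
++ for privsep in yes no ; do
++ _prefix="privsep $privsep"
++
++ # Setup for AuthorizedPrincipalsCommand
++ rm -f $OBJ/authorized_keys_$USER
++ (
++ cat $OBJ/sshd_proxy_bak
++ echo "UsePrivilegeSeparation $privsep"
++ echo "AuthorizedKeysFile none"
++ echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
++ echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
++ echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
++ ) > $OBJ/sshd_proxy
++
++ # XXX test missing command
++ # XXX test failing command
++
++ # Empty authorized_principals
++ verbose "$tid: ${_prefix} empty authorized_principals"
++ echo > $OBJ/authorized_principals_$USER
++ ${SSH} -2i $OBJ/cert_user_key \
++ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
++ if [ $? -eq 0 ]; then
++ fail "ssh cert connect succeeded unexpectedly"
++ fi
++
++ # Wrong authorized_principals
++ verbose "$tid: ${_prefix} wrong authorized_principals"
++ echo gregorsamsa > $OBJ/authorized_principals_$USER
++ ${SSH} -2i $OBJ/cert_user_key \
++ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
++ if [ $? -eq 0 ]; then
++ fail "ssh cert connect succeeded unexpectedly"
++ fi
++
++ # Correct authorized_principals
++ verbose "$tid: ${_prefix} correct authorized_principals"
++ echo mekmitasdigoat > $OBJ/authorized_principals_$USER
++ ${SSH} -2i $OBJ/cert_user_key \
++ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
++ if [ $? -ne 0 ]; then
++ fail "ssh cert connect failed"
++ fi
++
++ # authorized_principals with bad key option
++ verbose "$tid: ${_prefix} authorized_principals bad key opt"
++ echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
++ ${SSH} -2i $OBJ/cert_user_key \
++ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
++ if [ $? -eq 0 ]; then
++ fail "ssh cert connect succeeded unexpectedly"
++ fi
++
++ # authorized_principals with command=false
++ verbose "$tid: ${_prefix} authorized_principals command=false"
++ echo 'command="false" mekmitasdigoat' > \
++ $OBJ/authorized_principals_$USER
++ ${SSH} -2i $OBJ/cert_user_key \
++ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
++ if [ $? -eq 0 ]; then
++ fail "ssh cert connect succeeded unexpectedly"
++ fi
++
++ # authorized_principals with command=true
++ verbose "$tid: ${_prefix} authorized_principals command=true"
++ echo 'command="true" mekmitasdigoat' > \
++ $OBJ/authorized_principals_$USER
++ ${SSH} -2i $OBJ/cert_user_key \
++ -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
++ if [ $? -ne 0 ]; then
++ fail "ssh cert connect failed"
++ fi
++
++ # Setup for principals= key option
++ rm -f $OBJ/authorized_principals_$USER
++ (
++ cat $OBJ/sshd_proxy_bak
++ echo "UsePrivilegeSeparation $privsep"
++ ) > $OBJ/sshd_proxy
++
++ # Wrong principals list
++ verbose "$tid: ${_prefix} wrong principals key option"
++ (
++ printf 'cert-authority,principals="gregorsamsa" '
++ cat $OBJ/user_ca_key.pub
++ ) > $OBJ/authorized_keys_$USER
++ ${SSH} -2i $OBJ/cert_user_key \
++ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
++ if [ $? -eq 0 ]; then
++ fail "ssh cert connect succeeded unexpectedly"
++ fi
++
++ # Correct principals list
++ verbose "$tid: ${_prefix} correct principals key option"
++ (
++ printf 'cert-authority,principals="mekmitasdigoat" '
++ cat $OBJ/user_ca_key.pub
++ ) > $OBJ/authorized_keys_$USER
++ ${SSH} -2i $OBJ/cert_user_key \
++ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
++ if [ $? -ne 0 ]; then
++ fail "ssh cert connect failed"
++ fi
++ done
++else
++ echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
++ "(/var/run mounted noexec?)"
++fi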
diff --git a/debian/patches/series b/debian/patches/series
index 188ec8abc..15c939708 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -31,3 +31,4 @@ backport-fix-pty-permissions.patch
31backport-do-not-resend-username-to-pam.patch 31backport-do-not-resend-username-to-pam.patch
32backport-pam-use-after-free.patch 32backport-pam-use-after-free.patch
33backport-kbdint-duplicates.patch 33backport-kbdint-duplicates.patch
34backport-regress-principals-command-noexec.patch
diff --git a/regress/principals-command.sh b/regress/principals-command.sh
index 90064373d..b90a8cf2c 100644
--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@@ -14,15 +14,15 @@ fi
14 14
15# Establish a AuthorizedPrincipalsCommand in /var/run where it will have 15# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
16# acceptable directory permissions. 16# acceptable directory permissions.
17PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}" 17PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
18cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" 18cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
19#!/bin/sh 19#!/bin/sh
20test "x\$1" != "x${LOGNAME}" && exit 1 20test "x\$1" != "x${LOGNAME}" && exit 1
21test -f "$OBJ/authorized_principals_${LOGNAME}" && 21test -f "$OBJ/authorized_principals_${LOGNAME}" &&
22 exec cat "$OBJ/authorized_principals_${LOGNAME}" 22 exec cat "$OBJ/authorized_principals_${LOGNAME}"
23_EOF 23_EOF
24test $? -eq 0 || fatal "couldn't prepare principals command" 24test $? -eq 0 || fatal "couldn't prepare principals command"
25$SUDO chmod 0755 "$PRINCIPALS_COMMAND" 25$SUDO chmod 0755 "$PRINCIPALS_CMD"
26 26
27# Create a CA key and a user certificate. 27# Create a CA key and a user certificate.
28${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ 28${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
@@ -33,109 +33,113 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
33 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ 33 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
34 fatal "couldn't sign cert_user_key" 34 fatal "couldn't sign cert_user_key"
35 35
36# Test explicitly-specified principals 36if [ -x $PRINCIPALS_CMD ]; then
37for privsep in yes no ; do 37 # Test explicitly-specified principals
38 _prefix="privsep $privsep" 38 for privsep in yes no ; do
39 39 _prefix="privsep $privsep"
40 # Setup for AuthorizedPrincipalsCommand 40
41 rm -f $OBJ/authorized_keys_$USER 41 # Setup for AuthorizedPrincipalsCommand
42 ( 42 rm -f $OBJ/authorized_keys_$USER
43 cat $OBJ/sshd_proxy_bak 43 (
44 echo "UsePrivilegeSeparation $privsep" 44 cat $OBJ/sshd_proxy_bak
45 echo "AuthorizedKeysFile none" 45 echo "UsePrivilegeSeparation $privsep"
46 echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u" 46 echo "AuthorizedKeysFile none"
47 echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" 47 echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
48 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" 48 echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
49 ) > $OBJ/sshd_proxy 49 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
50 50 ) > $OBJ/sshd_proxy
51 # XXX test missing command 51
52 # XXX test failing command 52 # XXX test missing command
53 53 # XXX test failing command
54 # Empty authorized_principals 54
55 verbose "$tid: ${_prefix} empty authorized_principals" 55 # Empty authorized_principals
56 echo > $OBJ/authorized_principals_$USER 56 verbose "$tid: ${_prefix} empty authorized_principals"
57 ${SSH} -2i $OBJ/cert_user_key \ 57 echo > $OBJ/authorized_principals_$USER
58 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 58 ${SSH} -2i $OBJ/cert_user_key \
59 if [ $? -eq 0 ]; then 59 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
60 fail "ssh cert connect succeeded unexpectedly" 60 if [ $? -eq 0 ]; then
61 fi 61 fail "ssh cert connect succeeded unexpectedly"
62 62 fi
63 # Wrong authorized_principals 63
64 verbose "$tid: ${_prefix} wrong authorized_principals" 64 # Wrong authorized_principals
65 echo gregorsamsa > $OBJ/authorized_principals_$USER 65 verbose "$tid: ${_prefix} wrong authorized_principals"
66 ${SSH} -2i $OBJ/cert_user_key \ 66 echo gregorsamsa > $OBJ/authorized_principals_$USER
67 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 67 ${SSH} -2i $OBJ/cert_user_key \
68 if [ $? -eq 0 ]; then 68 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
69 fail "ssh cert connect succeeded unexpectedly" 69 if [ $? -eq 0 ]; then
70 fi 70 fail "ssh cert connect succeeded unexpectedly"
71 71 fi
72 # Correct authorized_principals 72
73 verbose "$tid: ${_prefix} correct authorized_principals" 73 # Correct authorized_principals
74 echo mekmitasdigoat > $OBJ/authorized_principals_$USER 74 verbose "$tid: ${_prefix} correct authorized_principals"
75 ${SSH} -2i $OBJ/cert_user_key \ 75 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
76 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 76 ${SSH} -2i $OBJ/cert_user_key \
77 if [ $? -ne 0 ]; then 77 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
78 fail "ssh cert connect failed" 78 if [ $? -ne 0 ]; then
79 fi 79 fail "ssh cert connect failed"
80 80 fi
81 # authorized_principals with bad key option 81
82 verbose "$tid: ${_prefix} authorized_principals bad key opt" 82 # authorized_principals with bad key option
83 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER 83 verbose "$tid: ${_prefix} authorized_principals bad key opt"
84 ${SSH} -2i $OBJ/cert_user_key \ 84 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
85 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 85 ${SSH} -2i $OBJ/cert_user_key \
86 if [ $? -eq 0 ]; then 86 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
87 fail "ssh cert connect succeeded unexpectedly" 87 if [ $? -eq 0 ]; then
88 fi 88 fail "ssh cert connect succeeded unexpectedly"
89 89 fi
90 # authorized_principals with command=false 90
91 verbose "$tid: ${_prefix} authorized_principals command=false" 91 # authorized_principals with command=false
92 echo 'command="false" mekmitasdigoat' > \ 92 verbose "$tid: ${_prefix} authorized_principals command=false"
93 $OBJ/authorized_principals_$USER 93 echo 'command="false" mekmitasdigoat' > \
94 ${SSH} -2i $OBJ/cert_user_key \ 94 $OBJ/authorized_principals_$USER
95 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 95 ${SSH} -2i $OBJ/cert_user_key \
96 if [ $? -eq 0 ]; then 96 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
97 fail "ssh cert connect succeeded unexpectedly" 97 if [ $? -eq 0 ]; then
98 fi 98 fail "ssh cert connect succeeded unexpectedly"
99 99 fi
100 100
101 # authorized_principals with command=true 101 # authorized_principals with command=true
102 verbose "$tid: ${_prefix} authorized_principals command=true" 102 verbose "$tid: ${_prefix} authorized_principals command=true"
103 echo 'command="true" mekmitasdigoat' > \ 103 echo 'command="true" mekmitasdigoat' > \
104 $OBJ/authorized_principals_$USER 104 $OBJ/authorized_principals_$USER
105 ${SSH} -2i $OBJ/cert_user_key \ 105 ${SSH} -2i $OBJ/cert_user_key \
106 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 106 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
107 if [ $? -ne 0 ]; then 107 if [ $? -ne 0 ]; then
108 fail "ssh cert connect failed" 108 fail "ssh cert connect failed"
109 fi 109 fi
110 110
111 # Setup for principals= key option 111 # Setup for principals= key option
112 rm -f $OBJ/authorized_principals_$USER 112 rm -f $OBJ/authorized_principals_$USER
113 ( 113 (
114 cat $OBJ/sshd_proxy_bak 114 cat $OBJ/sshd_proxy_bak
115 echo "UsePrivilegeSeparation $privsep" 115 echo "UsePrivilegeSeparation $privsep"
116 ) > $OBJ/sshd_proxy 116 ) > $OBJ/sshd_proxy
117 117
118 # Wrong principals list 118 # Wrong principals list
119 verbose "$tid: ${_prefix} wrong principals key option" 119 verbose "$tid: ${_prefix} wrong principals key option"
120 ( 120 (
121 printf 'cert-authority,principals="gregorsamsa" ' 121 printf 'cert-authority,principals="gregorsamsa" '
122 cat $OBJ/user_ca_key.pub 122 cat $OBJ/user_ca_key.pub
123 ) > $OBJ/authorized_keys_$USER 123 ) > $OBJ/authorized_keys_$USER
124 ${SSH} -2i $OBJ/cert_user_key \ 124 ${SSH} -2i $OBJ/cert_user_key \
125 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 125 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
126 if [ $? -eq 0 ]; then 126 if [ $? -eq 0 ]; then
127 fail "ssh cert connect succeeded unexpectedly" 127 fail "ssh cert connect succeeded unexpectedly"
128 fi 128 fi
129 129
130 # Correct principals list 130 # Correct principals list
131 verbose "$tid: ${_prefix} correct principals key option" 131 verbose "$tid: ${_prefix} correct principals key option"
132 ( 132 (
133 printf 'cert-authority,principals="mekmitasdigoat" ' 133 printf 'cert-authority,principals="mekmitasdigoat" '
134 cat $OBJ/user_ca_key.pub 134 cat $OBJ/user_ca_key.pub
135 ) > $OBJ/authorized_keys_$USER 135 ) > $OBJ/authorized_keys_$USER
136 ${SSH} -2i $OBJ/cert_user_key \ 136 ${SSH} -2i $OBJ/cert_user_key \
137 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 137 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
138 if [ $? -ne 0 ]; then 138 if [ $? -ne 0 ]; then
139 fail "ssh cert connect failed" 139 fail "ssh cert connect failed"
140 fi 140 fi
141done 141 done
142else
143 echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
144 "(/var/run mounted noexec?)"
145fi
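Review bot: The skip message in the new `else` branch still expands `$PRINCIPALS_COMMAND`, which this change renames to `PRINCIPALS_CMD`, so on a noexec /var/run the message prints an empty path; it should read `echo "SKIPPED: $PRINCIPALS_CMD not executable " \`. The same line is carried in debian/patches/backport-regress-principals-command-noexec.patch. The `-x` guard also wraps the `principals=` key-option cases, which do not appear to use the command at all, so on such hosts that certificate-authorization coverage is dropped with only an echo and, as far as the visible lines show, no failure status; consider keeping those cases outside the guard. The test operand is unquoted too, and `if [ -x "$PRINCIPALS_CMD" ]; then` would be safer, since the path embeds `${LOGNAME}`.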