author | Colin Watson <cjwatson@debian.org> | 2015-08-20 10:02:21 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2015-08-20 10:35:52 +0100 |
commit | b06b9dabb90d7e2c7361f1db0bf1c59a2322506a (patch) | |
tree | 0322a33cf5ab900ec1bdca6e9ad9a1321b908786 | |
parent | 2fb3683b54735e3b99706f0c44dbc9a062ff6987 (diff) | |
parent | 4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec (diff) |
Let principals-command.sh work for noexec /var/run.
-rw-r--r-- | debian/.git-dpm | 4 | ||||
-rw-r--r-- | debian/changelog | 4 | ||||
-rw-r--r-- | debian/patches/backport-regress-principals-command-noexec.patch | 257 | ||||
-rw-r--r-- | debian/patches/series | 1 | ||||
-rw-r--r-- | regress/principals-command.sh | 222 |
5 files changed, 376 insertions, 112 deletions
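--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-5c0c1192be30b7c0e60d96b5e6739c4ad49f087b
-5c0c1192be30b7c0e60d96b5e6739c4ad49f087b
+4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec
+4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec
 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
 openssh_6.9p1.orig.tar.gz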
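--- a/debian/changelog
+++ b/debian/changelog
@@ -131,7 +131,8 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium
 - sshd(8): Format UsePAM setting when using sshd -T (closes: #767648).
 - moduli(5): Update DH-GEX moduli (closes: #787037).
 * There are some things I want to fix before upgrading to 7.0p1, though I
-intend to do that soon. In the meantime, backport security patches:
+intend to do that soon. In the meantime, backport some patches, mainly
+to fix security issues:
 - SECURITY: sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be
 world-writable. Local attackers may be able to write arbitrary
 messages to logged-in users, including terminal escape sequences.
@@ -152,6 +153,7 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium
 times in a single pass. The LoginGraceTime timeout in sshd(8) and any
 authentication failure delays implemented by the authentication
 mechanism itself were still applied. Found by Kingcope.
+- Let principals-command.sh work for noexec /var/run.
 * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the
 GSSAPI key exchange patch.
 * Document the Debian-specific change to the default value of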
diff --git a/debian/patches/backport-regress-principals-command-noexec.patch b/debian/patches/backport-regress-principals-command-noexec.patch new file mode 100644 index 000000000..5d5f2d16e --- /dev/null +++ b/debian/patches/backport-regress-principals-command-noexec.patch | |||
@@ -0,0 +1,257 @@ | |||
1 | From 4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec Mon Sep 17 00:00:00 2001 | ||
2 | From: Damien Miller <djm@mindrot.org> | ||
3 | Date: Mon, 10 Aug 2015 11:13:44 +1000 | ||
4 | Subject: let principals-command.sh work for noexec /var/run | ||
5 | |||
6 | Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=55b263fb7cfeacb81aaf1c2036e0394c881637da | ||
7 | Forwarded: not-needed | ||
8 | Last-Update: 2015-08-20 | ||
9 | |||
10 | Patch-Name: backport-regress-principals-command-noexec.patch | ||
11 | --- | ||
12 | regress/principals-command.sh | 222 +++++++++++++++++++++--------------------- | ||
13 | 1 file changed, 113 insertions(+), 109 deletions(-) | ||
14 | |||
15 | diff --git a/regress/principals-command.sh b/regress/principals-command.sh | ||
16 | index 9006437..b90a8cf 100644 | ||
17 | --- a/regress/principals-command.sh | ||
18 | +++ b/regress/principals-command.sh | ||
19 | @@ -14,15 +14,15 @@ fi | ||
20 | |||
21 | # Establish a AuthorizedPrincipalsCommand in /var/run where it will have | ||
22 | # acceptable directory permissions. | ||
23 | -PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}" | ||
24 | -cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" | ||
25 | +PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}" | ||
26 | +cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'" | ||
27 | #!/bin/sh | ||
28 | test "x\$1" != "x${LOGNAME}" && exit 1 | ||
29 | test -f "$OBJ/authorized_principals_${LOGNAME}" && | ||
30 | exec cat "$OBJ/authorized_principals_${LOGNAME}" | ||
31 | _EOF | ||
32 | test $? -eq 0 || fatal "couldn't prepare principals command" | ||
33 | -$SUDO chmod 0755 "$PRINCIPALS_COMMAND" | ||
34 | +$SUDO chmod 0755 "$PRINCIPALS_CMD" | ||
35 | |||
36 | # Create a CA key and a user certificate. | ||
37 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ | ||
38 | @@ -33,109 +33,113 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ | ||
39 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ | ||
40 | fatal "couldn't sign cert_user_key" | ||
41 | |||
42 | -# Test explicitly-specified principals | ||
43 | -for privsep in yes no ; do | ||
44 | - _prefix="privsep $privsep" | ||
45 | - | ||
46 | - # Setup for AuthorizedPrincipalsCommand | ||
47 | - rm -f $OBJ/authorized_keys_$USER | ||
48 | - ( | ||
49 | - cat $OBJ/sshd_proxy_bak | ||
50 | - echo "UsePrivilegeSeparation $privsep" | ||
51 | - echo "AuthorizedKeysFile none" | ||
52 | - echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u" | ||
53 | - echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" | ||
54 | - echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" | ||
55 | - ) > $OBJ/sshd_proxy | ||
56 | - | ||
57 | - # XXX test missing command | ||
58 | - # XXX test failing command | ||
59 | - | ||
60 | - # Empty authorized_principals | ||
61 | - verbose "$tid: ${_prefix} empty authorized_principals" | ||
62 | - echo > $OBJ/authorized_principals_$USER | ||
63 | - ${SSH} -2i $OBJ/cert_user_key \ | ||
64 | - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
65 | - if [ $? -eq 0 ]; then | ||
66 | - fail "ssh cert connect succeeded unexpectedly" | ||
67 | - fi | ||
68 | - | ||
69 | - # Wrong authorized_principals | ||
70 | - verbose "$tid: ${_prefix} wrong authorized_principals" | ||
71 | - echo gregorsamsa > $OBJ/authorized_principals_$USER | ||
72 | - ${SSH} -2i $OBJ/cert_user_key \ | ||
73 | - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
74 | - if [ $? -eq 0 ]; then | ||
75 | - fail "ssh cert connect succeeded unexpectedly" | ||
76 | - fi | ||
77 | - | ||
78 | - # Correct authorized_principals | ||
79 | - verbose "$tid: ${_prefix} correct authorized_principals" | ||
80 | - echo mekmitasdigoat > $OBJ/authorized_principals_$USER | ||
81 | - ${SSH} -2i $OBJ/cert_user_key \ | ||
82 | - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
83 | - if [ $? -ne 0 ]; then | ||
84 | - fail "ssh cert connect failed" | ||
85 | - fi | ||
86 | - | ||
87 | - # authorized_principals with bad key option | ||
88 | - verbose "$tid: ${_prefix} authorized_principals bad key opt" | ||
89 | - echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER | ||
90 | - ${SSH} -2i $OBJ/cert_user_key \ | ||
91 | - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
92 | - if [ $? -eq 0 ]; then | ||
93 | - fail "ssh cert connect succeeded unexpectedly" | ||
94 | - fi | ||
95 | - | ||
96 | - # authorized_principals with command=false | ||
97 | - verbose "$tid: ${_prefix} authorized_principals command=false" | ||
98 | - echo 'command="false" mekmitasdigoat' > \ | ||
99 | - $OBJ/authorized_principals_$USER | ||
100 | - ${SSH} -2i $OBJ/cert_user_key \ | ||
101 | - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
102 | - if [ $? -eq 0 ]; then | ||
103 | - fail "ssh cert connect succeeded unexpectedly" | ||
104 | - fi | ||
105 | - | ||
106 | - | ||
107 | - # authorized_principals with command=true | ||
108 | - verbose "$tid: ${_prefix} authorized_principals command=true" | ||
109 | - echo 'command="true" mekmitasdigoat' > \ | ||
110 | - $OBJ/authorized_principals_$USER | ||
111 | - ${SSH} -2i $OBJ/cert_user_key \ | ||
112 | - -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 | ||
113 | - if [ $? -ne 0 ]; then | ||
114 | - fail "ssh cert connect failed" | ||
115 | - fi | ||
116 | - | ||
117 | - # Setup for principals= key option | ||
118 | - rm -f $OBJ/authorized_principals_$USER | ||
119 | - ( | ||
120 | - cat $OBJ/sshd_proxy_bak | ||
121 | - echo "UsePrivilegeSeparation $privsep" | ||
122 | - ) > $OBJ/sshd_proxy | ||
123 | - | ||
124 | - # Wrong principals list | ||
125 | - verbose "$tid: ${_prefix} wrong principals key option" | ||
126 | - ( | ||
127 | - printf 'cert-authority,principals="gregorsamsa" ' | ||
128 | - cat $OBJ/user_ca_key.pub | ||
129 | - ) > $OBJ/authorized_keys_$USER | ||
130 | - ${SSH} -2i $OBJ/cert_user_key \ | ||
131 | - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
132 | - if [ $? -eq 0 ]; then | ||
133 | - fail "ssh cert connect succeeded unexpectedly" | ||
134 | - fi | ||
135 | - | ||
136 | - # Correct principals list | ||
137 | - verbose "$tid: ${_prefix} correct principals key option" | ||
138 | - ( | ||
139 | - printf 'cert-authority,principals="mekmitasdigoat" ' | ||
140 | - cat $OBJ/user_ca_key.pub | ||
141 | - ) > $OBJ/authorized_keys_$USER | ||
142 | - ${SSH} -2i $OBJ/cert_user_key \ | ||
143 | - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
144 | - if [ $? -ne 0 ]; then | ||
145 | - fail "ssh cert connect failed" | ||
146 | - fi | ||
147 | -done | ||
148 | +if [ -x $PRINCIPALS_CMD ]; then | ||
149 | + # Test explicitly-specified principals | ||
150 | + for privsep in yes no ; do | ||
151 | + _prefix="privsep $privsep" | ||
152 | + | ||
153 | + # Setup for AuthorizedPrincipalsCommand | ||
154 | + rm -f $OBJ/authorized_keys_$USER | ||
155 | + ( | ||
156 | + cat $OBJ/sshd_proxy_bak | ||
157 | + echo "UsePrivilegeSeparation $privsep" | ||
158 | + echo "AuthorizedKeysFile none" | ||
159 | + echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u" | ||
160 | + echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" | ||
161 | + echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" | ||
162 | + ) > $OBJ/sshd_proxy | ||
163 | + | ||
164 | + # XXX test missing command | ||
165 | + # XXX test failing command | ||
166 | + | ||
167 | + # Empty authorized_principals | ||
168 | + verbose "$tid: ${_prefix} empty authorized_principals" | ||
169 | + echo > $OBJ/authorized_principals_$USER | ||
170 | + ${SSH} -2i $OBJ/cert_user_key \ | ||
171 | + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
172 | + if [ $? -eq 0 ]; then | ||
173 | + fail "ssh cert connect succeeded unexpectedly" | ||
174 | + fi | ||
175 | + | ||
176 | + # Wrong authorized_principals | ||
177 | + verbose "$tid: ${_prefix} wrong authorized_principals" | ||
178 | + echo gregorsamsa > $OBJ/authorized_principals_$USER | ||
179 | + ${SSH} -2i $OBJ/cert_user_key \ | ||
180 | + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
181 | + if [ $? -eq 0 ]; then | ||
182 | + fail "ssh cert connect succeeded unexpectedly" | ||
183 | + fi | ||
184 | + | ||
185 | + # Correct authorized_principals | ||
186 | + verbose "$tid: ${_prefix} correct authorized_principals" | ||
187 | + echo mekmitasdigoat > $OBJ/authorized_principals_$USER | ||
188 | + ${SSH} -2i $OBJ/cert_user_key \ | ||
189 | + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
190 | + if [ $? -ne 0 ]; then | ||
191 | + fail "ssh cert connect failed" | ||
192 | + fi | ||
193 | + | ||
194 | + # authorized_principals with bad key option | ||
195 | + verbose "$tid: ${_prefix} authorized_principals bad key opt" | ||
196 | + echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER | ||
197 | + ${SSH} -2i $OBJ/cert_user_key \ | ||
198 | + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
199 | + if [ $? -eq 0 ]; then | ||
200 | + fail "ssh cert connect succeeded unexpectedly" | ||
201 | + fi | ||
202 | + | ||
203 | + # authorized_principals with command=false | ||
204 | + verbose "$tid: ${_prefix} authorized_principals command=false" | ||
205 | + echo 'command="false" mekmitasdigoat' > \ | ||
206 | + $OBJ/authorized_principals_$USER | ||
207 | + ${SSH} -2i $OBJ/cert_user_key \ | ||
208 | + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
209 | + if [ $? -eq 0 ]; then | ||
210 | + fail "ssh cert connect succeeded unexpectedly" | ||
211 | + fi | ||
212 | + | ||
213 | + # authorized_principals with command=true | ||
214 | + verbose "$tid: ${_prefix} authorized_principals command=true" | ||
215 | + echo 'command="true" mekmitasdigoat' > \ | ||
216 | + $OBJ/authorized_principals_$USER | ||
217 | + ${SSH} -2i $OBJ/cert_user_key \ | ||
218 | + -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 | ||
219 | + if [ $? -ne 0 ]; then | ||
220 | + fail "ssh cert connect failed" | ||
221 | + fi | ||
222 | + | ||
223 | + # Setup for principals= key option | ||
224 | + rm -f $OBJ/authorized_principals_$USER | ||
225 | + ( | ||
226 | + cat $OBJ/sshd_proxy_bak | ||
227 | + echo "UsePrivilegeSeparation $privsep" | ||
228 | + ) > $OBJ/sshd_proxy | ||
229 | + | ||
230 | + # Wrong principals list | ||
231 | + verbose "$tid: ${_prefix} wrong principals key option" | ||
232 | + ( | ||
233 | + printf 'cert-authority,principals="gregorsamsa" ' | ||
234 | + cat $OBJ/user_ca_key.pub | ||
235 | + ) > $OBJ/authorized_keys_$USER | ||
236 | + ${SSH} -2i $OBJ/cert_user_key \ | ||
237 | + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
238 | + if [ $? -eq 0 ]; then | ||
239 | + fail "ssh cert connect succeeded unexpectedly" | ||
240 | + fi | ||
241 | + | ||
242 | + # Correct principals list | ||
243 | + verbose "$tid: ${_prefix} correct principals key option" | ||
244 | + ( | ||
245 | + printf 'cert-authority,principals="mekmitasdigoat" ' | ||
246 | + cat $OBJ/user_ca_key.pub | ||
247 | + ) > $OBJ/authorized_keys_$USER | ||
248 | + ${SSH} -2i $OBJ/cert_user_key \ | ||
249 | + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
250 | + if [ $? -ne 0 ]; then | ||
251 | + fail "ssh cert connect failed" | ||
252 | + fi | ||
253 | + done | ||
254 | +else | ||
255 | + echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \ | ||
256 | + "(/var/run mounted noexec?)" | ||
257 | +fi | ||
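Review bot: The SKIPPED message in the new `else` branch still expands `$PRINCIPALS_COMMAND`, which this patch renames to `PRINCIPALS_CMD` everywhere else, so on a noexec /var/run the message would print an empty path (assuming nothing else in the regress harness sets the old name). The line should read `echo "SKIPPED: $PRINCIPALS_CMD not executable " \`. The same stale name is visible in the regress/principals-command.sh section of this commit. The new guard would also be safer quoted, `if [ -x "$PRINCIPALS_CMD" ]; then`, because the path is built from `${LOGNAME}`.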
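--- a/debian/patches/series
+++ b/debian/patches/series
@@ -31,3 +31,4 @@ backport-fix-pty-permissions.patch
 backport-do-not-resend-username-to-pam.patch
 backport-pam-use-after-free.patch
 backport-kbdint-duplicates.patch
+backport-regress-principals-command-noexec.patch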
diff --git a/regress/principals-command.sh b/regress/principals-command.sh index 90064373d..b90a8cf2c 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh | |||
@@ -14,15 +14,15 @@ fi | |||
14 | 14 | ||
15 | # Establish a AuthorizedPrincipalsCommand in /var/run where it will have | 15 | # Establish a AuthorizedPrincipalsCommand in /var/run where it will have |
16 | # acceptable directory permissions. | 16 | # acceptable directory permissions. |
17 | PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}" | 17 | PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}" |
18 | cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" | 18 | cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'" |
19 | #!/bin/sh | 19 | #!/bin/sh |
20 | test "x\$1" != "x${LOGNAME}" && exit 1 | 20 | test "x\$1" != "x${LOGNAME}" && exit 1 |
21 | test -f "$OBJ/authorized_principals_${LOGNAME}" && | 21 | test -f "$OBJ/authorized_principals_${LOGNAME}" && |
22 | exec cat "$OBJ/authorized_principals_${LOGNAME}" | 22 | exec cat "$OBJ/authorized_principals_${LOGNAME}" |
23 | _EOF | 23 | _EOF |
24 | test $? -eq 0 || fatal "couldn't prepare principals command" | 24 | test $? -eq 0 || fatal "couldn't prepare principals command" |
25 | $SUDO chmod 0755 "$PRINCIPALS_COMMAND" | 25 | $SUDO chmod 0755 "$PRINCIPALS_CMD" |
26 | 26 | ||
27 | # Create a CA key and a user certificate. | 27 | # Create a CA key and a user certificate. |
28 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ | 28 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ |
@@ -33,109 +33,113 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ | |||
33 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ | 33 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ |
34 | fatal "couldn't sign cert_user_key" | 34 | fatal "couldn't sign cert_user_key" |
35 | 35 | ||
36 | # Test explicitly-specified principals | 36 | if [ -x $PRINCIPALS_CMD ]; then |
37 | for privsep in yes no ; do | 37 | # Test explicitly-specified principals |
38 | _prefix="privsep $privsep" | 38 | for privsep in yes no ; do |
39 | 39 | _prefix="privsep $privsep" | |
40 | # Setup for AuthorizedPrincipalsCommand | 40 | |
41 | rm -f $OBJ/authorized_keys_$USER | 41 | # Setup for AuthorizedPrincipalsCommand |
42 | ( | 42 | rm -f $OBJ/authorized_keys_$USER |
43 | cat $OBJ/sshd_proxy_bak | 43 | ( |
44 | echo "UsePrivilegeSeparation $privsep" | 44 | cat $OBJ/sshd_proxy_bak |
45 | echo "AuthorizedKeysFile none" | 45 | echo "UsePrivilegeSeparation $privsep" |
46 | echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u" | 46 | echo "AuthorizedKeysFile none" |
47 | echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" | 47 | echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u" |
48 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" | 48 | echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" |
49 | ) > $OBJ/sshd_proxy | 49 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" |
50 | 50 | ) > $OBJ/sshd_proxy | |
51 | # XXX test missing command | 51 | |
52 | # XXX test failing command | 52 | # XXX test missing command |
53 | 53 | # XXX test failing command | |
54 | # Empty authorized_principals | 54 | |
55 | verbose "$tid: ${_prefix} empty authorized_principals" | 55 | # Empty authorized_principals |
56 | echo > $OBJ/authorized_principals_$USER | 56 | verbose "$tid: ${_prefix} empty authorized_principals" |
57 | ${SSH} -2i $OBJ/cert_user_key \ | 57 | echo > $OBJ/authorized_principals_$USER |
58 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 58 | ${SSH} -2i $OBJ/cert_user_key \ |
59 | if [ $? -eq 0 ]; then | 59 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
60 | fail "ssh cert connect succeeded unexpectedly" | 60 | if [ $? -eq 0 ]; then |
61 | fi | 61 | fail "ssh cert connect succeeded unexpectedly" |
62 | 62 | fi | |
63 | # Wrong authorized_principals | 63 | |
64 | verbose "$tid: ${_prefix} wrong authorized_principals" | 64 | # Wrong authorized_principals |
65 | echo gregorsamsa > $OBJ/authorized_principals_$USER | 65 | verbose "$tid: ${_prefix} wrong authorized_principals" |
66 | ${SSH} -2i $OBJ/cert_user_key \ | 66 | echo gregorsamsa > $OBJ/authorized_principals_$USER |
67 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 67 | ${SSH} -2i $OBJ/cert_user_key \ |
68 | if [ $? -eq 0 ]; then | 68 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
69 | fail "ssh cert connect succeeded unexpectedly" | 69 | if [ $? -eq 0 ]; then |
70 | fi | 70 | fail "ssh cert connect succeeded unexpectedly" |
71 | 71 | fi | |
72 | # Correct authorized_principals | 72 | |
73 | verbose "$tid: ${_prefix} correct authorized_principals" | 73 | # Correct authorized_principals |
74 | echo mekmitasdigoat > $OBJ/authorized_principals_$USER | 74 | verbose "$tid: ${_prefix} correct authorized_principals" |
75 | ${SSH} -2i $OBJ/cert_user_key \ | 75 | echo mekmitasdigoat > $OBJ/authorized_principals_$USER |
76 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 76 | ${SSH} -2i $OBJ/cert_user_key \ |
77 | if [ $? -ne 0 ]; then | 77 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
78 | fail "ssh cert connect failed" | 78 | if [ $? -ne 0 ]; then |
79 | fi | 79 | fail "ssh cert connect failed" |
80 | 80 | fi | |
81 | # authorized_principals with bad key option | 81 | |
82 | verbose "$tid: ${_prefix} authorized_principals bad key opt" | 82 | # authorized_principals with bad key option |
83 | echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER | 83 | verbose "$tid: ${_prefix} authorized_principals bad key opt" |
84 | ${SSH} -2i $OBJ/cert_user_key \ | 84 | echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER |
85 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 85 | ${SSH} -2i $OBJ/cert_user_key \ |
86 | if [ $? -eq 0 ]; then | 86 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
87 | fail "ssh cert connect succeeded unexpectedly" | 87 | if [ $? -eq 0 ]; then |
88 | fi | 88 | fail "ssh cert connect succeeded unexpectedly" |
89 | 89 | fi | |
90 | # authorized_principals with command=false | 90 | |
91 | verbose "$tid: ${_prefix} authorized_principals command=false" | 91 | # authorized_principals with command=false |
92 | echo 'command="false" mekmitasdigoat' > \ | 92 | verbose "$tid: ${_prefix} authorized_principals command=false" |
93 | $OBJ/authorized_principals_$USER | 93 | echo 'command="false" mekmitasdigoat' > \ |
94 | ${SSH} -2i $OBJ/cert_user_key \ | 94 | $OBJ/authorized_principals_$USER |
95 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 95 | ${SSH} -2i $OBJ/cert_user_key \ |
96 | if [ $? -eq 0 ]; then | 96 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
97 | fail "ssh cert connect succeeded unexpectedly" | 97 | if [ $? -eq 0 ]; then |
98 | fi | 98 | fail "ssh cert connect succeeded unexpectedly" |
99 | 99 | fi | |
100 | 100 | ||
101 | # authorized_principals with command=true | 101 | # authorized_principals with command=true |
102 | verbose "$tid: ${_prefix} authorized_principals command=true" | 102 | verbose "$tid: ${_prefix} authorized_principals command=true" |
103 | echo 'command="true" mekmitasdigoat' > \ | 103 | echo 'command="true" mekmitasdigoat' > \ |
104 | $OBJ/authorized_principals_$USER | 104 | $OBJ/authorized_principals_$USER |
105 | ${SSH} -2i $OBJ/cert_user_key \ | 105 | ${SSH} -2i $OBJ/cert_user_key \ |
106 | -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 | 106 | -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 |
107 | if [ $? -ne 0 ]; then | 107 | if [ $? -ne 0 ]; then |
108 | fail "ssh cert connect failed" | 108 | fail "ssh cert connect failed" |
109 | fi | 109 | fi |
110 | 110 | ||
111 | # Setup for principals= key option | 111 | # Setup for principals= key option |
112 | rm -f $OBJ/authorized_principals_$USER | 112 | rm -f $OBJ/authorized_principals_$USER |
113 | ( | 113 | ( |
114 | cat $OBJ/sshd_proxy_bak | 114 | cat $OBJ/sshd_proxy_bak |
115 | echo "UsePrivilegeSeparation $privsep" | 115 | echo "UsePrivilegeSeparation $privsep" |
116 | ) > $OBJ/sshd_proxy | 116 | ) > $OBJ/sshd_proxy |
117 | 117 | ||
118 | # Wrong principals list | 118 | # Wrong principals list |
119 | verbose "$tid: ${_prefix} wrong principals key option" | 119 | verbose "$tid: ${_prefix} wrong principals key option" |
120 | ( | 120 | ( |
121 | printf 'cert-authority,principals="gregorsamsa" ' | 121 | printf 'cert-authority,principals="gregorsamsa" ' |
122 | cat $OBJ/user_ca_key.pub | 122 | cat $OBJ/user_ca_key.pub |
123 | ) > $OBJ/authorized_keys_$USER | 123 | ) > $OBJ/authorized_keys_$USER |
124 | ${SSH} -2i $OBJ/cert_user_key \ | 124 | ${SSH} -2i $OBJ/cert_user_key \ |
125 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 125 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
126 | if [ $? -eq 0 ]; then | 126 | if [ $? -eq 0 ]; then |
127 | fail "ssh cert connect succeeded unexpectedly" | 127 | fail "ssh cert connect succeeded unexpectedly" |
128 | fi | 128 | fi |
129 | 129 | ||
130 | # Correct principals list | 130 | # Correct principals list |
131 | verbose "$tid: ${_prefix} correct principals key option" | 131 | verbose "$tid: ${_prefix} correct principals key option" |
132 | ( | 132 | ( |
133 | printf 'cert-authority,principals="mekmitasdigoat" ' | 133 | printf 'cert-authority,principals="mekmitasdigoat" ' |
134 | cat $OBJ/user_ca_key.pub | 134 | cat $OBJ/user_ca_key.pub |
135 | ) > $OBJ/authorized_keys_$USER | 135 | ) > $OBJ/authorized_keys_$USER |
136 | ${SSH} -2i $OBJ/cert_user_key \ | 136 | ${SSH} -2i $OBJ/cert_user_key \ |
137 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 137 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
138 | if [ $? -ne 0 ]; then | 138 | if [ $? -ne 0 ]; then |
139 | fail "ssh cert connect failed" | 139 | fail "ssh cert connect failed" |
140 | fi | 140 | fi |
141 | done | 141 | done |
142 | else | ||
143 | echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \ | ||
144 | "(/var/run mounted noexec?)" | ||
145 | fi | ||
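Review bot: The new `if [ -x $PRINCIPALS_CMD ]` wraps the whole `for privsep` loop, so the two `principals=` key-option cases ("wrong principals key option" and "correct principals key option") are also skipped on a noexec /var/run. Their sshd_proxy setup writes only `UsePrivilegeSeparation` and does not reference AuthorizedPrincipalsCommand, so they do not appear to need the helper script. Guarding only the AuthorizedPrincipalsCommand half of the loop body would keep certificate-principal coverage on such hosts. The skip is reported with a plain `echo` rather than `fail`, so a run on a noexec host presumably counts as a pass; a comment above the `else`, such as `# AuthorizedPrincipalsCommand is not exercised at all on this host`, would make that loss of coverage explicit.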