Let principals-command.sh work for noexec /var/run.

author: Colin Watson <cjwatson@debian.org> 2015-08-20 10:02:21 +0100
committer: Colin Watson <cjwatson@debian.org> 2015-08-20 10:35:52 +0100
commit: b06b9dabb90d7e2c7361f1db0bf1c59a2322506a (patch)
tree: 0322a33cf5ab900ec1bdca6e9ad9a1321b908786
parent: 2fb3683b54735e3b99706f0c44dbc9a062ff6987 (diff)
parent: 4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec (diff)
5 files changed, 376 insertions, 112 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 8d8bd30fa..a4ea9396d 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-5c0c1192be30b7c0e60d96b5e6739c4ad49f087b
+4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec
-5c0c1192be30b7c0e60d96b5e6739c4ad49f087b
+4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec
 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
 openssh_6.9p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index d98a173ea..13bb8da42 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -131,7 +131,8 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium
    - sshd(8): Format UsePAM setting when using sshd -T (closes: #767648).
    - moduli(5): Update DH-GEX moduli (closes: #787037).
  * There are some things I want to fix before upgrading to 7.0p1, though I
-    intend to do that soon.  In the meantime, backport security patches:
+    intend to do that soon.  In the meantime, backport some patches, mainly
+    to fix security issues:
    - SECURITY: sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be
      world-writable.  Local attackers may be able to write arbitrary
      messages to logged-in users, including terminal escape sequences.
@@ -152,6 +153,7 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium
      times in a single pass.  The LoginGraceTime timeout in sshd(8) and any
      authentication failure delays implemented by the authentication
      mechanism itself were still applied.  Found by Kingcope.
+    - Let principals-command.sh work for noexec /var/run.
  * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the
    GSSAPI key exchange patch.
  * Document the Debian-specific change to the default value of
diff --git a/debian/patches/backport-regress-principals-command-noexec.patch b/debian/patches/backport-regress-principals-command-noexec.patch
new file mode 100644
index 000000000..5d5f2d16e
--- /dev/null
+++ b/debian/patches/backport-regress-principals-command-noexec.patch
@@ -0,0 +1,257 @@
+From 4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Mon, 10 Aug 2015 11:13:44 +1000
+Subject: let principals-command.sh work for noexec /var/run
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=55b263fb7cfeacb81aaf1c2036e0394c881637da
+Forwarded: not-needed
+Last-Update: 2015-08-20
+Patch-Name: backport-regress-principals-command-noexec.patch
+---
+ regress/principals-command.sh | 222 +++++++++++++++++++++---------------------
+ 1 file changed, 113 insertions(+), 109 deletions(-)
+diff --git a/regress/principals-command.sh b/regress/principals-command.sh
+index 9006437..b90a8cf 100644
+--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
+@@ -14,15 +14,15 @@ fi
+ 
+ # Establish a AuthorizedPrincipalsCommand in /var/run where it will have
+ # acceptable directory permissions.
+-PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
+-cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
+PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
+cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
+ #!/bin/sh
+ test "x\$1" != "x${LOGNAME}" && exit 1
+ test -f "$OBJ/authorized_principals_${LOGNAME}" &&
+        exec cat "$OBJ/authorized_principals_${LOGNAME}"
+ _EOF
+ test $? -eq 0 || fatal "couldn't prepare principals command"
+-$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
+$SUDO chmod 0755 "$PRINCIPALS_CMD"
+ 
+ # Create a CA key and a user certificate.
+ ${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key || \
+@@ -33,109 +33,113 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+     -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
+        fatal "couldn't sign cert_user_key"
+ 
+-# Test explicitly-specified principals
+-for privsep in yes no ; do
+-       _prefix="privsep $privsep"
+-
+-       # Setup for AuthorizedPrincipalsCommand
+-       rm -f $OBJ/authorized_keys_$USER
+-       (
+-               cat $OBJ/sshd_proxy_bak
+-               echo "UsePrivilegeSeparation $privsep"
+-               echo "AuthorizedKeysFile none"
+-               echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
+-               echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
+-               echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+-       ) > $OBJ/sshd_proxy
+-
+-       # XXX test missing command
+-       # XXX test failing command
+-
+-       # Empty authorized_principals
+-       verbose "$tid: ${_prefix} empty authorized_principals"
+-       echo > $OBJ/authorized_principals_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -eq 0 ]; then
+-               fail "ssh cert connect succeeded unexpectedly"
+-       fi
+-
+-       # Wrong authorized_principals
+-       verbose "$tid: ${_prefix} wrong authorized_principals"
+-       echo gregorsamsa > $OBJ/authorized_principals_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -eq 0 ]; then
+-               fail "ssh cert connect succeeded unexpectedly"
+-       fi
+-
+-       # Correct authorized_principals
+-       verbose "$tid: ${_prefix} correct authorized_principals"
+-       echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -ne 0 ]; then
+-               fail "ssh cert connect failed"
+-       fi
+-
+-       # authorized_principals with bad key option
+-       verbose "$tid: ${_prefix} authorized_principals bad key opt"
+-       echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -eq 0 ]; then
+-               fail "ssh cert connect succeeded unexpectedly"
+-       fi
+-
+-       # authorized_principals with command=false
+-       verbose "$tid: ${_prefix} authorized_principals command=false"
+-       echo 'command="false" mekmitasdigoat' > \
+-           $OBJ/authorized_principals_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -eq 0 ]; then
+-               fail "ssh cert connect succeeded unexpectedly"
+-       fi
+-
+-
+-       # authorized_principals with command=true
+-       verbose "$tid: ${_prefix} authorized_principals command=true"
+-       echo 'command="true" mekmitasdigoat' > \
+-           $OBJ/authorized_principals_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+-       if [ $? -ne 0 ]; then
+-               fail "ssh cert connect failed"
+-       fi
+-
+-       # Setup for principals= key option
+-       rm -f $OBJ/authorized_principals_$USER
+-       (
+-               cat $OBJ/sshd_proxy_bak
+-               echo "UsePrivilegeSeparation $privsep"
+-       ) > $OBJ/sshd_proxy
+-
+-       # Wrong principals list
+-       verbose "$tid: ${_prefix} wrong principals key option"
+-       (
+-               printf 'cert-authority,principals="gregorsamsa" '
+-               cat $OBJ/user_ca_key.pub
+-       ) > $OBJ/authorized_keys_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -eq 0 ]; then
+-               fail "ssh cert connect succeeded unexpectedly"
+-       fi
+-
+-       # Correct principals list
+-       verbose "$tid: ${_prefix} correct principals key option"
+-       (
+-               printf 'cert-authority,principals="mekmitasdigoat" '
+-               cat $OBJ/user_ca_key.pub
+-       ) > $OBJ/authorized_keys_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -ne 0 ]; then
+-               fail "ssh cert connect failed"
+-       fi
+-done
+if [ -x $PRINCIPALS_CMD ]; then
+       # Test explicitly-specified principals
+       for privsep in yes no ; do
+               _prefix="privsep $privsep"
+
+               # Setup for AuthorizedPrincipalsCommand
+               rm -f $OBJ/authorized_keys_$USER
+               (
+                       cat $OBJ/sshd_proxy_bak
+                       echo "UsePrivilegeSeparation $privsep"
+                       echo "AuthorizedKeysFile none"
+                       echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
+                       echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
+                       echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+               ) > $OBJ/sshd_proxy
+
+               # XXX test missing command
+               # XXX test failing command
+
+               # Empty authorized_principals
+               verbose "$tid: ${_prefix} empty authorized_principals"
+               echo > $OBJ/authorized_principals_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -eq 0 ]; then
+                       fail "ssh cert connect succeeded unexpectedly"
+               fi
+
+               # Wrong authorized_principals
+               verbose "$tid: ${_prefix} wrong authorized_principals"
+               echo gregorsamsa > $OBJ/authorized_principals_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -eq 0 ]; then
+                       fail "ssh cert connect succeeded unexpectedly"
+               fi
+
+               # Correct authorized_principals
+               verbose "$tid: ${_prefix} correct authorized_principals"
+               echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -ne 0 ]; then
+                       fail "ssh cert connect failed"
+               fi
+
+               # authorized_principals with bad key option
+               verbose "$tid: ${_prefix} authorized_principals bad key opt"
+               echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -eq 0 ]; then
+                       fail "ssh cert connect succeeded unexpectedly"
+               fi
+
+               # authorized_principals with command=false
+               verbose "$tid: ${_prefix} authorized_principals command=false"
+               echo 'command="false" mekmitasdigoat' > \
+                   $OBJ/authorized_principals_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -eq 0 ]; then
+                       fail "ssh cert connect succeeded unexpectedly"
+               fi
+
+               # authorized_principals with command=true
+               verbose "$tid: ${_prefix} authorized_principals command=true"
+               echo 'command="true" mekmitasdigoat' > \
+                   $OBJ/authorized_principals_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+               if [ $? -ne 0 ]; then
+                       fail "ssh cert connect failed"
+               fi
+
+               # Setup for principals= key option
+               rm -f $OBJ/authorized_principals_$USER
+               (
+                       cat $OBJ/sshd_proxy_bak
+                       echo "UsePrivilegeSeparation $privsep"
+               ) > $OBJ/sshd_proxy
+
+               # Wrong principals list
+               verbose "$tid: ${_prefix} wrong principals key option"
+               (
+                       printf 'cert-authority,principals="gregorsamsa" '
+                       cat $OBJ/user_ca_key.pub
+               ) > $OBJ/authorized_keys_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -eq 0 ]; then
+                       fail "ssh cert connect succeeded unexpectedly"
+               fi
+
+               # Correct principals list
+               verbose "$tid: ${_prefix} correct principals key option"
+               (
+                       printf 'cert-authority,principals="mekmitasdigoat" '
+                       cat $OBJ/user_ca_key.pub
+               ) > $OBJ/authorized_keys_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -ne 0 ]; then
+                       fail "ssh cert connect failed"
+               fi
+       done
+else
+       echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
+           "(/var/run mounted noexec?)"
+fi
diff --git a/debian/patches/series b/debian/patches/series
index 188ec8abc..15c939708 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -31,3 +31,4 @@ backport-fix-pty-permissions.patch
 backport-do-not-resend-username-to-pam.patch
 backport-pam-use-after-free.patch
 backport-kbdint-duplicates.patch
+backport-regress-principals-command-noexec.patch
diff --git a/regress/principals-command.sh b/regress/principals-command.sh
index 90064373d..b90a8cf2c 100644
--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@@ -14,15 +14,15 @@ fi
 # Establish a AuthorizedPrincipalsCommand in /var/run where it will have
 # acceptable directory permissions.
-PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
+PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
-cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
+cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
 #!/bin/sh
 test "x\$1" != "x${LOGNAME}" && exit 1
 test -f "$OBJ/authorized_principals_${LOGNAME}" &&
        exec cat "$OBJ/authorized_principals_${LOGNAME}"
 _EOF
 test $? -eq 0 || fatal "couldn't prepare principals command"
-$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
+$SUDO chmod 0755 "$PRINCIPALS_CMD"
 # Create a CA key and a user certificate.
 ${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key || \
@@ -33,109 +33,113 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
    -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
        fatal "couldn't sign cert_user_key"
-# Test explicitly-specified principals
+if [ -x $PRINCIPALS_CMD ]; then
-for privsep in yes no ; do
+        # Test explicitly-specified principals
-        _prefix="privsep $privsep"
+        for privsep in yes no ; do
+                _prefix="privsep $privsep"
-        # Setup for AuthorizedPrincipalsCommand
-        rm -f $OBJ/authorized_keys_$USER
+                # Setup for AuthorizedPrincipalsCommand
-        (
+                rm -f $OBJ/authorized_keys_$USER
-                cat $OBJ/sshd_proxy_bak
+                (
-                echo "UsePrivilegeSeparation $privsep"
+                        cat $OBJ/sshd_proxy_bak
-                echo "AuthorizedKeysFile none"
+                        echo "UsePrivilegeSeparation $privsep"
-                echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
+                        echo "AuthorizedKeysFile none"
-                echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
+                        echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
-                echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+                        echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
-        ) > $OBJ/sshd_proxy
+                        echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+                ) > $OBJ/sshd_proxy
-        # XXX test missing command
-        # XXX test failing command
+                # XXX test missing command
+                # XXX test failing command
-        # Empty authorized_principals
-        verbose "$tid: ${_prefix} empty authorized_principals"
+                # Empty authorized_principals
-        echo > $OBJ/authorized_principals_$USER
+                verbose "$tid: ${_prefix} empty authorized_principals"
-        ${SSH} -2i $OBJ/cert_user_key \
+                echo > $OBJ/authorized_principals_$USER
-            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                ${SSH} -2i $OBJ/cert_user_key \
-        if [ $? -eq 0 ]; then
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-                fail "ssh cert connect succeeded unexpectedly"
+                if [ $? -eq 0 ]; then
-        fi
+                        fail "ssh cert connect succeeded unexpectedly"
+                fi
-        # Wrong authorized_principals
-        verbose "$tid: ${_prefix} wrong authorized_principals"
+                # Wrong authorized_principals
-        echo gregorsamsa > $OBJ/authorized_principals_$USER
+                verbose "$tid: ${_prefix} wrong authorized_principals"
-        ${SSH} -2i $OBJ/cert_user_key \
+                echo gregorsamsa > $OBJ/authorized_principals_$USER
-            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                ${SSH} -2i $OBJ/cert_user_key \
-        if [ $? -eq 0 ]; then
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-                fail "ssh cert connect succeeded unexpectedly"
+                if [ $? -eq 0 ]; then
-        fi
+                        fail "ssh cert connect succeeded unexpectedly"
+                fi
-        # Correct authorized_principals
-        verbose "$tid: ${_prefix} correct authorized_principals"
+                # Correct authorized_principals
-        echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+                verbose "$tid: ${_prefix} correct authorized_principals"
-        ${SSH} -2i $OBJ/cert_user_key \
+                echo mekmitasdigoat > $OBJ/authorized_principals_$USER
-            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                ${SSH} -2i $OBJ/cert_user_key \
-        if [ $? -ne 0 ]; then
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-                fail "ssh cert connect failed"
+                if [ $? -ne 0 ]; then
-        fi
+                        fail "ssh cert connect failed"
+                fi
-        # authorized_principals with bad key option
-        verbose "$tid: ${_prefix} authorized_principals bad key opt"
+                # authorized_principals with bad key option
-        echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+                verbose "$tid: ${_prefix} authorized_principals bad key opt"
-        ${SSH} -2i $OBJ/cert_user_key \
+                echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
-            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                ${SSH} -2i $OBJ/cert_user_key \
-        if [ $? -eq 0 ]; then
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-                fail "ssh cert connect succeeded unexpectedly"
+                if [ $? -eq 0 ]; then
-        fi
+                        fail "ssh cert connect succeeded unexpectedly"
+                fi
-        # authorized_principals with command=false
-        verbose "$tid: ${_prefix} authorized_principals command=false"
+                # authorized_principals with command=false
-        echo 'command="false" mekmitasdigoat' > \
+                verbose "$tid: ${_prefix} authorized_principals command=false"
-            $OBJ/authorized_principals_$USER
+                echo 'command="false" mekmitasdigoat' > \
-        ${SSH} -2i $OBJ/cert_user_key \
+                    $OBJ/authorized_principals_$USER
-            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                ${SSH} -2i $OBJ/cert_user_key \
-        if [ $? -eq 0 ]; then
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-                fail "ssh cert connect succeeded unexpectedly"
+                if [ $? -eq 0 ]; then
-        fi
+                        fail "ssh cert connect succeeded unexpectedly"
+                fi
-        # authorized_principals with command=true
+                # authorized_principals with command=true
-        verbose "$tid: ${_prefix} authorized_principals command=true"
+                verbose "$tid: ${_prefix} authorized_principals command=true"
-        echo 'command="true" mekmitasdigoat' > \
+                echo 'command="true" mekmitasdigoat' > \
-            $OBJ/authorized_principals_$USER
+                    $OBJ/authorized_principals_$USER
-        ${SSH} -2i $OBJ/cert_user_key \
+                ${SSH} -2i $OBJ/cert_user_key \
-            -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+                    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
-        if [ $? -ne 0 ]; then
+                if [ $? -ne 0 ]; then
-                fail "ssh cert connect failed"
+                        fail "ssh cert connect failed"
-        fi
+                fi
-        # Setup for principals= key option
+                # Setup for principals= key option
-        rm -f $OBJ/authorized_principals_$USER
+                rm -f $OBJ/authorized_principals_$USER
-        (
+                (
-                cat $OBJ/sshd_proxy_bak
+                        cat $OBJ/sshd_proxy_bak
-                echo "UsePrivilegeSeparation $privsep"
+                        echo "UsePrivilegeSeparation $privsep"
-        ) > $OBJ/sshd_proxy
+                ) > $OBJ/sshd_proxy
-        # Wrong principals list
+                # Wrong principals list
-        verbose "$tid: ${_prefix} wrong principals key option"
+                verbose "$tid: ${_prefix} wrong principals key option"
-        (
+                (
-                printf 'cert-authority,principals="gregorsamsa" '
+                        printf 'cert-authority,principals="gregorsamsa" '
-                cat $OBJ/user_ca_key.pub
+                        cat $OBJ/user_ca_key.pub
-        ) > $OBJ/authorized_keys_$USER
+                ) > $OBJ/authorized_keys_$USER
-        ${SSH} -2i $OBJ/cert_user_key \
+                ${SSH} -2i $OBJ/cert_user_key \
-            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-        if [ $? -eq 0 ]; then
+                if [ $? -eq 0 ]; then
-                fail "ssh cert connect succeeded unexpectedly"
+                        fail "ssh cert connect succeeded unexpectedly"
-        fi
+                fi
-        # Correct principals list
+                # Correct principals list
-        verbose "$tid: ${_prefix} correct principals key option"
+                verbose "$tid: ${_prefix} correct principals key option"
-        (
+                (
-                printf 'cert-authority,principals="mekmitasdigoat" '
+                        printf 'cert-authority,principals="mekmitasdigoat" '
-                cat $OBJ/user_ca_key.pub
+                        cat $OBJ/user_ca_key.pub
-        ) > $OBJ/authorized_keys_$USER
+                ) > $OBJ/authorized_keys_$USER
-        ${SSH} -2i $OBJ/cert_user_key \
+                ${SSH} -2i $OBJ/cert_user_key \
-            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-        if [ $? -ne 0 ]; then
+                if [ $? -ne 0 ]; then
-                fail "ssh cert connect failed"
+                        fail "ssh cert connect failed"
-        fi
+                fi
-done
+        done
+else
+        echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
+            "(/var/run mounted noexec?)"
+fi
author	Colin Watson <cjwatson@debian.org>	2015-08-20 10:02:21 +0100
committer	Colin Watson <cjwatson@debian.org>	2015-08-20 10:35:52 +0100
commit	b06b9dabb90d7e2c7361f1db0bf1c59a2322506a (patch)
tree	0322a33cf5ab900ec1bdca6e9ad9a1321b908786
parent	2fb3683b54735e3b99706f0c44dbc9a062ff6987 (diff)
parent	4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec (diff)