Let principals-command.sh work for noexec /var/run.

author: Colin Watson <cjwatson@debian.org> 2015-08-20 10:02:21 +0100
committer: Colin Watson <cjwatson@debian.org> 2015-08-20 10:35:52 +0100
commit: b06b9dabb90d7e2c7361f1db0bf1c59a2322506a (patch)
tree: 0322a33cf5ab900ec1bdca6e9ad9a1321b908786 /debian/patches
parent: 2fb3683b54735e3b99706f0c44dbc9a062ff6987 (diff)
parent: 4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec (diff)
2 files changed, 258 insertions, 0 deletions
diff --git a/debian/patches/backport-regress-principals-command-noexec.patch b/debian/patches/backport-regress-principals-command-noexec.patch
new file mode 100644
index 000000000..5d5f2d16e
--- /dev/null
+++ b/debian/patches/backport-regress-principals-command-noexec.patch
@@ -0,0 +1,257 @@
+From 4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Mon, 10 Aug 2015 11:13:44 +1000
+Subject: let principals-command.sh work for noexec /var/run
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=55b263fb7cfeacb81aaf1c2036e0394c881637da
+Forwarded: not-needed
+Last-Update: 2015-08-20
+Patch-Name: backport-regress-principals-command-noexec.patch
+---
+ regress/principals-command.sh | 222 +++++++++++++++++++++---------------------
+ 1 file changed, 113 insertions(+), 109 deletions(-)
+diff --git a/regress/principals-command.sh b/regress/principals-command.sh
+index 9006437..b90a8cf 100644
+--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
+@@ -14,15 +14,15 @@ fi
+ 
+ # Establish a AuthorizedPrincipalsCommand in /var/run where it will have
+ # acceptable directory permissions.
+-PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
+-cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
+PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
+cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
+ #!/bin/sh
+ test "x\$1" != "x${LOGNAME}" && exit 1
+ test -f "$OBJ/authorized_principals_${LOGNAME}" &&
+        exec cat "$OBJ/authorized_principals_${LOGNAME}"
+ _EOF
+ test $? -eq 0 || fatal "couldn't prepare principals command"
+-$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
+$SUDO chmod 0755 "$PRINCIPALS_CMD"
+ 
+ # Create a CA key and a user certificate.
+ ${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key || \
+@@ -33,109 +33,113 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+     -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
+        fatal "couldn't sign cert_user_key"
+ 
+-# Test explicitly-specified principals
+-for privsep in yes no ; do
+-       _prefix="privsep $privsep"
+-
+-       # Setup for AuthorizedPrincipalsCommand
+-       rm -f $OBJ/authorized_keys_$USER
+-       (
+-               cat $OBJ/sshd_proxy_bak
+-               echo "UsePrivilegeSeparation $privsep"
+-               echo "AuthorizedKeysFile none"
+-               echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
+-               echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
+-               echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+-       ) > $OBJ/sshd_proxy
+-
+-       # XXX test missing command
+-       # XXX test failing command
+-
+-       # Empty authorized_principals
+-       verbose "$tid: ${_prefix} empty authorized_principals"
+-       echo > $OBJ/authorized_principals_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -eq 0 ]; then
+-               fail "ssh cert connect succeeded unexpectedly"
+-       fi
+-
+-       # Wrong authorized_principals
+-       verbose "$tid: ${_prefix} wrong authorized_principals"
+-       echo gregorsamsa > $OBJ/authorized_principals_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -eq 0 ]; then
+-               fail "ssh cert connect succeeded unexpectedly"
+-       fi
+-
+-       # Correct authorized_principals
+-       verbose "$tid: ${_prefix} correct authorized_principals"
+-       echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -ne 0 ]; then
+-               fail "ssh cert connect failed"
+-       fi
+-
+-       # authorized_principals with bad key option
+-       verbose "$tid: ${_prefix} authorized_principals bad key opt"
+-       echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -eq 0 ]; then
+-               fail "ssh cert connect succeeded unexpectedly"
+-       fi
+-
+-       # authorized_principals with command=false
+-       verbose "$tid: ${_prefix} authorized_principals command=false"
+-       echo 'command="false" mekmitasdigoat' > \
+-           $OBJ/authorized_principals_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -eq 0 ]; then
+-               fail "ssh cert connect succeeded unexpectedly"
+-       fi
+-
+-
+-       # authorized_principals with command=true
+-       verbose "$tid: ${_prefix} authorized_principals command=true"
+-       echo 'command="true" mekmitasdigoat' > \
+-           $OBJ/authorized_principals_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+-       if [ $? -ne 0 ]; then
+-               fail "ssh cert connect failed"
+-       fi
+-
+-       # Setup for principals= key option
+-       rm -f $OBJ/authorized_principals_$USER
+-       (
+-               cat $OBJ/sshd_proxy_bak
+-               echo "UsePrivilegeSeparation $privsep"
+-       ) > $OBJ/sshd_proxy
+-
+-       # Wrong principals list
+-       verbose "$tid: ${_prefix} wrong principals key option"
+-       (
+-               printf 'cert-authority,principals="gregorsamsa" '
+-               cat $OBJ/user_ca_key.pub
+-       ) > $OBJ/authorized_keys_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -eq 0 ]; then
+-               fail "ssh cert connect succeeded unexpectedly"
+-       fi
+-
+-       # Correct principals list
+-       verbose "$tid: ${_prefix} correct principals key option"
+-       (
+-               printf 'cert-authority,principals="mekmitasdigoat" '
+-               cat $OBJ/user_ca_key.pub
+-       ) > $OBJ/authorized_keys_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -ne 0 ]; then
+-               fail "ssh cert connect failed"
+-       fi
+-done
+if [ -x $PRINCIPALS_CMD ]; then
+       # Test explicitly-specified principals
+       for privsep in yes no ; do
+               _prefix="privsep $privsep"
+
+               # Setup for AuthorizedPrincipalsCommand
+               rm -f $OBJ/authorized_keys_$USER
+               (
+                       cat $OBJ/sshd_proxy_bak
+                       echo "UsePrivilegeSeparation $privsep"
+                       echo "AuthorizedKeysFile none"
+                       echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
+                       echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
+                       echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+               ) > $OBJ/sshd_proxy
+
+               # XXX test missing command
+               # XXX test failing command
+
+               # Empty authorized_principals
+               verbose "$tid: ${_prefix} empty authorized_principals"
+               echo > $OBJ/authorized_principals_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -eq 0 ]; then
+                       fail "ssh cert connect succeeded unexpectedly"
+               fi
+
+               # Wrong authorized_principals
+               verbose "$tid: ${_prefix} wrong authorized_principals"
+               echo gregorsamsa > $OBJ/authorized_principals_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -eq 0 ]; then
+                       fail "ssh cert connect succeeded unexpectedly"
+               fi
+
+               # Correct authorized_principals
+               verbose "$tid: ${_prefix} correct authorized_principals"
+               echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -ne 0 ]; then
+                       fail "ssh cert connect failed"
+               fi
+
+               # authorized_principals with bad key option
+               verbose "$tid: ${_prefix} authorized_principals bad key opt"
+               echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -eq 0 ]; then
+                       fail "ssh cert connect succeeded unexpectedly"
+               fi
+
+               # authorized_principals with command=false
+               verbose "$tid: ${_prefix} authorized_principals command=false"
+               echo 'command="false" mekmitasdigoat' > \
+                   $OBJ/authorized_principals_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -eq 0 ]; then
+                       fail "ssh cert connect succeeded unexpectedly"
+               fi
+
+               # authorized_principals with command=true
+               verbose "$tid: ${_prefix} authorized_principals command=true"
+               echo 'command="true" mekmitasdigoat' > \
+                   $OBJ/authorized_principals_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+               if [ $? -ne 0 ]; then
+                       fail "ssh cert connect failed"
+               fi
+
+               # Setup for principals= key option
+               rm -f $OBJ/authorized_principals_$USER
+               (
+                       cat $OBJ/sshd_proxy_bak
+                       echo "UsePrivilegeSeparation $privsep"
+               ) > $OBJ/sshd_proxy
+
+               # Wrong principals list
+               verbose "$tid: ${_prefix} wrong principals key option"
+               (
+                       printf 'cert-authority,principals="gregorsamsa" '
+                       cat $OBJ/user_ca_key.pub
+               ) > $OBJ/authorized_keys_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -eq 0 ]; then
+                       fail "ssh cert connect succeeded unexpectedly"
+               fi
+
+               # Correct principals list
+               verbose "$tid: ${_prefix} correct principals key option"
+               (
+                       printf 'cert-authority,principals="mekmitasdigoat" '
+                       cat $OBJ/user_ca_key.pub
+               ) > $OBJ/authorized_keys_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -ne 0 ]; then
+                       fail "ssh cert connect failed"
+               fi
+       done
+else
+       echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
+           "(/var/run mounted noexec?)"
+fi
diff --git a/debian/patches/series b/debian/patches/series
index 188ec8abc..15c939708 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -31,3 +31,4 @@ backport-fix-pty-permissions.patch
 backport-do-not-resend-username-to-pam.patch
 backport-pam-use-after-free.patch
 backport-kbdint-duplicates.patch
+backport-regress-principals-command-noexec.patch
author	Colin Watson <cjwatson@debian.org>	2015-08-20 10:02:21 +0100
committer	Colin Watson <cjwatson@debian.org>	2015-08-20 10:35:52 +0100
commit	b06b9dabb90d7e2c7361f1db0bf1c59a2322506a (patch)
tree	0322a33cf5ab900ec1bdca6e9ad9a1321b908786 /debian/patches
parent	2fb3683b54735e3b99706f0c44dbc9a062ff6987 (diff)
parent	4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec (diff)

diff --git a/debian/patches/backport-regress-principals-command-noexec.patch b/debian/patches/backport-regress-principals-command-noexec.patch new file mode 100644 index 000000000..5d5f2d16e --- /dev/null +++ b/debian/patches/backport-regress-principals-command-noexec.patch
@@ -0,0 +1,257 @@
		1	From 4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec Mon Sep 17 00:00:00 2001
		2	From: Damien Miller <djm@mindrot.org>
		3	Date: Mon, 10 Aug 2015 11:13:44 +1000
		4	Subject: let principals-command.sh work for noexec /var/run
		5
		6	Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=55b263fb7cfeacb81aaf1c2036e0394c881637da
		7	Forwarded: not-needed
		8	Last-Update: 2015-08-20
		9
		10	Patch-Name: backport-regress-principals-command-noexec.patch
		11	---
		12	regress/principals-command.sh \| 222 +++++++++++++++++++++---------------------
		13	1 file changed, 113 insertions(+), 109 deletions(-)
		14
		15	diff --git a/regress/principals-command.sh b/regress/principals-command.sh
		16	index 9006437..b90a8cf 100644
		17	--- a/regress/principals-command.sh
		18	+++ b/regress/principals-command.sh
		19	@@ -14,15 +14,15 @@ fi
		20
		21	# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
		22	# acceptable directory permissions.
		23	-PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
		24	-cat << _EOF \| $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
		25	+PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
		26	+cat << _EOF \| $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
		27	#!/bin/sh
		28	test "x\$1" != "x${LOGNAME}" && exit 1
		29	test -f "$OBJ/authorized_principals_${LOGNAME}" &&
		30	exec cat "$OBJ/authorized_principals_${LOGNAME}"
		31	_EOF
		32	test $? -eq 0 \|\| fatal "couldn't prepare principals command"
		33	-$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
		34	+$SUDO chmod 0755 "$PRINCIPALS_CMD"
		35
		36	# Create a CA key and a user certificate.
		37	${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \|\| \
		38	@@ -33,109 +33,113 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
		39	-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key \|\| \
		40	fatal "couldn't sign cert_user_key"
		41
		42	-# Test explicitly-specified principals
		43	-for privsep in yes no ; do
		44	- _prefix="privsep $privsep"
		45	-
		46	- # Setup for AuthorizedPrincipalsCommand
		47	- rm -f $OBJ/authorized_keys_$USER
		48	- (
		49	- cat $OBJ/sshd_proxy_bak
		50	- echo "UsePrivilegeSeparation $privsep"
		51	- echo "AuthorizedKeysFile none"
		52	- echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
		53	- echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
		54	- echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
		55	- ) > $OBJ/sshd_proxy
		56	-
		57	- # XXX test missing command
		58	- # XXX test failing command
		59	-
		60	- # Empty authorized_principals
		61	- verbose "$tid: ${_prefix} empty authorized_principals"
		62	- echo > $OBJ/authorized_principals_$USER
		63	- ${SSH} -2i $OBJ/cert_user_key \
		64	- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		65	- if [ $? -eq 0 ]; then
		66	- fail "ssh cert connect succeeded unexpectedly"
		67	- fi
		68	-
		69	- # Wrong authorized_principals
		70	- verbose "$tid: ${_prefix} wrong authorized_principals"
		71	- echo gregorsamsa > $OBJ/authorized_principals_$USER
		72	- ${SSH} -2i $OBJ/cert_user_key \
		73	- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		74	- if [ $? -eq 0 ]; then
		75	- fail "ssh cert connect succeeded unexpectedly"
		76	- fi
		77	-
		78	- # Correct authorized_principals
		79	- verbose "$tid: ${_prefix} correct authorized_principals"
		80	- echo mekmitasdigoat > $OBJ/authorized_principals_$USER
		81	- ${SSH} -2i $OBJ/cert_user_key \
		82	- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		83	- if [ $? -ne 0 ]; then
		84	- fail "ssh cert connect failed"
		85	- fi
		86	-
		87	- # authorized_principals with bad key option
		88	- verbose "$tid: ${_prefix} authorized_principals bad key opt"
		89	- echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
		90	- ${SSH} -2i $OBJ/cert_user_key \
		91	- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		92	- if [ $? -eq 0 ]; then
		93	- fail "ssh cert connect succeeded unexpectedly"
		94	- fi
		95	-
		96	- # authorized_principals with command=false
		97	- verbose "$tid: ${_prefix} authorized_principals command=false"
		98	- echo 'command="false" mekmitasdigoat' > \
		99	- $OBJ/authorized_principals_$USER
		100	- ${SSH} -2i $OBJ/cert_user_key \
		101	- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		102	- if [ $? -eq 0 ]; then
		103	- fail "ssh cert connect succeeded unexpectedly"
		104	- fi
		105	-
		106	-
		107	- # authorized_principals with command=true
		108	- verbose "$tid: ${_prefix} authorized_principals command=true"
		109	- echo 'command="true" mekmitasdigoat' > \
		110	- $OBJ/authorized_principals_$USER
		111	- ${SSH} -2i $OBJ/cert_user_key \
		112	- -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
		113	- if [ $? -ne 0 ]; then
		114	- fail "ssh cert connect failed"
		115	- fi
		116	-
		117	- # Setup for principals= key option
		118	- rm -f $OBJ/authorized_principals_$USER
		119	- (
		120	- cat $OBJ/sshd_proxy_bak
		121	- echo "UsePrivilegeSeparation $privsep"
		122	- ) > $OBJ/sshd_proxy
		123	-
		124	- # Wrong principals list
		125	- verbose "$tid: ${_prefix} wrong principals key option"
		126	- (
		127	- printf 'cert-authority,principals="gregorsamsa" '
		128	- cat $OBJ/user_ca_key.pub
		129	- ) > $OBJ/authorized_keys_$USER
		130	- ${SSH} -2i $OBJ/cert_user_key \
		131	- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		132	- if [ $? -eq 0 ]; then
		133	- fail "ssh cert connect succeeded unexpectedly"
		134	- fi
		135	-
		136	- # Correct principals list
		137	- verbose "$tid: ${_prefix} correct principals key option"
		138	- (
		139	- printf 'cert-authority,principals="mekmitasdigoat" '
		140	- cat $OBJ/user_ca_key.pub
		141	- ) > $OBJ/authorized_keys_$USER
		142	- ${SSH} -2i $OBJ/cert_user_key \
		143	- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		144	- if [ $? -ne 0 ]; then
		145	- fail "ssh cert connect failed"
		146	- fi
		147	-done
		148	+if [ -x $PRINCIPALS_CMD ]; then
		149	+ # Test explicitly-specified principals
		150	+ for privsep in yes no ; do
		151	+ _prefix="privsep $privsep"
		152	+
		153	+ # Setup for AuthorizedPrincipalsCommand
		154	+ rm -f $OBJ/authorized_keys_$USER
		155	+ (
		156	+ cat $OBJ/sshd_proxy_bak
		157	+ echo "UsePrivilegeSeparation $privsep"
		158	+ echo "AuthorizedKeysFile none"
		159	+ echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
		160	+ echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
		161	+ echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
		162	+ ) > $OBJ/sshd_proxy
		163	+
		164	+ # XXX test missing command
		165	+ # XXX test failing command
		166	+
		167	+ # Empty authorized_principals
		168	+ verbose "$tid: ${_prefix} empty authorized_principals"
		169	+ echo > $OBJ/authorized_principals_$USER
		170	+ ${SSH} -2i $OBJ/cert_user_key \
		171	+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		172	+ if [ $? -eq 0 ]; then
		173	+ fail "ssh cert connect succeeded unexpectedly"
		174	+ fi
		175	+
		176	+ # Wrong authorized_principals
		177	+ verbose "$tid: ${_prefix} wrong authorized_principals"
		178	+ echo gregorsamsa > $OBJ/authorized_principals_$USER
		179	+ ${SSH} -2i $OBJ/cert_user_key \
		180	+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		181	+ if [ $? -eq 0 ]; then
		182	+ fail "ssh cert connect succeeded unexpectedly"
		183	+ fi
		184	+
		185	+ # Correct authorized_principals
		186	+ verbose "$tid: ${_prefix} correct authorized_principals"
		187	+ echo mekmitasdigoat > $OBJ/authorized_principals_$USER
		188	+ ${SSH} -2i $OBJ/cert_user_key \
		189	+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		190	+ if [ $? -ne 0 ]; then
		191	+ fail "ssh cert connect failed"
		192	+ fi
		193	+
		194	+ # authorized_principals with bad key option
		195	+ verbose "$tid: ${_prefix} authorized_principals bad key opt"
		196	+ echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
		197	+ ${SSH} -2i $OBJ/cert_user_key \
		198	+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		199	+ if [ $? -eq 0 ]; then
		200	+ fail "ssh cert connect succeeded unexpectedly"
		201	+ fi
		202	+
		203	+ # authorized_principals with command=false
		204	+ verbose "$tid: ${_prefix} authorized_principals command=false"
		205	+ echo 'command="false" mekmitasdigoat' > \
		206	+ $OBJ/authorized_principals_$USER
		207	+ ${SSH} -2i $OBJ/cert_user_key \
		208	+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		209	+ if [ $? -eq 0 ]; then
		210	+ fail "ssh cert connect succeeded unexpectedly"
		211	+ fi
		212	+
		213	+ # authorized_principals with command=true
		214	+ verbose "$tid: ${_prefix} authorized_principals command=true"
		215	+ echo 'command="true" mekmitasdigoat' > \
		216	+ $OBJ/authorized_principals_$USER
		217	+ ${SSH} -2i $OBJ/cert_user_key \
		218	+ -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
		219	+ if [ $? -ne 0 ]; then
		220	+ fail "ssh cert connect failed"
		221	+ fi
		222	+
		223	+ # Setup for principals= key option
		224	+ rm -f $OBJ/authorized_principals_$USER
		225	+ (
		226	+ cat $OBJ/sshd_proxy_bak
		227	+ echo "UsePrivilegeSeparation $privsep"
		228	+ ) > $OBJ/sshd_proxy
		229	+
		230	+ # Wrong principals list
		231	+ verbose "$tid: ${_prefix} wrong principals key option"
		232	+ (
		233	+ printf 'cert-authority,principals="gregorsamsa" '
		234	+ cat $OBJ/user_ca_key.pub
		235	+ ) > $OBJ/authorized_keys_$USER
		236	+ ${SSH} -2i $OBJ/cert_user_key \
		237	+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		238	+ if [ $? -eq 0 ]; then
		239	+ fail "ssh cert connect succeeded unexpectedly"
		240	+ fi
		241	+
		242	+ # Correct principals list
		243	+ verbose "$tid: ${_prefix} correct principals key option"
		244	+ (
		245	+ printf 'cert-authority,principals="mekmitasdigoat" '
		246	+ cat $OBJ/user_ca_key.pub
		247	+ ) > $OBJ/authorized_keys_$USER
		248	+ ${SSH} -2i $OBJ/cert_user_key \
		249	+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		250	+ if [ $? -ne 0 ]; then
		251	+ fail "ssh cert connect failed"
		252	+ fi
		253	+ done
		254	+else
		255	+ echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
		256	+ "(/var/run mounted noexec?)"
		257	+fi


diff --git a/debian/patches/series b/debian/patches/series index 188ec8abc..15c939708 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -31,3 +31,4 @@ backport-fix-pty-permissions.patch
31	backport-do-not-resend-username-to-pam.patch	31	backport-do-not-resend-username-to-pam.patch
32	backport-pam-use-after-free.patch	32	backport-pam-use-after-free.patch
33	backport-kbdint-duplicates.patch	33	backport-kbdint-duplicates.patch
		34	backport-regress-principals-command-noexec.patch