author | Colin Watson <cjwatson@debian.org> | 2016-12-20 00:22:52 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2016-12-20 00:22:52 +0000 |
commit | 971a7653746a6972b907dfe0ce139c06e4a6f482 (patch) | |
tree | 70fb964265d57ae4967be55b75dbb2a122e9b969 /regress/principals-command.sh | |
parent | a8ed8d256b2e2c05b0c15565a7938028c5192277 (diff) | |
parent | 4a354fc231174901f2629437c2a6e924a2dd6772 (diff) |
Import openssh_7.4p1.orig.tar.gz
Diffstat (limited to 'regress/principals-command.sh')
-rw-r--r-- | regress/principals-command.sh | 54 |
1 files changed, 35 insertions, 19 deletions
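--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $
+# $OpenBSD: principals-command.sh,v 1.3 2016/09/26 21:34:38 bluhm Exp $
 # Placed in the Public Domain.
 
 tid="authorized principals command"
@@ -6,41 +6,56 @@ tid="authorized principals command"
 rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
-if test -z "$SUDO" ; then
+if [ -z "$SUDO" -a ! -w /var/run ]; then
 echo "skipped (SUDO not set)"
 echo "need SUDO to create file in /var/run, test won't work without"
 exit 0
 fi
 
+SERIAL=$$
+
+# Create a CA key and a user certificate.
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
+fatal "ssh-keygen of user_ca_key failed"
+${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/cert_user_key || \
+fatal "ssh-keygen of cert_user_key failed"
+${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \
+-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
+fatal "couldn't sign cert_user_key"
+
+CERT_BODY=`cat $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
+CA_BODY=`cat $OBJ/user_ca_key.pub | awk '{ print $2 }'`
+CERT_FP=`${SSHKEYGEN} -lf $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
+CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'`
+
 # Establish a AuthorizedPrincipalsCommand in /var/run where it will have
 # acceptable directory permissions.
-PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
-cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
+PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
+cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
 #!/bin/sh
 test "x\$1" != "x${LOGNAME}" && exit 1
+test "x\$2" != "xssh-rsa-cert-v01@openssh.com" && exit 1
+test "x\$3" != "xssh-ed25519" && exit 1
+test "x\$4" != "xJoanne User" && exit 1
+test "x\$5" != "x${SERIAL}" && exit 1
+test "x\$6" != "x${CA_FP}" && exit 1
+test "x\$7" != "x${CERT_FP}" && exit 1
+test "x\$8" != "x${CERT_BODY}" && exit 1
+test "x\$9" != "x${CA_BODY}" && exit 1
 test -f "$OBJ/authorized_principals_${LOGNAME}" &&
 exec cat "$OBJ/authorized_principals_${LOGNAME}"
 _EOF
 test $? -eq 0 || fatal "couldn't prepare principals command"
-$SUDO chmod 0755 "$PRINCIPALS_CMD"
+$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
 
-if ! $OBJ/check-perm -m keys-command $PRINCIPALS_CMD ; then
-echo "skipping: $PRINCIPALS_CMD is unsuitable as " \
+if ! $OBJ/check-perm -m keys-command $PRINCIPALS_COMMAND ; then
+echo "skipping: $PRINCIPALS_COMMAND is unsuitable as " \
 "AuthorizedPrincipalsCommand"
-$SUDO rm -f $PRINCIPALS_CMD
+$SUDO rm -f $PRINCIPALS_COMMAND
 exit 0
 fi
 
-# Create a CA key and a user certificate.
-${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
-fatal "ssh-keygen of user_ca_key failed"
-${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \
-fatal "ssh-keygen of cert_user_key failed"
-${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
--z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
-fatal "couldn't sign cert_user_key"
-
-if [ -x $PRINCIPALS_CMD ]; then
+if [ -x $PRINCIPALS_COMMAND ]; then
 # Test explicitly-specified principals
 for privsep in yes no ; do
 _prefix="privsep $privsep"
@@ -51,7 +66,8 @@ if [ -x $PRINCIPALS_CMD ]; then
 cat $OBJ/sshd_proxy_bak
 echo "UsePrivilegeSeparation $privsep"
 echo "AuthorizedKeysFile none"
-echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
+echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
+"%u %t %T %i %s %F %f %k %K"
 echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
 ) > $OBJ/sshd_proxy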
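Review bot: The generated principals command now rejects on nine positional checks (`test "x\$2" != "xssh-rsa-cert-v01@openssh.com"` through `test "x\$9" != "x${CA_BODY}"`) but nothing in the heredoc says which sshd token each argument mirrors, so a reader has to cross-reference the `%u %t %T %i %s %F %f %k %K` line in the last hunk. A one-line comment inside the heredoc, `# \$1..\$9 are sshd's %u %t %T %i %s %F %f %k %K expansions, in that order` (backslashes needed because the heredoc is unexpanded-delimiter-free and would otherwise substitute the outer script's positionals), would make the mapping self-documenting. The `\$6`/`\$7` checks compare against whatever hash `${SSHKEYGEN} -lf` emits by default, so they presumably assume sshd_proxy_bak leaves FingerprintHash at its default; worth confirming. Separately, `[ -z "$SUDO" -a ! -w /var/run ]` is the obsolescent multi-argument `test` form whose result POSIX leaves unspecified beyond four operands; `[ -z "$SUDO" ] && [ ! -w /var/run ]` is unambiguous.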