2 files changed, 142 insertions, 2 deletions
diff --git a/regress/Makefile b/regress/Makefile
index 68df9b391..0ea179579 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.80 2015/04/23 05:01:19 dtucker Exp $
+#       $OpenBSD: Makefile,v 1.81 2015/05/21 06:44:25 djm Exp $
 REGRESS_TARGETS=        unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
 tests:          prep $(REGRESS_TARGETS)
@@ -73,7 +73,8 @@ LTESTS= 	connect \
                limit-keytype \
                hostkey-agent \
                keygen-knownhosts \
-                hostkey-rotate
+                hostkey-rotate \
+                principals-command
 #               dhgex \
diff --git a/regress/principals-command.sh b/regress/principals-command.sh
new file mode 100644
index 000000000..c3816e081
--- /dev/null
+++ b/regress/principals-command.sh
@@ -0,0 +1,139 @@
+#       $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $
+#       Placed in the Public Domain.
+tid="authorized principals command"
+rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+if [ -z "$SUDO" ]; then
+        fatal "need SUDO to create file in /var/run, test won't work without"
+fi
+# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
+# acceptable directory permissions.
+PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
+cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
+#!/bin/sh
+test "x\$1" != "x${LOGNAME}" && exit 1
+test -f "$OBJ/authorized_principals_${LOGNAME}" &&
+        exec cat "$OBJ/authorized_principals_${LOGNAME}"
+_EOF
+test $? -eq 0 || fatal "couldn't prepare principals command"
+$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
+# Create a CA key and a user certificate.
+${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key || \
+        fatal "ssh-keygen of user_ca_key failed"
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \
+        fatal "ssh-keygen of cert_user_key failed"
+${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+    -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
+        fatal "couldn't sign cert_user_key"
+# Test explicitly-specified principals
+for privsep in yes no ; do
+        _prefix="privsep $privsep"
+        # Setup for AuthorizedPrincipalsCommand
+        rm -f $OBJ/authorized_keys_$USER
+        (
+                cat $OBJ/sshd_proxy_bak
+                echo "UsePrivilegeSeparation $privsep"
+                echo "AuthorizedKeysFile none"
+                echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
+                echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
+                echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+        ) > $OBJ/sshd_proxy
+        # XXX test missing command
+        # XXX test failing command
+        # Empty authorized_principals
+        verbose "$tid: ${_prefix} empty authorized_principals"
+        echo > $OBJ/authorized_principals_$USER
+        ${SSH} -2i $OBJ/cert_user_key \
+            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+        if [ $? -eq 0 ]; then
+                fail "ssh cert connect succeeded unexpectedly"
+        fi
+        # Wrong authorized_principals
+        verbose "$tid: ${_prefix} wrong authorized_principals"
+        echo gregorsamsa > $OBJ/authorized_principals_$USER
+        ${SSH} -2i $OBJ/cert_user_key \
+            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+        if [ $? -eq 0 ]; then
+                fail "ssh cert connect succeeded unexpectedly"
+        fi
+        # Correct authorized_principals
+        verbose "$tid: ${_prefix} correct authorized_principals"
+        echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+        ${SSH} -2i $OBJ/cert_user_key \
+            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+        if [ $? -ne 0 ]; then
+                fail "ssh cert connect failed"
+        fi
+        # authorized_principals with bad key option
+        verbose "$tid: ${_prefix} authorized_principals bad key opt"
+        echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+        ${SSH} -2i $OBJ/cert_user_key \
+            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+        if [ $? -eq 0 ]; then
+                fail "ssh cert connect succeeded unexpectedly"
+        fi
+        # authorized_principals with command=false
+        verbose "$tid: ${_prefix} authorized_principals command=false"
+        echo 'command="false" mekmitasdigoat' > \
+            $OBJ/authorized_principals_$USER
+        ${SSH} -2i $OBJ/cert_user_key \
+            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+        if [ $? -eq 0 ]; then
+                fail "ssh cert connect succeeded unexpectedly"
+        fi
+        # authorized_principals with command=true
+        verbose "$tid: ${_prefix} authorized_principals command=true"
+        echo 'command="true" mekmitasdigoat' > \
+            $OBJ/authorized_principals_$USER
+        ${SSH} -2i $OBJ/cert_user_key \
+            -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+        if [ $? -ne 0 ]; then
+                fail "ssh cert connect failed"
+        fi
+        # Setup for principals= key option
+        rm -f $OBJ/authorized_principals_$USER
+        (
+                cat $OBJ/sshd_proxy_bak
+                echo "UsePrivilegeSeparation $privsep"
+        ) > $OBJ/sshd_proxy
+        # Wrong principals list
+        verbose "$tid: ${_prefix} wrong principals key option"
+        (
+                printf 'cert-authority,principals="gregorsamsa" '
+                cat $OBJ/user_ca_key.pub
+        ) > $OBJ/authorized_keys_$USER
+        ${SSH} -2i $OBJ/cert_user_key \
+            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+        if [ $? -eq 0 ]; then
+                fail "ssh cert connect succeeded unexpectedly"
+        fi
+        # Correct principals list
+        verbose "$tid: ${_prefix} correct principals key option"
+        (
+                printf 'cert-authority,principals="mekmitasdigoat" '
+                cat $OBJ/user_ca_key.pub
+        ) > $OBJ/authorized_keys_$USER
+        ${SSH} -2i $OBJ/cert_user_key \
+            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+        if [ $? -ne 0 ]; then
+                fail "ssh cert connect failed"
+        fi
+done

diff --git a/regress/Makefile b/regress/Makefile index 68df9b391..0ea179579 100644 --- a/regress/Makefile +++ b/regress/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.80 2015/04/23 05:01:19 dtucker Exp $	1	# $OpenBSD: Makefile,v 1.81 2015/05/21 06:44:25 djm Exp $
2		2
3	REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec	3	REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
4	tests: prep $(REGRESS_TARGETS)	4	tests: prep $(REGRESS_TARGETS)
@@ -73,7 +73,8 @@ LTESTS= connect \
73	limit-keytype \	73	limit-keytype \
74	hostkey-agent \	74	hostkey-agent \
75	keygen-knownhosts \	75	keygen-knownhosts \
76	hostkey-rotate	76	hostkey-rotate \
		77	principals-command
77		78
78		79
79	# dhgex \	80	# dhgex \


diff --git a/regress/principals-command.sh b/regress/principals-command.sh new file mode 100644 index 000000000..c3816e081 --- /dev/null +++ b/regress/principals-command.sh
@@ -0,0 +1,139 @@
		1	# $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $
		2	# Placed in the Public Domain.
		3
		4	tid="authorized principals command"
		5
		6	rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
		7	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
		8
		9	if [ -z "$SUDO" ]; then
		10	fatal "need SUDO to create file in /var/run, test won't work without"
		11	fi
		12
		13	# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
		14	# acceptable directory permissions.
		15	PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
		16	cat << _EOF \| $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
		17	#!/bin/sh
		18	test "x\$1" != "x${LOGNAME}" && exit 1
		19	test -f "$OBJ/authorized_principals_${LOGNAME}" &&
		20	exec cat "$OBJ/authorized_principals_${LOGNAME}"
		21	_EOF
		22	test $? -eq 0 \|\| fatal "couldn't prepare principals command"
		23	$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
		24
		25	# Create a CA key and a user certificate.
		26	${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \|\| \
		27	fatal "ssh-keygen of user_ca_key failed"
		28	${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key \|\| \
		29	fatal "ssh-keygen of cert_user_key failed"
		30	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
		31	-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key \|\| \
		32	fatal "couldn't sign cert_user_key"
		33
		34	# Test explicitly-specified principals
		35	for privsep in yes no ; do
		36	_prefix="privsep $privsep"
		37
		38	# Setup for AuthorizedPrincipalsCommand
		39	rm -f $OBJ/authorized_keys_$USER
		40	(
		41	cat $OBJ/sshd_proxy_bak
		42	echo "UsePrivilegeSeparation $privsep"
		43	echo "AuthorizedKeysFile none"
		44	echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
		45	echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
		46	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
		47	) > $OBJ/sshd_proxy
		48
		49	# XXX test missing command
		50	# XXX test failing command
		51
		52	# Empty authorized_principals
		53	verbose "$tid: ${_prefix} empty authorized_principals"
		54	echo > $OBJ/authorized_principals_$USER
		55	${SSH} -2i $OBJ/cert_user_key \
		56	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		57	if [ $? -eq 0 ]; then
		58	fail "ssh cert connect succeeded unexpectedly"
		59	fi
		60
		61	# Wrong authorized_principals
		62	verbose "$tid: ${_prefix} wrong authorized_principals"
		63	echo gregorsamsa > $OBJ/authorized_principals_$USER
		64	${SSH} -2i $OBJ/cert_user_key \
		65	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		66	if [ $? -eq 0 ]; then
		67	fail "ssh cert connect succeeded unexpectedly"
		68	fi
		69
		70	# Correct authorized_principals
		71	verbose "$tid: ${_prefix} correct authorized_principals"
		72	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
		73	${SSH} -2i $OBJ/cert_user_key \
		74	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		75	if [ $? -ne 0 ]; then
		76	fail "ssh cert connect failed"
		77	fi
		78
		79	# authorized_principals with bad key option
		80	verbose "$tid: ${_prefix} authorized_principals bad key opt"
		81	echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
		82	${SSH} -2i $OBJ/cert_user_key \
		83	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		84	if [ $? -eq 0 ]; then
		85	fail "ssh cert connect succeeded unexpectedly"
		86	fi
		87
		88	# authorized_principals with command=false
		89	verbose "$tid: ${_prefix} authorized_principals command=false"
		90	echo 'command="false" mekmitasdigoat' > \
		91	$OBJ/authorized_principals_$USER
		92	${SSH} -2i $OBJ/cert_user_key \
		93	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		94	if [ $? -eq 0 ]; then
		95	fail "ssh cert connect succeeded unexpectedly"
		96	fi
		97
		98
		99	# authorized_principals with command=true
		100	verbose "$tid: ${_prefix} authorized_principals command=true"
		101	echo 'command="true" mekmitasdigoat' > \
		102	$OBJ/authorized_principals_$USER
		103	${SSH} -2i $OBJ/cert_user_key \
		104	-F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
		105	if [ $? -ne 0 ]; then
		106	fail "ssh cert connect failed"
		107	fi
		108
		109	# Setup for principals= key option
		110	rm -f $OBJ/authorized_principals_$USER
		111	(
		112	cat $OBJ/sshd_proxy_bak
		113	echo "UsePrivilegeSeparation $privsep"
		114	) > $OBJ/sshd_proxy
		115
		116	# Wrong principals list
		117	verbose "$tid: ${_prefix} wrong principals key option"
		118	(
		119	printf 'cert-authority,principals="gregorsamsa" '
		120	cat $OBJ/user_ca_key.pub
		121	) > $OBJ/authorized_keys_$USER
		122	${SSH} -2i $OBJ/cert_user_key \
		123	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		124	if [ $? -eq 0 ]; then
		125	fail "ssh cert connect succeeded unexpectedly"
		126	fi
		127
		128	# Correct principals list
		129	verbose "$tid: ${_prefix} correct principals key option"
		130	(
		131	printf 'cert-authority,principals="mekmitasdigoat" '
		132	cat $OBJ/user_ca_key.pub
		133	) > $OBJ/authorized_keys_$USER
		134	${SSH} -2i $OBJ/cert_user_key \
		135	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		136	if [ $? -ne 0 ]; then
		137	fail "ssh cert connect failed"
		138	fi
		139	done