1 files changed, 257 insertions, 0 deletions
diff --git a/debian/patches/backport-regress-principals-command-noexec.patch b/debian/patches/backport-regress-principals-command-noexec.patch
new file mode 100644
index 000000000..5d5f2d16e
--- /dev/null
+++ b/debian/patches/backport-regress-principals-command-noexec.patch
@@ -0,0 +1,257 @@
+From 4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Mon, 10 Aug 2015 11:13:44 +1000
+Subject: let principals-command.sh work for noexec /var/run
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=55b263fb7cfeacb81aaf1c2036e0394c881637da
+Forwarded: not-needed
+Last-Update: 2015-08-20
+Patch-Name: backport-regress-principals-command-noexec.patch
+---
+ regress/principals-command.sh | 222 +++++++++++++++++++++---------------------
+ 1 file changed, 113 insertions(+), 109 deletions(-)
+diff --git a/regress/principals-command.sh b/regress/principals-command.sh
+index 9006437..b90a8cf 100644
+--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
+@@ -14,15 +14,15 @@ fi
+ 
+ # Establish a AuthorizedPrincipalsCommand in /var/run where it will have
+ # acceptable directory permissions.
+-PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
+-cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
+PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
+cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
+ #!/bin/sh
+ test "x\$1" != "x${LOGNAME}" && exit 1
+ test -f "$OBJ/authorized_principals_${LOGNAME}" &&
+        exec cat "$OBJ/authorized_principals_${LOGNAME}"
+ _EOF
+ test $? -eq 0 || fatal "couldn't prepare principals command"
+-$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
+$SUDO chmod 0755 "$PRINCIPALS_CMD"
+ 
+ # Create a CA key and a user certificate.
+ ${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key || \
+@@ -33,109 +33,113 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+     -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
+        fatal "couldn't sign cert_user_key"
+ 
+-# Test explicitly-specified principals
+-for privsep in yes no ; do
+-       _prefix="privsep $privsep"
+-
+-       # Setup for AuthorizedPrincipalsCommand
+-       rm -f $OBJ/authorized_keys_$USER
+-       (
+-               cat $OBJ/sshd_proxy_bak
+-               echo "UsePrivilegeSeparation $privsep"
+-               echo "AuthorizedKeysFile none"
+-               echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
+-               echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
+-               echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+-       ) > $OBJ/sshd_proxy
+-
+-       # XXX test missing command
+-       # XXX test failing command
+-
+-       # Empty authorized_principals
+-       verbose "$tid: ${_prefix} empty authorized_principals"
+-       echo > $OBJ/authorized_principals_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -eq 0 ]; then
+-               fail "ssh cert connect succeeded unexpectedly"
+-       fi
+-
+-       # Wrong authorized_principals
+-       verbose "$tid: ${_prefix} wrong authorized_principals"
+-       echo gregorsamsa > $OBJ/authorized_principals_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -eq 0 ]; then
+-               fail "ssh cert connect succeeded unexpectedly"
+-       fi
+-
+-       # Correct authorized_principals
+-       verbose "$tid: ${_prefix} correct authorized_principals"
+-       echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -ne 0 ]; then
+-               fail "ssh cert connect failed"
+-       fi
+-
+-       # authorized_principals with bad key option
+-       verbose "$tid: ${_prefix} authorized_principals bad key opt"
+-       echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -eq 0 ]; then
+-               fail "ssh cert connect succeeded unexpectedly"
+-       fi
+-
+-       # authorized_principals with command=false
+-       verbose "$tid: ${_prefix} authorized_principals command=false"
+-       echo 'command="false" mekmitasdigoat' > \
+-           $OBJ/authorized_principals_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -eq 0 ]; then
+-               fail "ssh cert connect succeeded unexpectedly"
+-       fi
+-
+-
+-       # authorized_principals with command=true
+-       verbose "$tid: ${_prefix} authorized_principals command=true"
+-       echo 'command="true" mekmitasdigoat' > \
+-           $OBJ/authorized_principals_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+-       if [ $? -ne 0 ]; then
+-               fail "ssh cert connect failed"
+-       fi
+-
+-       # Setup for principals= key option
+-       rm -f $OBJ/authorized_principals_$USER
+-       (
+-               cat $OBJ/sshd_proxy_bak
+-               echo "UsePrivilegeSeparation $privsep"
+-       ) > $OBJ/sshd_proxy
+-
+-       # Wrong principals list
+-       verbose "$tid: ${_prefix} wrong principals key option"
+-       (
+-               printf 'cert-authority,principals="gregorsamsa" '
+-               cat $OBJ/user_ca_key.pub
+-       ) > $OBJ/authorized_keys_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -eq 0 ]; then
+-               fail "ssh cert connect succeeded unexpectedly"
+-       fi
+-
+-       # Correct principals list
+-       verbose "$tid: ${_prefix} correct principals key option"
+-       (
+-               printf 'cert-authority,principals="mekmitasdigoat" '
+-               cat $OBJ/user_ca_key.pub
+-       ) > $OBJ/authorized_keys_$USER
+-       ${SSH} -2i $OBJ/cert_user_key \
+-           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+-       if [ $? -ne 0 ]; then
+-               fail "ssh cert connect failed"
+-       fi
+-done
+if [ -x $PRINCIPALS_CMD ]; then
+       # Test explicitly-specified principals
+       for privsep in yes no ; do
+               _prefix="privsep $privsep"
+
+               # Setup for AuthorizedPrincipalsCommand
+               rm -f $OBJ/authorized_keys_$USER
+               (
+                       cat $OBJ/sshd_proxy_bak
+                       echo "UsePrivilegeSeparation $privsep"
+                       echo "AuthorizedKeysFile none"
+                       echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
+                       echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
+                       echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+               ) > $OBJ/sshd_proxy
+
+               # XXX test missing command
+               # XXX test failing command
+
+               # Empty authorized_principals
+               verbose "$tid: ${_prefix} empty authorized_principals"
+               echo > $OBJ/authorized_principals_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -eq 0 ]; then
+                       fail "ssh cert connect succeeded unexpectedly"
+               fi
+
+               # Wrong authorized_principals
+               verbose "$tid: ${_prefix} wrong authorized_principals"
+               echo gregorsamsa > $OBJ/authorized_principals_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -eq 0 ]; then
+                       fail "ssh cert connect succeeded unexpectedly"
+               fi
+
+               # Correct authorized_principals
+               verbose "$tid: ${_prefix} correct authorized_principals"
+               echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -ne 0 ]; then
+                       fail "ssh cert connect failed"
+               fi
+
+               # authorized_principals with bad key option
+               verbose "$tid: ${_prefix} authorized_principals bad key opt"
+               echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -eq 0 ]; then
+                       fail "ssh cert connect succeeded unexpectedly"
+               fi
+
+               # authorized_principals with command=false
+               verbose "$tid: ${_prefix} authorized_principals command=false"
+               echo 'command="false" mekmitasdigoat' > \
+                   $OBJ/authorized_principals_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -eq 0 ]; then
+                       fail "ssh cert connect succeeded unexpectedly"
+               fi
+
+               # authorized_principals with command=true
+               verbose "$tid: ${_prefix} authorized_principals command=true"
+               echo 'command="true" mekmitasdigoat' > \
+                   $OBJ/authorized_principals_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+               if [ $? -ne 0 ]; then
+                       fail "ssh cert connect failed"
+               fi
+
+               # Setup for principals= key option
+               rm -f $OBJ/authorized_principals_$USER
+               (
+                       cat $OBJ/sshd_proxy_bak
+                       echo "UsePrivilegeSeparation $privsep"
+               ) > $OBJ/sshd_proxy
+
+               # Wrong principals list
+               verbose "$tid: ${_prefix} wrong principals key option"
+               (
+                       printf 'cert-authority,principals="gregorsamsa" '
+                       cat $OBJ/user_ca_key.pub
+               ) > $OBJ/authorized_keys_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -eq 0 ]; then
+                       fail "ssh cert connect succeeded unexpectedly"
+               fi
+
+               # Correct principals list
+               verbose "$tid: ${_prefix} correct principals key option"
+               (
+                       printf 'cert-authority,principals="mekmitasdigoat" '
+                       cat $OBJ/user_ca_key.pub
+               ) > $OBJ/authorized_keys_$USER
+               ${SSH} -2i $OBJ/cert_user_key \
+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+               if [ $? -ne 0 ]; then
+                       fail "ssh cert connect failed"
+               fi
+       done
+else
+       echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
+           "(/var/run mounted noexec?)"
+fi

diff --git a/debian/patches/backport-regress-principals-command-noexec.patch b/debian/patches/backport-regress-principals-command-noexec.patch new file mode 100644 index 000000000..5d5f2d16e --- /dev/null +++ b/debian/patches/backport-regress-principals-command-noexec.patch
@@ -0,0 +1,257 @@
	1	From 4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec Mon Sep 17 00:00:00 2001
	2	From: Damien Miller <djm@mindrot.org>
	3	Date: Mon, 10 Aug 2015 11:13:44 +1000
	4	Subject: let principals-command.sh work for noexec /var/run
	5
	6	Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=55b263fb7cfeacb81aaf1c2036e0394c881637da
	7	Forwarded: not-needed
	8	Last-Update: 2015-08-20
	9
	10	Patch-Name: backport-regress-principals-command-noexec.patch
	11	---
	12	regress/principals-command.sh \| 222 +++++++++++++++++++++---------------------
	13	1 file changed, 113 insertions(+), 109 deletions(-)
	14
	15	diff --git a/regress/principals-command.sh b/regress/principals-command.sh
	16	index 9006437..b90a8cf 100644
	17	--- a/regress/principals-command.sh
	18	+++ b/regress/principals-command.sh
	19	@@ -14,15 +14,15 @@ fi
	20
	21	# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
	22	# acceptable directory permissions.
	23	-PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
	24	-cat << _EOF \| $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
	25	+PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
	26	+cat << _EOF \| $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
	27	#!/bin/sh
	28	test "x\$1" != "x${LOGNAME}" && exit 1
	29	test -f "$OBJ/authorized_principals_${LOGNAME}" &&
	30	exec cat "$OBJ/authorized_principals_${LOGNAME}"
	31	_EOF
	32	test $? -eq 0 \|\| fatal "couldn't prepare principals command"
	33	-$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
	34	+$SUDO chmod 0755 "$PRINCIPALS_CMD"
	35
	36	# Create a CA key and a user certificate.
	37	${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \|\| \
	38	@@ -33,109 +33,113 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
	39	-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key \|\| \
	40	fatal "couldn't sign cert_user_key"
	41
	42	-# Test explicitly-specified principals
	43	-for privsep in yes no ; do
	44	- _prefix="privsep $privsep"
	45	-
	46	- # Setup for AuthorizedPrincipalsCommand
	47	- rm -f $OBJ/authorized_keys_$USER
	48	- (
	49	- cat $OBJ/sshd_proxy_bak
	50	- echo "UsePrivilegeSeparation $privsep"
	51	- echo "AuthorizedKeysFile none"
	52	- echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
	53	- echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
	54	- echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
	55	- ) > $OBJ/sshd_proxy
	56	-
	57	- # XXX test missing command
	58	- # XXX test failing command
	59	-
	60	- # Empty authorized_principals
	61	- verbose "$tid: ${_prefix} empty authorized_principals"
	62	- echo > $OBJ/authorized_principals_$USER
	63	- ${SSH} -2i $OBJ/cert_user_key \
	64	- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	65	- if [ $? -eq 0 ]; then
	66	- fail "ssh cert connect succeeded unexpectedly"
	67	- fi
	68	-
	69	- # Wrong authorized_principals
	70	- verbose "$tid: ${_prefix} wrong authorized_principals"
	71	- echo gregorsamsa > $OBJ/authorized_principals_$USER
	72	- ${SSH} -2i $OBJ/cert_user_key \
	73	- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	74	- if [ $? -eq 0 ]; then
	75	- fail "ssh cert connect succeeded unexpectedly"
	76	- fi
	77	-
	78	- # Correct authorized_principals
	79	- verbose "$tid: ${_prefix} correct authorized_principals"
	80	- echo mekmitasdigoat > $OBJ/authorized_principals_$USER
	81	- ${SSH} -2i $OBJ/cert_user_key \
	82	- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	83	- if [ $? -ne 0 ]; then
	84	- fail "ssh cert connect failed"
	85	- fi
	86	-
	87	- # authorized_principals with bad key option
	88	- verbose "$tid: ${_prefix} authorized_principals bad key opt"
	89	- echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
	90	- ${SSH} -2i $OBJ/cert_user_key \
	91	- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	92	- if [ $? -eq 0 ]; then
	93	- fail "ssh cert connect succeeded unexpectedly"
	94	- fi
	95	-
	96	- # authorized_principals with command=false
	97	- verbose "$tid: ${_prefix} authorized_principals command=false"
	98	- echo 'command="false" mekmitasdigoat' > \
	99	- $OBJ/authorized_principals_$USER
	100	- ${SSH} -2i $OBJ/cert_user_key \
	101	- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	102	- if [ $? -eq 0 ]; then
	103	- fail "ssh cert connect succeeded unexpectedly"
	104	- fi
	105	-
	106	-
	107	- # authorized_principals with command=true
	108	- verbose "$tid: ${_prefix} authorized_principals command=true"
	109	- echo 'command="true" mekmitasdigoat' > \
	110	- $OBJ/authorized_principals_$USER
	111	- ${SSH} -2i $OBJ/cert_user_key \
	112	- -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
	113	- if [ $? -ne 0 ]; then
	114	- fail "ssh cert connect failed"
	115	- fi
	116	-
	117	- # Setup for principals= key option
	118	- rm -f $OBJ/authorized_principals_$USER
	119	- (
	120	- cat $OBJ/sshd_proxy_bak
	121	- echo "UsePrivilegeSeparation $privsep"
	122	- ) > $OBJ/sshd_proxy
	123	-
	124	- # Wrong principals list
	125	- verbose "$tid: ${_prefix} wrong principals key option"
	126	- (
	127	- printf 'cert-authority,principals="gregorsamsa" '
	128	- cat $OBJ/user_ca_key.pub
	129	- ) > $OBJ/authorized_keys_$USER
	130	- ${SSH} -2i $OBJ/cert_user_key \
	131	- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	132	- if [ $? -eq 0 ]; then
	133	- fail "ssh cert connect succeeded unexpectedly"
	134	- fi
	135	-
	136	- # Correct principals list
	137	- verbose "$tid: ${_prefix} correct principals key option"
	138	- (
	139	- printf 'cert-authority,principals="mekmitasdigoat" '
	140	- cat $OBJ/user_ca_key.pub
	141	- ) > $OBJ/authorized_keys_$USER
	142	- ${SSH} -2i $OBJ/cert_user_key \
	143	- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	144	- if [ $? -ne 0 ]; then
	145	- fail "ssh cert connect failed"
	146	- fi
	147	-done
	148	+if [ -x $PRINCIPALS_CMD ]; then
	149	+ # Test explicitly-specified principals
	150	+ for privsep in yes no ; do
	151	+ _prefix="privsep $privsep"
	152	+
	153	+ # Setup for AuthorizedPrincipalsCommand
	154	+ rm -f $OBJ/authorized_keys_$USER
	155	+ (
	156	+ cat $OBJ/sshd_proxy_bak
	157	+ echo "UsePrivilegeSeparation $privsep"
	158	+ echo "AuthorizedKeysFile none"
	159	+ echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
	160	+ echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
	161	+ echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
	162	+ ) > $OBJ/sshd_proxy
	163	+
	164	+ # XXX test missing command
	165	+ # XXX test failing command
	166	+
	167	+ # Empty authorized_principals
	168	+ verbose "$tid: ${_prefix} empty authorized_principals"
	169	+ echo > $OBJ/authorized_principals_$USER
	170	+ ${SSH} -2i $OBJ/cert_user_key \
	171	+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	172	+ if [ $? -eq 0 ]; then
	173	+ fail "ssh cert connect succeeded unexpectedly"
	174	+ fi
	175	+
	176	+ # Wrong authorized_principals
	177	+ verbose "$tid: ${_prefix} wrong authorized_principals"
	178	+ echo gregorsamsa > $OBJ/authorized_principals_$USER
	179	+ ${SSH} -2i $OBJ/cert_user_key \
	180	+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	181	+ if [ $? -eq 0 ]; then
	182	+ fail "ssh cert connect succeeded unexpectedly"
	183	+ fi
	184	+
	185	+ # Correct authorized_principals
	186	+ verbose "$tid: ${_prefix} correct authorized_principals"
	187	+ echo mekmitasdigoat > $OBJ/authorized_principals_$USER
	188	+ ${SSH} -2i $OBJ/cert_user_key \
	189	+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	190	+ if [ $? -ne 0 ]; then
	191	+ fail "ssh cert connect failed"
	192	+ fi
	193	+
	194	+ # authorized_principals with bad key option
	195	+ verbose "$tid: ${_prefix} authorized_principals bad key opt"
	196	+ echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
	197	+ ${SSH} -2i $OBJ/cert_user_key \
	198	+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	199	+ if [ $? -eq 0 ]; then
	200	+ fail "ssh cert connect succeeded unexpectedly"
	201	+ fi
	202	+
	203	+ # authorized_principals with command=false
	204	+ verbose "$tid: ${_prefix} authorized_principals command=false"
	205	+ echo 'command="false" mekmitasdigoat' > \
	206	+ $OBJ/authorized_principals_$USER
	207	+ ${SSH} -2i $OBJ/cert_user_key \
	208	+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	209	+ if [ $? -eq 0 ]; then
	210	+ fail "ssh cert connect succeeded unexpectedly"
	211	+ fi
	212	+
	213	+ # authorized_principals with command=true
	214	+ verbose "$tid: ${_prefix} authorized_principals command=true"
	215	+ echo 'command="true" mekmitasdigoat' > \
	216	+ $OBJ/authorized_principals_$USER
	217	+ ${SSH} -2i $OBJ/cert_user_key \
	218	+ -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
	219	+ if [ $? -ne 0 ]; then
	220	+ fail "ssh cert connect failed"
	221	+ fi
	222	+
	223	+ # Setup for principals= key option
	224	+ rm -f $OBJ/authorized_principals_$USER
	225	+ (
	226	+ cat $OBJ/sshd_proxy_bak
	227	+ echo "UsePrivilegeSeparation $privsep"
	228	+ ) > $OBJ/sshd_proxy
	229	+
	230	+ # Wrong principals list
	231	+ verbose "$tid: ${_prefix} wrong principals key option"
	232	+ (
	233	+ printf 'cert-authority,principals="gregorsamsa" '
	234	+ cat $OBJ/user_ca_key.pub
	235	+ ) > $OBJ/authorized_keys_$USER
	236	+ ${SSH} -2i $OBJ/cert_user_key \
	237	+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	238	+ if [ $? -eq 0 ]; then
	239	+ fail "ssh cert connect succeeded unexpectedly"
	240	+ fi
	241	+
	242	+ # Correct principals list
	243	+ verbose "$tid: ${_prefix} correct principals key option"
	244	+ (
	245	+ printf 'cert-authority,principals="mekmitasdigoat" '
	246	+ cat $OBJ/user_ca_key.pub
	247	+ ) > $OBJ/authorized_keys_$USER
	248	+ ${SSH} -2i $OBJ/cert_user_key \
	249	+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	250	+ if [ $? -ne 0 ]; then
	251	+ fail "ssh cert connect failed"
	252	+ fi
	253	+ done
	254	+else
	255	+ echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
	256	+ "(/var/run mounted noexec?)"
	257	+fi