summaryrefslogtreecommitdiff
path: root/regress/cert-userkey.sh
diff options
context:
space:
mode:
Diffstat (limited to 'regress/cert-userkey.sh')
-rw-r--r--regress/cert-userkey.sh221
1 files changed, 185 insertions, 36 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 7a58e7b75..a41a9a9c0 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $ 1# $OpenBSD: cert-userkey.sh,v 1.6 2010/06/29 23:59:54 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified user keys" 4tid="certified user keys"
@@ -18,8 +18,128 @@ for ktype in rsa dsa ; do
18 fail "ssh-keygen of cert_user_key_${ktype} failed" 18 fail "ssh-keygen of cert_user_key_${ktype} failed"
19 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \ 19 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
20 "regress user key for $USER" \ 20 "regress user key for $USER" \
21 -n $USER $OBJ/cert_user_key_${ktype} || 21 -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
22 fail "couldn't sign cert_user_key_${ktype}" 22 fail "couldn't sign cert_user_key_${ktype}"
23 cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
24 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
25 ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
26 "regress user key for $USER" \
27 -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
28 fail "couldn't sign cert_user_key_${ktype}_v00"
29done
30
31# Test explicitly-specified principals
32for ktype in rsa dsa rsa_v00 dsa_v00 ; do
33 for privsep in yes no ; do
34 _prefix="${ktype} privsep $privsep"
35
36 # Setup for AuthorizedPrincipalsFile
37 rm -f $OBJ/authorized_keys_$USER
38 (
39 cat $OBJ/sshd_proxy_bak
40 echo "UsePrivilegeSeparation $privsep"
41 echo "AuthorizedPrincipalsFile " \
42 "$OBJ/authorized_principals_%u"
43 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
44 ) > $OBJ/sshd_proxy
45
46 # Missing authorized_principals
47 verbose "$tid: ${_prefix} missing authorized_principals"
48 rm -f $OBJ/authorized_principals_$USER
49 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
50 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
51 if [ $? -eq 0 ]; then
52 fail "ssh cert connect succeeded unexpectedly"
53 fi
54
55 # Empty authorized_principals
56 verbose "$tid: ${_prefix} empty authorized_principals"
57 echo > $OBJ/authorized_principals_$USER
58 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
59 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
60 if [ $? -eq 0 ]; then
61 fail "ssh cert connect succeeded unexpectedly"
62 fi
63
64 # Wrong authorized_principals
65 verbose "$tid: ${_prefix} wrong authorized_principals"
66 echo gregorsamsa > $OBJ/authorized_principals_$USER
67 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
68 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
69 if [ $? -eq 0 ]; then
70 fail "ssh cert connect succeeded unexpectedly"
71 fi
72
73 # Correct authorized_principals
74 verbose "$tid: ${_prefix} correct authorized_principals"
75 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
76 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
77 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
78 if [ $? -ne 0 ]; then
79 fail "ssh cert connect failed"
80 fi
81
82 # authorized_principals with bad key option
83 verbose "$tid: ${_prefix} authorized_principals bad key opt"
84 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
85 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
86 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
87 if [ $? -eq 0 ]; then
88 fail "ssh cert connect succeeded unexpectedly"
89 fi
90
91 # authorized_principals with command=false
92 verbose "$tid: ${_prefix} authorized_principals command=false"
93 echo 'command="false" mekmitasdigoat' > \
94 $OBJ/authorized_principals_$USER
95 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
96 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
97 if [ $? -eq 0 ]; then
98 fail "ssh cert connect succeeded unexpectedly"
99 fi
100
101
102 # authorized_principals with command=true
103 verbose "$tid: ${_prefix} authorized_principals command=true"
104 echo 'command="true" mekmitasdigoat' > \
105 $OBJ/authorized_principals_$USER
106 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
107 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
108 if [ $? -ne 0 ]; then
109 fail "ssh cert connect failed"
110 fi
111
112 # Setup for principals= key option
113 rm -f $OBJ/authorized_principals_$USER
114 (
115 cat $OBJ/sshd_proxy_bak
116 echo "UsePrivilegeSeparation $privsep"
117 ) > $OBJ/sshd_proxy
118
119 # Wrong principals list
120 verbose "$tid: ${_prefix} wrong principals key option"
121 (
122 echon 'cert-authority,principals="gregorsamsa" '
123 cat $OBJ/user_ca_key.pub
124 ) > $OBJ/authorized_keys_$USER
125 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
126 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
127 if [ $? -eq 0 ]; then
128 fail "ssh cert connect succeeded unexpectedly"
129 fi
130
131 # Correct principals list
132 verbose "$tid: ${_prefix} correct principals key option"
133 (
134 echon 'cert-authority,principals="mekmitasdigoat" '
135 cat $OBJ/user_ca_key.pub
136 ) > $OBJ/authorized_keys_$USER
137 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
138 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
139 if [ $? -ne 0 ]; then
140 fail "ssh cert connect failed"
141 fi
142 done
23done 143done
24 144
25basic_tests() { 145basic_tests() {
@@ -35,7 +155,7 @@ basic_tests() {
35 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" 155 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
36 fi 156 fi
37 157
38 for ktype in rsa dsa ; do 158 for ktype in rsa dsa rsa_v00 dsa_v00 ; do
39 for privsep in yes no ; do 159 for privsep in yes no ; do
40 _prefix="${ktype} privsep $privsep $auth" 160 _prefix="${ktype} privsep $privsep $auth"
41 # Simple connect 161 # Simple connect
@@ -102,45 +222,50 @@ test_one() {
102 result=$2 222 result=$2
103 sign_opts=$3 223 sign_opts=$3
104 auth_choice=$4 224 auth_choice=$4
225 auth_opt=$5
105 226
106 if test "x$auth_choice" = "x" ; then 227 if test "x$auth_choice" = "x" ; then
107 auth_choice="authorized_keys TrustedUserCAKeys" 228 auth_choice="authorized_keys TrustedUserCAKeys"
108 fi 229 fi
109 230
110 for auth in $auth_choice ; do 231 for auth in $auth_choice ; do
111 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy 232 for ktype in rsa rsa_v00 ; do
112 if test "x$auth" = "xauthorized_keys" ; then 233 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
113 # Add CA to authorized_keys 234 if test "x$auth" = "xauthorized_keys" ; then
114 ( 235 # Add CA to authorized_keys
115 echon 'cert-authority ' 236 (
116 cat $OBJ/user_ca_key.pub 237 echon "cert-authority${auth_opt} "
117 ) > $OBJ/authorized_keys_$USER 238 cat $OBJ/user_ca_key.pub
118 else 239 ) > $OBJ/authorized_keys_$USER
119 echo > $OBJ/authorized_keys_$USER 240 else
120 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \ 241 echo > $OBJ/authorized_keys_$USER
121 $OBJ/sshd_proxy 242 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
122 243 >> $OBJ/sshd_proxy
123 fi 244 if test "x$auth_opt" != "x" ; then
124 245 echo $auth_opt >> $OBJ/sshd_proxy
125 verbose "$tid: $ident auth $auth expect $result" 246 fi
126 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
127 -I "regress user key for $USER" \
128 $sign_opts \
129 $OBJ/cert_user_key_rsa ||
130 fail "couldn't sign cert_user_key_rsa"
131
132 ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
133 somehost true >/dev/null 2>&1
134 rc=$?
135 if [ "x$result" = "xsuccess" ] ; then
136 if [ $rc -ne 0 ]; then
137 fail "$ident failed unexpectedly"
138 fi 247 fi
139 else 248
140 if [ $rc -eq 0 ]; then 249 verbose "$tid: $ident auth $auth expect $result $ktype"
141 fail "$ident succeeded unexpectedly" 250 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
251 -I "regress user key for $USER" \
252 $sign_opts \
253 $OBJ/cert_user_key_${ktype} ||
254 fail "couldn't sign cert_user_key_${ktype}"
255
256 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
257 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
258 rc=$?
259 if [ "x$result" = "xsuccess" ] ; then
260 if [ $rc -ne 0 ]; then
261 fail "$ident failed unexpectedly"
262 fi
263 else
264 if [ $rc -eq 0 ]; then
265 fail "$ident succeeded unexpectedly"
266 fi
142 fi 267 fi
143 fi 268 done
144 done 269 done
145} 270}
146 271
@@ -157,10 +282,33 @@ test_one "force-command" failure "-n ${USER} -Oforce-command=false"
157test_one "empty principals" success "" authorized_keys 282test_one "empty principals" success "" authorized_keys
158test_one "empty principals" failure "" TrustedUserCAKeys 283test_one "empty principals" failure "" TrustedUserCAKeys
159 284
285# Check explicitly-specified principals: an empty principals list in the cert
286# should always be refused.
287
288# AuthorizedPrincipalsFile
289rm -f $OBJ/authorized_keys_$USER
290echo mekmitasdigoat > $OBJ/authorized_principals_$USER
291test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
292 TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
293test_one "AuthorizedPrincipalsFile no principals" failure "" \
294 TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
295
296# principals= key option
297rm -f $OBJ/authorized_principals_$USER
298test_one "principals key option principals" success "-n mekmitasdigoat" \
299 authorized_keys ',principals="mekmitasdigoat"'
300test_one "principals key option no principals" failure "" \
301 authorized_keys ',principals="mekmitasdigoat"'
302
160# Wrong certificate 303# Wrong certificate
161for ktype in rsa dsa ; do 304cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
305for ktype in rsa dsa rsa_v00 dsa_v00 ; do
306 case $ktype in
307 *_v00) args="-t v00" ;;
308 *) args="" ;;
309 esac
162 # Self-sign 310 # Self-sign
163 ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ 311 ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
164 "regress user key for $USER" \ 312 "regress user key for $USER" \
165 -n $USER $OBJ/cert_user_key_${ktype} || 313 -n $USER $OBJ/cert_user_key_${ktype} ||
166 fail "couldn't sign cert_user_key_${ktype}" 314 fail "couldn't sign cert_user_key_${ktype}"
@@ -173,4 +321,5 @@ for ktype in rsa dsa ; do
173done 321done
174 322
175rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* 323rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
324rm -f $OBJ/authorized_principals_$USER
176 325