summaryrefslogtreecommitdiff
path: root/regress/cert-userkey.sh
diff options
context:
space:
mode:
Diffstat (limited to 'regress/cert-userkey.sh')
-rw-r--r--regress/cert-userkey.sh161
1 files changed, 117 insertions, 44 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 874915205..7a58e7b75 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-userkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $ 1# $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified user keys" 4tid="certified user keys"
@@ -6,13 +6,9 @@ tid="certified user keys"
6rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* 6rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8 8
9# Create a CA key and add it to authorized_keys 9# Create a CA key
10${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ 10${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
11 fail "ssh-keygen of user_ca_key failed" 11 fail "ssh-keygen of user_ca_key failed"
12(
13 echon 'cert-authority '
14 cat $OBJ/user_ca_key.pub
15) > $OBJ/authorized_keys_$USER
16 12
17# Generate and sign user keys 13# Generate and sign user keys
18for ktype in rsa dsa ; do 14for ktype in rsa dsa ; do
@@ -26,64 +22,140 @@ for ktype in rsa dsa ; do
26 fail "couldn't sign cert_user_key_${ktype}" 22 fail "couldn't sign cert_user_key_${ktype}"
27done 23done
28 24
29# Basic connect tests 25basic_tests() {
30for privsep in yes no ; do 26 auth=$1
27 if test "x$auth" = "xauthorized_keys" ; then
28 # Add CA to authorized_keys
29 (
30 echon 'cert-authority '
31 cat $OBJ/user_ca_key.pub
32 ) > $OBJ/authorized_keys_$USER
33 else
34 echo > $OBJ/authorized_keys_$USER
35 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
36 fi
37
31 for ktype in rsa dsa ; do 38 for ktype in rsa dsa ; do
32 verbose "$tid: user ${ktype} cert connect privsep $privsep" 39 for privsep in yes no ; do
40 _prefix="${ktype} privsep $privsep $auth"
41 # Simple connect
42 verbose "$tid: ${_prefix} connect"
43 (
44 cat $OBJ/sshd_proxy_bak
45 echo "UsePrivilegeSeparation $privsep"
46 echo "$extra_sshd"
47 ) > $OBJ/sshd_proxy
48
49 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
50 -F $OBJ/ssh_proxy somehost true
51 if [ $? -ne 0 ]; then
52 fail "ssh cert connect failed"
53 fi
54
55 # Revoked keys
56 verbose "$tid: ${_prefix} revoked key"
57 (
58 cat $OBJ/sshd_proxy_bak
59 echo "UsePrivilegeSeparation $privsep"
60 echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
61 echo "$extra_sshd"
62 ) > $OBJ/sshd_proxy
63 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
64 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
65 if [ $? -eq 0 ]; then
66 fail "ssh cert connect succeeded unexpecedly"
67 fi
68 done
69
70 # Revoked CA
71 verbose "$tid: ${ktype} $auth revoked CA key"
33 ( 72 (
34 cat $OBJ/sshd_proxy_bak 73 cat $OBJ/sshd_proxy_bak
35 echo "UsePrivilegeSeparation $privsep" 74 echo "RevokedKeys $OBJ/user_ca_key.pub"
75 echo "$extra_sshd"
36 ) > $OBJ/sshd_proxy 76 ) > $OBJ/sshd_proxy
37
38 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ 77 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
39 somehost true 78 somehost true >/dev/null 2>&1
40 if [ $? -ne 0 ]; then 79 if [ $? -eq 0 ]; then
41 fail "ssh cert connect failed" 80 fail "ssh cert connect succeeded unexpecedly"
42 fi 81 fi
43 done 82 done
44done 83
84 verbose "$tid: $auth CA does not authenticate"
85 (
86 cat $OBJ/sshd_proxy_bak
87 echo "$extra_sshd"
88 ) > $OBJ/sshd_proxy
89 verbose "$tid: ensure CA key does not authenticate user"
90 ${SSH} -2i $OBJ/user_ca_key \
91 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
92 if [ $? -eq 0 ]; then
93 fail "ssh cert connect with CA key succeeded unexpectedly"
94 fi
95}
45 96
46verbose "$tid: ensure CA key does not authenticate user" 97basic_tests authorized_keys
47${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 98basic_tests TrustedUserCAKeys
48if [ $? -eq 0 ]; then
49 fail "ssh cert connect with CA key succeeded unexpectedly"
50fi
51 99
52test_one() { 100test_one() {
53 ident=$1 101 ident=$1
54 result=$2 102 result=$2
55 sign_opts=$3 103 sign_opts=$3
56 104 auth_choice=$4
57 verbose "$tid: test user cert connect $ident expect $result" 105
106 if test "x$auth_choice" = "x" ; then
107 auth_choice="authorized_keys TrustedUserCAKeys"
108 fi
58 109
59 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ 110 for auth in $auth_choice ; do
60 $sign_opts \ 111 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
61 $OBJ/cert_user_key_rsa || 112 if test "x$auth" = "xauthorized_keys" ; then
62 fail "couldn't sign cert_user_key_rsa" 113 # Add CA to authorized_keys
114 (
115 echon 'cert-authority '
116 cat $OBJ/user_ca_key.pub
117 ) > $OBJ/authorized_keys_$USER
118 else
119 echo > $OBJ/authorized_keys_$USER
120 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \
121 $OBJ/sshd_proxy
63 122
64 ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
65 somehost true >/dev/null 2>&1
66 rc=$?
67 if [ "x$result" = "xsuccess" ] ; then
68 if [ $rc -ne 0 ]; then
69 fail "ssh cert connect $ident failed unexpectedly"
70 fi 123 fi
71 else 124
72 if [ $rc -eq 0 ]; then 125 verbose "$tid: $ident auth $auth expect $result"
73 fail "ssh cert connect $ident succeeded unexpectedly" 126 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
127 -I "regress user key for $USER" \
128 $sign_opts \
129 $OBJ/cert_user_key_rsa ||
130 fail "couldn't sign cert_user_key_rsa"
131
132 ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
133 somehost true >/dev/null 2>&1
134 rc=$?
135 if [ "x$result" = "xsuccess" ] ; then
136 if [ $rc -ne 0 ]; then
137 fail "$ident failed unexpectedly"
138 fi
139 else
140 if [ $rc -eq 0 ]; then
141 fail "$ident succeeded unexpectedly"
142 fi
74 fi 143 fi
75 fi 144 done
76 cleanup
77} 145}
78 146
79test_one "host-certificate" failure "-h" 147test_one "correct principal" success "-n ${USER}"
80test_one "empty principals" success "" 148test_one "host-certificate" failure "-n ${USER} -h"
81test_one "wrong principals" failure "-n foo" 149test_one "wrong principals" failure "-n foo"
82test_one "cert not yet valid" failure "-V20200101:20300101" 150test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
83test_one "cert expired" failure "-V19800101:19900101" 151test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
84test_one "cert valid interval" success "-V-1w:+2w" 152test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
85test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8" 153test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
86test_one "force-command" failure "-Oforce-command=false" 154test_one "force-command" failure "-n ${USER} -Oforce-command=false"
155
156# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
157test_one "empty principals" success "" authorized_keys
158test_one "empty principals" failure "" TrustedUserCAKeys
87 159
88# Wrong certificate 160# Wrong certificate
89for ktype in rsa dsa ; do 161for ktype in rsa dsa ; do
@@ -101,3 +173,4 @@ for ktype in rsa dsa ; do
101done 173done
102 174
103rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* 175rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
176