Diffstat (limited to 'regress/limit-keytype.sh')
-rw-r--r-- | regress/limit-keytype.sh | 80 |
1 files changed, 80 insertions, 0 deletions
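diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh
new file mode 100644
index 000000000..2de037bd1
--- /dev/null
+++ b/regress/limit-keytype.sh
@@ -0,0 +1,80 @@
+# $OpenBSD: limit-keytype.sh,v 1.1 2015/01/13 07:49:49 djm Exp $
+# Placed in the Public Domain.
+
+tid="restrict pubkey type"
+
+rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/user_key*
+rm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key*
+
+mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
+mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
+
+# Create a CA key
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key ||\
+fatal "ssh-keygen failed"
+
+# Make some keys and a certificate.
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \
+fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key2 || \
+fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key3 || \
+fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+-z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 ||
+fatal "couldn't sign user_key1"
+# Copy the private key alongside the cert to allow better control of when
+# it is offered.
+mv $OBJ/user_key3-cert.pub $OBJ/cert_user_key3.pub
+cp -p $OBJ/user_key3 $OBJ/cert_user_key3
+
+grep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy
+
+opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
+fullopts="$opts -i $OBJ/cert_user_key3 -i $OBJ/user_key1 -i $OBJ/user_key2"
+
+echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER
+cat $OBJ/user_key2.pub >> $OBJ/authorized_keys_$USER
+
+prepare_config() {
+(
+grep -v "Protocol" $OBJ/sshd_proxy.orig
+echo "Protocol 2"
+echo "AuthenticationMethods publickey"
+echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+echo "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
+for x in "$@" ; do
+echo "$x"
+done
+) > $OBJ/sshd_proxy
+}
+
+prepare_config
+
+# Check we can log in with all key types.
+${SSH} $opts -i $OBJ/cert_user_key3 proxy true || fatal "cert failed"
+${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
+${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
+
+# Allow plain Ed25519 and RSA. The certificate should fail.
+verbose "privsep=$privsep allow rsa,ed25519"
+prepare_config "PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519"
+${SSH} $opts -i $OBJ/cert_user_key3 proxy true && fatal "cert succeeded"
+${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
+${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
+
+# Allow Ed25519 only.
+verbose "privsep=$privsep allow ed25519"
+prepare_config "PubkeyAcceptedKeyTypes ssh-ed25519"
+${SSH} $opts -i $OBJ/cert_user_key3 proxy true && fatal "cert succeeded"
+${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
+${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
+
+# Allow all certs. Plain keys should fail.
+verbose "privsep=$privsep allow cert only"
+prepare_config "PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com"
+${SSH} $opts -i $OBJ/cert_user_key3 proxy true || fatal "cert failed"
+${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
+${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
+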
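Review bot: The failure message on line 25 names the wrong key: the signing command on lines 23-24 certifies `$OBJ/user_key3`, so a signing failure would be reported as "couldn't sign user_key1" and send whoever debugs it to the wrong file; it should read `fatal "couldn't sign user_key3"`. The `fullopts` variable on line 34 is assigned but never used, since every login uses `$opts` with a single `-i`, so it can be dropped or the comment should say why it is kept. The comment "Allow all certs" on line 74 overstates what the pattern on line 76 matches: `ssh-*-cert-v01@openssh.com` only admits certificate types whose name begins with `ssh-`, which covers the Ed25519 certificate exercised here but not necessarily every certificate type sshd supports, so a comment such as `# Allow ssh-* certs (the only cert used here is ed25519). Plain keys should fail.` would be more accurate. The script also moves `sshd_proxy`/`ssh_proxy` to `.orig` on lines 9-10 without restoring them; presumably the regress harness regenerates them per test, but a one-line comment saying so would help readers.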