diff options
Diffstat (limited to 'regress/principals-command.sh')
| -rw-r--r-- | regress/principals-command.sh | 54 |
1 files changed, 35 insertions, 19 deletions
diff --git a/regress/principals-command.sh b/regress/principals-command.sh index c0be7e747..9b38eb105 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $ | 1 | # $OpenBSD: principals-command.sh,v 1.3 2016/09/26 21:34:38 bluhm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="authorized principals command" | 4 | tid="authorized principals command" |
| @@ -6,41 +6,56 @@ tid="authorized principals command" | |||
| 6 | rm -f $OBJ/user_ca_key* $OBJ/cert_user_key* | 6 | rm -f $OBJ/user_ca_key* $OBJ/cert_user_key* |
| 7 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | 7 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
| 8 | 8 | ||
| 9 | if test -z "$SUDO" ; then | 9 | if [ -z "$SUDO" -a ! -w /var/run ]; then |
| 10 | echo "skipped (SUDO not set)" | 10 | echo "skipped (SUDO not set)" |
| 11 | echo "need SUDO to create file in /var/run, test won't work without" | 11 | echo "need SUDO to create file in /var/run, test won't work without" |
| 12 | exit 0 | 12 | exit 0 |
| 13 | fi | 13 | fi |
| 14 | 14 | ||
| 15 | SERIAL=$$ | ||
| 16 | |||
| 17 | # Create a CA key and a user certificate. | ||
| 18 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ | ||
| 19 | fatal "ssh-keygen of user_ca_key failed" | ||
| 20 | ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/cert_user_key || \ | ||
| 21 | fatal "ssh-keygen of cert_user_key failed" | ||
| 22 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \ | ||
| 23 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ | ||
| 24 | fatal "couldn't sign cert_user_key" | ||
| 25 | |||
| 26 | CERT_BODY=`cat $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'` | ||
| 27 | CA_BODY=`cat $OBJ/user_ca_key.pub | awk '{ print $2 }'` | ||
| 28 | CERT_FP=`${SSHKEYGEN} -lf $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'` | ||
| 29 | CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'` | ||
| 30 | |||
| 15 | # Establish a AuthorizedPrincipalsCommand in /var/run where it will have | 31 | # Establish a AuthorizedPrincipalsCommand in /var/run where it will have |
| 16 | # acceptable directory permissions. | 32 | # acceptable directory permissions. |
| 17 | PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}" | 33 | PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}" |
| 18 | cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'" | 34 | cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" |
| 19 | #!/bin/sh | 35 | #!/bin/sh |
| 20 | test "x\$1" != "x${LOGNAME}" && exit 1 | 36 | test "x\$1" != "x${LOGNAME}" && exit 1 |
| 37 | test "x\$2" != "xssh-rsa-cert-v01@openssh.com" && exit 1 | ||
| 38 | test "x\$3" != "xssh-ed25519" && exit 1 | ||
| 39 | test "x\$4" != "xJoanne User" && exit 1 | ||
| 40 | test "x\$5" != "x${SERIAL}" && exit 1 | ||
| 41 | test "x\$6" != "x${CA_FP}" && exit 1 | ||
| 42 | test "x\$7" != "x${CERT_FP}" && exit 1 | ||
| 43 | test "x\$8" != "x${CERT_BODY}" && exit 1 | ||
| 44 | test "x\$9" != "x${CA_BODY}" && exit 1 | ||
| 21 | test -f "$OBJ/authorized_principals_${LOGNAME}" && | 45 | test -f "$OBJ/authorized_principals_${LOGNAME}" && |
| 22 | exec cat "$OBJ/authorized_principals_${LOGNAME}" | 46 | exec cat "$OBJ/authorized_principals_${LOGNAME}" |
| 23 | _EOF | 47 | _EOF |
| 24 | test $? -eq 0 || fatal "couldn't prepare principals command" | 48 | test $? -eq 0 || fatal "couldn't prepare principals command" |
| 25 | $SUDO chmod 0755 "$PRINCIPALS_CMD" | 49 | $SUDO chmod 0755 "$PRINCIPALS_COMMAND" |
| 26 | 50 | ||
| 27 | if ! $OBJ/check-perm -m keys-command $PRINCIPALS_CMD ; then | 51 | if ! $OBJ/check-perm -m keys-command $PRINCIPALS_COMMAND ; then |
| 28 | echo "skipping: $PRINCIPALS_CMD is unsuitable as " \ | 52 | echo "skipping: $PRINCIPALS_COMMAND is unsuitable as " \ |
| 29 | "AuthorizedPrincipalsCommand" | 53 | "AuthorizedPrincipalsCommand" |
| 30 | $SUDO rm -f $PRINCIPALS_CMD | 54 | $SUDO rm -f $PRINCIPALS_COMMAND |
| 31 | exit 0 | 55 | exit 0 |
| 32 | fi | 56 | fi |
| 33 | 57 | ||
| 34 | # Create a CA key and a user certificate. | 58 | if [ -x $PRINCIPALS_COMMAND ]; then |
| 35 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ | ||
| 36 | fatal "ssh-keygen of user_ca_key failed" | ||
| 37 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \ | ||
| 38 | fatal "ssh-keygen of cert_user_key failed" | ||
| 39 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ | ||
| 40 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ | ||
| 41 | fatal "couldn't sign cert_user_key" | ||
| 42 | |||
| 43 | if [ -x $PRINCIPALS_CMD ]; then | ||
| 44 | # Test explicitly-specified principals | 59 | # Test explicitly-specified principals |
| 45 | for privsep in yes no ; do | 60 | for privsep in yes no ; do |
| 46 | _prefix="privsep $privsep" | 61 | _prefix="privsep $privsep" |
| @@ -51,7 +66,8 @@ if [ -x $PRINCIPALS_CMD ]; then | |||
| 51 | cat $OBJ/sshd_proxy_bak | 66 | cat $OBJ/sshd_proxy_bak |
| 52 | echo "UsePrivilegeSeparation $privsep" | 67 | echo "UsePrivilegeSeparation $privsep" |
| 53 | echo "AuthorizedKeysFile none" | 68 | echo "AuthorizedKeysFile none" |
| 54 | echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u" | 69 | echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \ |
| 70 | "%u %t %T %i %s %F %f %k %K" | ||
| 55 | echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" | 71 | echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" |
| 56 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" | 72 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" |
| 57 | ) > $OBJ/sshd_proxy | 73 | ) > $OBJ/sshd_proxy |