summaryrefslogtreecommitdiff
path: root/regress
diff options
context:
space:
mode:
Diffstat (limited to 'regress')
-rw-r--r--regress/Makefile5
-rw-r--r--regress/cert-userkey.sh117
2 files changed, 115 insertions, 7 deletions
diff --git a/regress/Makefile b/regress/Makefile
index d25a64555..6e7b441bf 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.52 2010/02/26 20:33:21 djm Exp $ 1# $OpenBSD: Makefile,v 1.53 2010/05/07 11:31:26 djm Exp $
2 2
3REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec 3REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec
4tests: $(REGRESS_TARGETS) 4tests: $(REGRESS_TARGETS)
@@ -69,7 +69,8 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
69 scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \ 69 scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
70 sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \ 70 sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
71 known_hosts-cert host_ca_key* cert_host_key* \ 71 known_hosts-cert host_ca_key* cert_host_key* \
72 putty.rsa2 sshd_proxy_orig 72 putty.rsa2 sshd_proxy_orig \
73 authorized_principals_${USER}
73 74
74# Enable all malloc(3) randomisations and checks 75# Enable all malloc(3) randomisations and checks
75TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" 76TEST_ENV= "MALLOC_OPTIONS=AFGJPRX"
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 88d6d70a4..8fd1b48db 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $ 1# $OpenBSD: cert-userkey.sh,v 1.5 2010/05/07 11:31:26 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified user keys" 4tid="certified user keys"
@@ -18,16 +18,100 @@ for ktype in rsa dsa ; do
18 fail "ssh-keygen of cert_user_key_${ktype} failed" 18 fail "ssh-keygen of cert_user_key_${ktype} failed"
19 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \ 19 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
20 "regress user key for $USER" \ 20 "regress user key for $USER" \
21 -n $USER $OBJ/cert_user_key_${ktype} || 21 -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
22 fail "couldn't sign cert_user_key_${ktype}" 22 fail "couldn't sign cert_user_key_${ktype}"
23 cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 23 cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
24 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub 24 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
25 ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ 25 ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
26 "regress user key for $USER" \ 26 "regress user key for $USER" \
27 -n $USER $OBJ/cert_user_key_${ktype}_v00 || 27 -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
28 fail "couldn't sign cert_user_key_${ktype}_v00" 28 fail "couldn't sign cert_user_key_${ktype}_v00"
29done 29done
30 30
31# Test explicitly-specified principals
32for ktype in rsa dsa rsa_v00 dsa_v00 ; do
33 for privsep in yes no ; do
34 _prefix="${ktype} privsep $privsep"
35
36 # Setup for AuthorizedPrincipalsFile
37 rm -f $OBJ/authorized_keys_$USER
38 (
39 cat $OBJ/sshd_proxy_bak
40 echo "UsePrivilegeSeparation $privsep"
41 echo "AuthorizedPrincipalsFile " \
42 "$OBJ/authorized_principals_%u"
43 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
44 ) > $OBJ/sshd_proxy
45
46 # Missing authorized_principals
47 verbose "$tid: ${_prefix} missing authorized_principals"
48 rm -f $OBJ/authorized_principals_$USER
49 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
50 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
51 if [ $? -eq 0 ]; then
52 fail "ssh cert connect succeeded unexpectedly"
53 fi
54
55 # Empty authorized_principals
56 verbose "$tid: ${_prefix} empty authorized_principals"
57 echo > $OBJ/authorized_principals_$USER
58 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
59 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
60 if [ $? -eq 0 ]; then
61 fail "ssh cert connect succeeded unexpectedly"
62 fi
63
64 # Wrong authorized_principals
65 verbose "$tid: ${_prefix} wrong authorized_principals"
66 echo gregorsamsa > $OBJ/authorized_principals_$USER
67 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
68 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
69 if [ $? -eq 0 ]; then
70 fail "ssh cert connect succeeded unexpectedly"
71 fi
72
73 # Correct authorized_principals
74 verbose "$tid: ${_prefix} correct authorized_principals"
75 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
76 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
77 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
78 if [ $? -ne 0 ]; then
79 fail "ssh cert connect failed"
80 fi
81
82 # Setup for principals= key option
83 rm -f $OBJ/authorized_principals_$USER
84 (
85 cat $OBJ/sshd_proxy_bak
86 echo "UsePrivilegeSeparation $privsep"
87 ) > $OBJ/sshd_proxy
88
89 # Wrong principals list
90 verbose "$tid: ${_prefix} wrong principals key option"
91 (
92 echon 'cert-authority,principals="gregorsamsa" '
93 cat $OBJ/user_ca_key.pub
94 ) > $OBJ/authorized_keys_$USER
95 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
96 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
97 if [ $? -eq 0 ]; then
98 fail "ssh cert connect succeeded unexpectedly"
99 fi
100
101 # Correct principals list
102 verbose "$tid: ${_prefix} correct principals key option"
103 (
104 echon 'cert-authority,principals="mekmitasdigoat" '
105 cat $OBJ/user_ca_key.pub
106 ) > $OBJ/authorized_keys_$USER
107 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
108 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
109 if [ $? -ne 0 ]; then
110 fail "ssh cert connect failed"
111 fi
112 done
113done
114
31basic_tests() { 115basic_tests() {
32 auth=$1 116 auth=$1
33 if test "x$auth" = "xauthorized_keys" ; then 117 if test "x$auth" = "xauthorized_keys" ; then
@@ -108,6 +192,7 @@ test_one() {
108 result=$2 192 result=$2
109 sign_opts=$3 193 sign_opts=$3
110 auth_choice=$4 194 auth_choice=$4
195 auth_opt=$5
111 196
112 if test "x$auth_choice" = "x" ; then 197 if test "x$auth_choice" = "x" ; then
113 auth_choice="authorized_keys TrustedUserCAKeys" 198 auth_choice="authorized_keys TrustedUserCAKeys"
@@ -119,14 +204,16 @@ test_one() {
119 if test "x$auth" = "xauthorized_keys" ; then 204 if test "x$auth" = "xauthorized_keys" ; then
120 # Add CA to authorized_keys 205 # Add CA to authorized_keys
121 ( 206 (
122 echon 'cert-authority ' 207 echon "cert-authority${auth_opt} "
123 cat $OBJ/user_ca_key.pub 208 cat $OBJ/user_ca_key.pub
124 ) > $OBJ/authorized_keys_$USER 209 ) > $OBJ/authorized_keys_$USER
125 else 210 else
126 echo > $OBJ/authorized_keys_$USER 211 echo > $OBJ/authorized_keys_$USER
127 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ 212 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
128 >> $OBJ/sshd_proxy 213 >> $OBJ/sshd_proxy
129 214 if test "x$auth_opt" != "x" ; then
215 echo $auth_opt >> $OBJ/sshd_proxy
216 fi
130 fi 217 fi
131 218
132 verbose "$tid: $ident auth $auth expect $result $ktype" 219 verbose "$tid: $ident auth $auth expect $result $ktype"
@@ -165,7 +252,26 @@ test_one "force-command" failure "-n ${USER} -Oforce-command=false"
165test_one "empty principals" success "" authorized_keys 252test_one "empty principals" success "" authorized_keys
166test_one "empty principals" failure "" TrustedUserCAKeys 253test_one "empty principals" failure "" TrustedUserCAKeys
167 254
255# Check explicitly-specified principals: an empty principals list in the cert
256# should always be refused.
257
258# AuthorizedPrincipalsFile
259rm -f $OBJ/authorized_keys_$USER
260echo mekmitasdigoat > $OBJ/authorized_principals_$USER
261test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
262 TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
263test_one "AuthorizedPrincipalsFile no principals" failure "" \
264 TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
265
266# principals= key option
267rm -f $OBJ/authorized_principals_$USER
268test_one "principals key option principals" success "-n mekmitasdigoat" \
269 authorized_keys ',principals="mekmitasdigoat"'
270test_one "principals key option no principals" failure "" \
271 authorized_keys ',principals="mekmitasdigoat"'
272
168# Wrong certificate 273# Wrong certificate
274cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
169for ktype in rsa dsa rsa_v00 dsa_v00 ; do 275for ktype in rsa dsa rsa_v00 dsa_v00 ; do
170 case $ktype in 276 case $ktype in
171 *_v00) args="-t v00" ;; 277 *_v00) args="-t v00" ;;
@@ -185,4 +291,5 @@ for ktype in rsa dsa rsa_v00 dsa_v00 ; do
185done 291done
186 292
187rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* 293rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
294rm -f $OBJ/authorized_principals_$USER
188 295