2 files changed, 115 insertions, 7 deletions
diff --git a/regress/Makefile b/regress/Makefile
index d25a64555..6e7b441bf 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.52 2010/02/26 20:33:21 djm Exp $
+#       $OpenBSD: Makefile,v 1.53 2010/05/07 11:31:26 djm Exp $
 REGRESS_TARGETS=        t1 t2 t3 t4 t5 t6 t7 t-exec
 tests:          $(REGRESS_TARGETS)
@@ -69,7 +69,8 @@ CLEANFILES=	t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
                scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
                sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
                known_hosts-cert host_ca_key* cert_host_key* \
-                putty.rsa2 sshd_proxy_orig
+                putty.rsa2 sshd_proxy_orig \
+                authorized_principals_${USER}
 # Enable all malloc(3) randomisations and checks
 TEST_ENV=      "MALLOC_OPTIONS=AFGJPRX"
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 88d6d70a4..8fd1b48db 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
+#       $OpenBSD: cert-userkey.sh,v 1.5 2010/05/07 11:31:26 djm Exp $
 #       Placed in the Public Domain.
 tid="certified user keys"
@@ -18,16 +18,100 @@ for ktype in rsa dsa ; do
                fail "ssh-keygen of cert_user_key_${ktype} failed"
        ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
            "regress user key for $USER" \
-            -n $USER $OBJ/cert_user_key_${ktype} ||
+            -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
                fail "couldn't sign cert_user_key_${ktype}"
        cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
        cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
        ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
            "regress user key for $USER" \
-            -n $USER $OBJ/cert_user_key_${ktype}_v00 ||
+            -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
                fail "couldn't sign cert_user_key_${ktype}_v00"
 done
+# Test explicitly-specified principals
+for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
+        for privsep in yes no ; do
+                _prefix="${ktype} privsep $privsep"
+                # Setup for AuthorizedPrincipalsFile
+                rm -f $OBJ/authorized_keys_$USER
+                (
+                        cat $OBJ/sshd_proxy_bak
+                        echo "UsePrivilegeSeparation $privsep"
+                        echo "AuthorizedPrincipalsFile " \
+                            "$OBJ/authorized_principals_%u"
+                        echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+                ) > $OBJ/sshd_proxy
+                # Missing authorized_principals
+                verbose "$tid: ${_prefix} missing authorized_principals"
+                rm -f $OBJ/authorized_principals_$USER
+                ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                if [ $? -eq 0 ]; then
+                        fail "ssh cert connect succeeded unexpectedly"
+                fi
+                # Empty authorized_principals
+                verbose "$tid: ${_prefix} empty authorized_principals"
+                echo > $OBJ/authorized_principals_$USER
+                ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                if [ $? -eq 0 ]; then
+                        fail "ssh cert connect succeeded unexpectedly"
+                fi
+        
+                # Wrong authorized_principals
+                verbose "$tid: ${_prefix} wrong authorized_principals"
+                echo gregorsamsa > $OBJ/authorized_principals_$USER
+                ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                if [ $? -eq 0 ]; then
+                        fail "ssh cert connect succeeded unexpectedly"
+                fi
+                # Correct authorized_principals
+                verbose "$tid: ${_prefix} correct authorized_principals"
+                echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+                ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                if [ $? -ne 0 ]; then
+                        fail "ssh cert connect failed"
+                fi
+                # Setup for principals= key option
+                rm -f $OBJ/authorized_principals_$USER
+                (
+                        cat $OBJ/sshd_proxy_bak
+                        echo "UsePrivilegeSeparation $privsep"
+                ) > $OBJ/sshd_proxy
+                # Wrong principals list
+                verbose "$tid: ${_prefix} wrong principals key option"
+                (
+                        echon 'cert-authority,principals="gregorsamsa" '
+                        cat $OBJ/user_ca_key.pub
+                ) > $OBJ/authorized_keys_$USER
+                ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                if [ $? -eq 0 ]; then
+                        fail "ssh cert connect succeeded unexpectedly"
+                fi
+                # Correct principals list
+                verbose "$tid: ${_prefix} correct principals key option"
+                (
+                        echon 'cert-authority,principals="mekmitasdigoat" '
+                        cat $OBJ/user_ca_key.pub
+                ) > $OBJ/authorized_keys_$USER
+                ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                if [ $? -ne 0 ]; then
+                        fail "ssh cert connect failed"
+                fi
+        done
+done
 basic_tests() {
        auth=$1
        if test "x$auth" = "xauthorized_keys" ; then
@@ -108,6 +192,7 @@ test_one() {
        result=$2
        sign_opts=$3
        auth_choice=$4
+        auth_opt=$5
        if test "x$auth_choice" = "x" ; then
                auth_choice="authorized_keys TrustedUserCAKeys"
@@ -119,14 +204,16 @@ test_one() {
                        if test "x$auth" = "xauthorized_keys" ; then
                                # Add CA to authorized_keys
                                (
-                                        echon 'cert-authority '
+                                        echon "cert-authority${auth_opt} "
                                        cat $OBJ/user_ca_key.pub
                                ) > $OBJ/authorized_keys_$USER
                        else
                                echo > $OBJ/authorized_keys_$USER
                                echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
                                    >> $OBJ/sshd_proxy
-        
+                                if test "x$auth_opt" != "x" ; then
+                                        echo $auth_opt >> $OBJ/sshd_proxy
+                                fi
                        fi
                        
                        verbose "$tid: $ident auth $auth expect $result $ktype"
@@ -165,7 +252,26 @@ test_one "force-command"	failure "-n ${USER} -Oforce-command=false"
 test_one "empty principals"     success "" authorized_keys
 test_one "empty principals"     failure "" TrustedUserCAKeys
+# Check explicitly-specified principals: an empty principals list in the cert
+# should always be refused.
+# AuthorizedPrincipalsFile
+rm -f $OBJ/authorized_keys_$USER
+echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
+    TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
+test_one "AuthorizedPrincipalsFile no principals" failure "" \
+    TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
+# principals= key option
+rm -f $OBJ/authorized_principals_$USER
+test_one "principals key option principals" success "-n mekmitasdigoat" \
+    authorized_keys ',principals="mekmitasdigoat"'
+test_one "principals key option no principals" failure "" \
+    authorized_keys ',principals="mekmitasdigoat"'
 # Wrong certificate
+cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
 for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
        case $ktype in
        *_v00) args="-t v00" ;;
@@ -185,4 +291,5 @@ for ktype in rsa dsa rsa_v00 dsa_v00 ; do
 done
 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
+rm -f $OBJ/authorized_principals_$USER

diff --git a/regress/Makefile b/regress/Makefile index d25a64555..6e7b441bf 100644 --- a/regress/Makefile +++ b/regress/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.52 2010/02/26 20:33:21 djm Exp $	1	# $OpenBSD: Makefile,v 1.53 2010/05/07 11:31:26 djm Exp $
2		2
3	REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec	3	REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec
4	tests: $(REGRESS_TARGETS)	4	tests: $(REGRESS_TARGETS)
@@ -69,7 +69,8 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
69	scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \	69	scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
70	sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \	70	sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
71	known_hosts-cert host_ca_key* cert_host_key* \	71	known_hosts-cert host_ca_key* cert_host_key* \
72	putty.rsa2 sshd_proxy_orig	72	putty.rsa2 sshd_proxy_orig \
		73	authorized_principals_${USER}
73		74
74	# Enable all malloc(3) randomisations and checks	75	# Enable all malloc(3) randomisations and checks
75	TEST_ENV= "MALLOC_OPTIONS=AFGJPRX"	76	TEST_ENV= "MALLOC_OPTIONS=AFGJPRX"


diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 88d6d70a4..8fd1b48db 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $	1	# $OpenBSD: cert-userkey.sh,v 1.5 2010/05/07 11:31:26 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified user keys"	4	tid="certified user keys"
@@ -18,16 +18,100 @@ for ktype in rsa dsa ; do
18	fail "ssh-keygen of cert_user_key_${ktype} failed"	18	fail "ssh-keygen of cert_user_key_${ktype} failed"
19	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \	19	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
20	"regress user key for $USER" \	20	"regress user key for $USER" \
21	-n $USER $OBJ/cert_user_key_${ktype} \|\|	21	-n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} \|\|
22	fail "couldn't sign cert_user_key_${ktype}"	22	fail "couldn't sign cert_user_key_${ktype}"
23	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00	23	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
24	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub	24	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
25	${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \	25	${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
26	"regress user key for $USER" \	26	"regress user key for $USER" \
27	-n $USER $OBJ/cert_user_key_${ktype}_v00 \|\|	27	-n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 \|\|
28	fail "couldn't sign cert_user_key_${ktype}_v00"	28	fail "couldn't sign cert_user_key_${ktype}_v00"
29	done	29	done
30		30
		31	# Test explicitly-specified principals
		32	for ktype in rsa dsa rsa_v00 dsa_v00 ; do
		33	for privsep in yes no ; do
		34	_prefix="${ktype} privsep $privsep"
		35
		36	# Setup for AuthorizedPrincipalsFile
		37	rm -f $OBJ/authorized_keys_$USER
		38	(
		39	cat $OBJ/sshd_proxy_bak
		40	echo "UsePrivilegeSeparation $privsep"
		41	echo "AuthorizedPrincipalsFile " \
		42	"$OBJ/authorized_principals_%u"
		43	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
		44	) > $OBJ/sshd_proxy
		45
		46	# Missing authorized_principals
		47	verbose "$tid: ${_prefix} missing authorized_principals"
		48	rm -f $OBJ/authorized_principals_$USER
		49	${SSH} -2i $OBJ/cert_user_key_${ktype} \
		50	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		51	if [ $? -eq 0 ]; then
		52	fail "ssh cert connect succeeded unexpectedly"
		53	fi
		54
		55	# Empty authorized_principals
		56	verbose "$tid: ${_prefix} empty authorized_principals"
		57	echo > $OBJ/authorized_principals_$USER
		58	${SSH} -2i $OBJ/cert_user_key_${ktype} \
		59	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		60	if [ $? -eq 0 ]; then
		61	fail "ssh cert connect succeeded unexpectedly"
		62	fi
		63
		64	# Wrong authorized_principals
		65	verbose "$tid: ${_prefix} wrong authorized_principals"
		66	echo gregorsamsa > $OBJ/authorized_principals_$USER
		67	${SSH} -2i $OBJ/cert_user_key_${ktype} \
		68	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		69	if [ $? -eq 0 ]; then
		70	fail "ssh cert connect succeeded unexpectedly"
		71	fi
		72
		73	# Correct authorized_principals
		74	verbose "$tid: ${_prefix} correct authorized_principals"
		75	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
		76	${SSH} -2i $OBJ/cert_user_key_${ktype} \
		77	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		78	if [ $? -ne 0 ]; then
		79	fail "ssh cert connect failed"
		80	fi
		81
		82	# Setup for principals= key option
		83	rm -f $OBJ/authorized_principals_$USER
		84	(
		85	cat $OBJ/sshd_proxy_bak
		86	echo "UsePrivilegeSeparation $privsep"
		87	) > $OBJ/sshd_proxy
		88
		89	# Wrong principals list
		90	verbose "$tid: ${_prefix} wrong principals key option"
		91	(
		92	echon 'cert-authority,principals="gregorsamsa" '
		93	cat $OBJ/user_ca_key.pub
		94	) > $OBJ/authorized_keys_$USER
		95	${SSH} -2i $OBJ/cert_user_key_${ktype} \
		96	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		97	if [ $? -eq 0 ]; then
		98	fail "ssh cert connect succeeded unexpectedly"
		99	fi
		100
		101	# Correct principals list
		102	verbose "$tid: ${_prefix} correct principals key option"
		103	(
		104	echon 'cert-authority,principals="mekmitasdigoat" '
		105	cat $OBJ/user_ca_key.pub
		106	) > $OBJ/authorized_keys_$USER
		107	${SSH} -2i $OBJ/cert_user_key_${ktype} \
		108	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		109	if [ $? -ne 0 ]; then
		110	fail "ssh cert connect failed"
		111	fi
		112	done
		113	done
		114
31	basic_tests() {	115	basic_tests() {
32	auth=$1	116	auth=$1
33	if test "x$auth" = "xauthorized_keys" ; then	117	if test "x$auth" = "xauthorized_keys" ; then
@@ -108,6 +192,7 @@ test_one() {
108	result=$2	192	result=$2
109	sign_opts=$3	193	sign_opts=$3
110	auth_choice=$4	194	auth_choice=$4
		195	auth_opt=$5
111		196
112	if test "x$auth_choice" = "x" ; then	197	if test "x$auth_choice" = "x" ; then
113	auth_choice="authorized_keys TrustedUserCAKeys"	198	auth_choice="authorized_keys TrustedUserCAKeys"
@@ -119,14 +204,16 @@ test_one() {
119	if test "x$auth" = "xauthorized_keys" ; then	204	if test "x$auth" = "xauthorized_keys" ; then
120	# Add CA to authorized_keys	205	# Add CA to authorized_keys
121	(	206	(
122	echon 'cert-authority '	207	echon "cert-authority${auth_opt} "
123	cat $OBJ/user_ca_key.pub	208	cat $OBJ/user_ca_key.pub
124	) > $OBJ/authorized_keys_$USER	209	) > $OBJ/authorized_keys_$USER
125	else	210	else
126	echo > $OBJ/authorized_keys_$USER	211	echo > $OBJ/authorized_keys_$USER
127	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \	212	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
128	>> $OBJ/sshd_proxy	213	>> $OBJ/sshd_proxy
129		214	if test "x$auth_opt" != "x" ; then
		215	echo $auth_opt >> $OBJ/sshd_proxy
		216	fi
130	fi	217	fi
131		218
132	verbose "$tid: $ident auth $auth expect $result $ktype"	219	verbose "$tid: $ident auth $auth expect $result $ktype"
@@ -165,7 +252,26 @@ test_one "force-command" failure "-n ${USER} -Oforce-command=false"
165	test_one "empty principals" success "" authorized_keys	252	test_one "empty principals" success "" authorized_keys
166	test_one "empty principals" failure "" TrustedUserCAKeys	253	test_one "empty principals" failure "" TrustedUserCAKeys
167		254
		255	# Check explicitly-specified principals: an empty principals list in the cert
		256	# should always be refused.
		257
		258	# AuthorizedPrincipalsFile
		259	rm -f $OBJ/authorized_keys_$USER
		260	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
		261	test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
		262	TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
		263	test_one "AuthorizedPrincipalsFile no principals" failure "" \
		264	TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
		265
		266	# principals= key option
		267	rm -f $OBJ/authorized_principals_$USER
		268	test_one "principals key option principals" success "-n mekmitasdigoat" \
		269	authorized_keys ',principals="mekmitasdigoat"'
		270	test_one "principals key option no principals" failure "" \
		271	authorized_keys ',principals="mekmitasdigoat"'
		272
168	# Wrong certificate	273	# Wrong certificate
		274	cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
169	for ktype in rsa dsa rsa_v00 dsa_v00 ; do	275	for ktype in rsa dsa rsa_v00 dsa_v00 ; do
170	case $ktype in	276	case $ktype in
171	*_v00) args="-t v00" ;;	277	*_v00) args="-t v00" ;;
@@ -185,4 +291,5 @@ for ktype in rsa dsa rsa_v00 dsa_v00 ; do
185	done	291	done
186		292
187	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*	293	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
		294	rm -f $OBJ/authorized_principals_$USER
188		295