Diffstat (limited to 'regress')
-rw-r--r-- | regress/principals-command.sh | 38 |
1 files changed, 27 insertions, 11 deletions
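--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $
+# $OpenBSD: principals-command.sh,v 1.2 2016/09/21 01:35:12 djm Exp $
 # Placed in the Public Domain.
 
 tid="authorized principals command"
@@ -12,12 +12,36 @@ if test -z "$SUDO" ; then
 exit 0
 fi
 
+SERIAL=$$
+
+# Create a CA key and a user certificate.
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
+fatal "ssh-keygen of user_ca_key failed"
+${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/cert_user_key || \
+fatal "ssh-keygen of cert_user_key failed"
+${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \
+-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
+fatal "couldn't sign cert_user_key"
+
+CERT_BODY=`cat $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
+CA_BODY=`cat $OBJ/user_ca_key.pub | awk '{ print $2 }'`
+CERT_FP=`${SSHKEYGEN} -lf $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
+CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'`
+
 # Establish a AuthorizedPrincipalsCommand in /var/run where it will have
 # acceptable directory permissions.
 PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
 cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
 #!/bin/sh
 test "x\$1" != "x${LOGNAME}" && exit 1
+test "x\$2" != "xssh-rsa-cert-v01@openssh.com" && exit 1
+test "x\$3" != "xssh-ed25519" && exit 1
+test "x\$4" != "xJoanne User" && exit 1
+test "x\$5" != "x${SERIAL}" && exit 1
+test "x\$6" != "x${CA_FP}" && exit 1
+test "x\$7" != "x${CERT_FP}" && exit 1
+test "x\$8" != "x${CERT_BODY}" && exit 1
+test "x\$9" != "x${CA_BODY}" && exit 1
 test -f "$OBJ/authorized_principals_${LOGNAME}" &&
 exec cat "$OBJ/authorized_principals_${LOGNAME}"
 _EOF
@@ -31,15 +55,6 @@ if ! $OBJ/check-perm -m keys-command $PRINCIPALS_CMD ; then
 exit 0
 fi
 
-# Create a CA key and a user certificate.
-${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
-fatal "ssh-keygen of user_ca_key failed"
-${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \
-fatal "ssh-keygen of cert_user_key failed"
-${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
--z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
-fatal "couldn't sign cert_user_key"
-
 if [ -x $PRINCIPALS_CMD ]; then
 # Test explicitly-specified principals
 for privsep in yes no ; do
@@ -51,7 +66,8 @@ if [ -x $PRINCIPALS_CMD ]; then
 cat $OBJ/sshd_proxy_bak
 echo "UsePrivilegeSeparation $privsep"
 echo "AuthorizedKeysFile none"
-echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
+echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
+"%u %t %T %i %s %F %f %k %K"
 echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
 ) > $OBJ/sshd_proxy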
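Review bot: The rewritten config line in the last hunk expands `$PRINCIPALS_COMMAND`, but the script defines the helper path as `PRINCIPALS_CMD` (the `if [ -x $PRINCIPALS_CMD ]` context line in the same hunk and the heredoc target earlier in the file both use that name), so unless `PRINCIPALS_COMMAND` is set somewhere outside the visible lines the `AuthorizedPrincipalsCommand` option is written with an empty command and the new `%t %T %i %s %F %f %k %K` argument checks in the helper script are never exercised. The line should read `echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD" \`. Whether this fails loudly or quietly skips the principals check depends on how sshd parses the resulting line, which the page does not show. A short comment on the echo noting that this token order must match the `test "x\$2"`…`"x\$9"` chain in the heredoc would help keep the two in sync. The enclosing `for privsep` loop and the `( … ) > $OBJ/sshd_proxy` subshell start outside the hunk.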