diff options
Diffstat (limited to 'regress')
-rw-r--r-- | regress/principals-command.sh | 222 |
1 files changed, 113 insertions, 109 deletions
diff --git a/regress/principals-command.sh b/regress/principals-command.sh index 90064373d..b90a8cf2c 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh | |||
@@ -14,15 +14,15 @@ fi | |||
14 | 14 | ||
15 | # Establish a AuthorizedPrincipalsCommand in /var/run where it will have | 15 | # Establish a AuthorizedPrincipalsCommand in /var/run where it will have |
16 | # acceptable directory permissions. | 16 | # acceptable directory permissions. |
17 | PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}" | 17 | PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}" |
18 | cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" | 18 | cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'" |
19 | #!/bin/sh | 19 | #!/bin/sh |
20 | test "x\$1" != "x${LOGNAME}" && exit 1 | 20 | test "x\$1" != "x${LOGNAME}" && exit 1 |
21 | test -f "$OBJ/authorized_principals_${LOGNAME}" && | 21 | test -f "$OBJ/authorized_principals_${LOGNAME}" && |
22 | exec cat "$OBJ/authorized_principals_${LOGNAME}" | 22 | exec cat "$OBJ/authorized_principals_${LOGNAME}" |
23 | _EOF | 23 | _EOF |
24 | test $? -eq 0 || fatal "couldn't prepare principals command" | 24 | test $? -eq 0 || fatal "couldn't prepare principals command" |
25 | $SUDO chmod 0755 "$PRINCIPALS_COMMAND" | 25 | $SUDO chmod 0755 "$PRINCIPALS_CMD" |
26 | 26 | ||
27 | # Create a CA key and a user certificate. | 27 | # Create a CA key and a user certificate. |
28 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ | 28 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ |
@@ -33,109 +33,113 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ | |||
33 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ | 33 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ |
34 | fatal "couldn't sign cert_user_key" | 34 | fatal "couldn't sign cert_user_key" |
35 | 35 | ||
36 | # Test explicitly-specified principals | 36 | if [ -x $PRINCIPALS_CMD ]; then |
37 | for privsep in yes no ; do | 37 | # Test explicitly-specified principals |
38 | _prefix="privsep $privsep" | 38 | for privsep in yes no ; do |
39 | 39 | _prefix="privsep $privsep" | |
40 | # Setup for AuthorizedPrincipalsCommand | 40 | |
41 | rm -f $OBJ/authorized_keys_$USER | 41 | # Setup for AuthorizedPrincipalsCommand |
42 | ( | 42 | rm -f $OBJ/authorized_keys_$USER |
43 | cat $OBJ/sshd_proxy_bak | 43 | ( |
44 | echo "UsePrivilegeSeparation $privsep" | 44 | cat $OBJ/sshd_proxy_bak |
45 | echo "AuthorizedKeysFile none" | 45 | echo "UsePrivilegeSeparation $privsep" |
46 | echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u" | 46 | echo "AuthorizedKeysFile none" |
47 | echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" | 47 | echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u" |
48 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" | 48 | echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" |
49 | ) > $OBJ/sshd_proxy | 49 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" |
50 | 50 | ) > $OBJ/sshd_proxy | |
51 | # XXX test missing command | 51 | |
52 | # XXX test failing command | 52 | # XXX test missing command |
53 | 53 | # XXX test failing command | |
54 | # Empty authorized_principals | 54 | |
55 | verbose "$tid: ${_prefix} empty authorized_principals" | 55 | # Empty authorized_principals |
56 | echo > $OBJ/authorized_principals_$USER | 56 | verbose "$tid: ${_prefix} empty authorized_principals" |
57 | ${SSH} -2i $OBJ/cert_user_key \ | 57 | echo > $OBJ/authorized_principals_$USER |
58 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 58 | ${SSH} -2i $OBJ/cert_user_key \ |
59 | if [ $? -eq 0 ]; then | 59 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
60 | fail "ssh cert connect succeeded unexpectedly" | 60 | if [ $? -eq 0 ]; then |
61 | fi | 61 | fail "ssh cert connect succeeded unexpectedly" |
62 | 62 | fi | |
63 | # Wrong authorized_principals | 63 | |
64 | verbose "$tid: ${_prefix} wrong authorized_principals" | 64 | # Wrong authorized_principals |
65 | echo gregorsamsa > $OBJ/authorized_principals_$USER | 65 | verbose "$tid: ${_prefix} wrong authorized_principals" |
66 | ${SSH} -2i $OBJ/cert_user_key \ | 66 | echo gregorsamsa > $OBJ/authorized_principals_$USER |
67 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 67 | ${SSH} -2i $OBJ/cert_user_key \ |
68 | if [ $? -eq 0 ]; then | 68 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
69 | fail "ssh cert connect succeeded unexpectedly" | 69 | if [ $? -eq 0 ]; then |
70 | fi | 70 | fail "ssh cert connect succeeded unexpectedly" |
71 | 71 | fi | |
72 | # Correct authorized_principals | 72 | |
73 | verbose "$tid: ${_prefix} correct authorized_principals" | 73 | # Correct authorized_principals |
74 | echo mekmitasdigoat > $OBJ/authorized_principals_$USER | 74 | verbose "$tid: ${_prefix} correct authorized_principals" |
75 | ${SSH} -2i $OBJ/cert_user_key \ | 75 | echo mekmitasdigoat > $OBJ/authorized_principals_$USER |
76 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 76 | ${SSH} -2i $OBJ/cert_user_key \ |
77 | if [ $? -ne 0 ]; then | 77 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
78 | fail "ssh cert connect failed" | 78 | if [ $? -ne 0 ]; then |
79 | fi | 79 | fail "ssh cert connect failed" |
80 | 80 | fi | |
81 | # authorized_principals with bad key option | 81 | |
82 | verbose "$tid: ${_prefix} authorized_principals bad key opt" | 82 | # authorized_principals with bad key option |
83 | echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER | 83 | verbose "$tid: ${_prefix} authorized_principals bad key opt" |
84 | ${SSH} -2i $OBJ/cert_user_key \ | 84 | echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER |
85 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 85 | ${SSH} -2i $OBJ/cert_user_key \ |
86 | if [ $? -eq 0 ]; then | 86 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
87 | fail "ssh cert connect succeeded unexpectedly" | 87 | if [ $? -eq 0 ]; then |
88 | fi | 88 | fail "ssh cert connect succeeded unexpectedly" |
89 | 89 | fi | |
90 | # authorized_principals with command=false | 90 | |
91 | verbose "$tid: ${_prefix} authorized_principals command=false" | 91 | # authorized_principals with command=false |
92 | echo 'command="false" mekmitasdigoat' > \ | 92 | verbose "$tid: ${_prefix} authorized_principals command=false" |
93 | $OBJ/authorized_principals_$USER | 93 | echo 'command="false" mekmitasdigoat' > \ |
94 | ${SSH} -2i $OBJ/cert_user_key \ | 94 | $OBJ/authorized_principals_$USER |
95 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 95 | ${SSH} -2i $OBJ/cert_user_key \ |
96 | if [ $? -eq 0 ]; then | 96 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
97 | fail "ssh cert connect succeeded unexpectedly" | 97 | if [ $? -eq 0 ]; then |
98 | fi | 98 | fail "ssh cert connect succeeded unexpectedly" |
99 | 99 | fi | |
100 | 100 | ||
101 | # authorized_principals with command=true | 101 | # authorized_principals with command=true |
102 | verbose "$tid: ${_prefix} authorized_principals command=true" | 102 | verbose "$tid: ${_prefix} authorized_principals command=true" |
103 | echo 'command="true" mekmitasdigoat' > \ | 103 | echo 'command="true" mekmitasdigoat' > \ |
104 | $OBJ/authorized_principals_$USER | 104 | $OBJ/authorized_principals_$USER |
105 | ${SSH} -2i $OBJ/cert_user_key \ | 105 | ${SSH} -2i $OBJ/cert_user_key \ |
106 | -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 | 106 | -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 |
107 | if [ $? -ne 0 ]; then | 107 | if [ $? -ne 0 ]; then |
108 | fail "ssh cert connect failed" | 108 | fail "ssh cert connect failed" |
109 | fi | 109 | fi |
110 | 110 | ||
111 | # Setup for principals= key option | 111 | # Setup for principals= key option |
112 | rm -f $OBJ/authorized_principals_$USER | 112 | rm -f $OBJ/authorized_principals_$USER |
113 | ( | 113 | ( |
114 | cat $OBJ/sshd_proxy_bak | 114 | cat $OBJ/sshd_proxy_bak |
115 | echo "UsePrivilegeSeparation $privsep" | 115 | echo "UsePrivilegeSeparation $privsep" |
116 | ) > $OBJ/sshd_proxy | 116 | ) > $OBJ/sshd_proxy |
117 | 117 | ||
118 | # Wrong principals list | 118 | # Wrong principals list |
119 | verbose "$tid: ${_prefix} wrong principals key option" | 119 | verbose "$tid: ${_prefix} wrong principals key option" |
120 | ( | 120 | ( |
121 | printf 'cert-authority,principals="gregorsamsa" ' | 121 | printf 'cert-authority,principals="gregorsamsa" ' |
122 | cat $OBJ/user_ca_key.pub | 122 | cat $OBJ/user_ca_key.pub |
123 | ) > $OBJ/authorized_keys_$USER | 123 | ) > $OBJ/authorized_keys_$USER |
124 | ${SSH} -2i $OBJ/cert_user_key \ | 124 | ${SSH} -2i $OBJ/cert_user_key \ |
125 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 125 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
126 | if [ $? -eq 0 ]; then | 126 | if [ $? -eq 0 ]; then |
127 | fail "ssh cert connect succeeded unexpectedly" | 127 | fail "ssh cert connect succeeded unexpectedly" |
128 | fi | 128 | fi |
129 | 129 | ||
130 | # Correct principals list | 130 | # Correct principals list |
131 | verbose "$tid: ${_prefix} correct principals key option" | 131 | verbose "$tid: ${_prefix} correct principals key option" |
132 | ( | 132 | ( |
133 | printf 'cert-authority,principals="mekmitasdigoat" ' | 133 | printf 'cert-authority,principals="mekmitasdigoat" ' |
134 | cat $OBJ/user_ca_key.pub | 134 | cat $OBJ/user_ca_key.pub |
135 | ) > $OBJ/authorized_keys_$USER | 135 | ) > $OBJ/authorized_keys_$USER |
136 | ${SSH} -2i $OBJ/cert_user_key \ | 136 | ${SSH} -2i $OBJ/cert_user_key \ |
137 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 137 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
138 | if [ $? -ne 0 ]; then | 138 | if [ $? -ne 0 ]; then |
139 | fail "ssh cert connect failed" | 139 | fail "ssh cert connect failed" |
140 | fi | 140 | fi |
141 | done | 141 | done |
142 | else | ||
143 | echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \ | ||
144 | "(/var/run mounted noexec?)" | ||
145 | fi | ||