summaryrefslogtreecommitdiff
path: root/regress
diff options
context:
space:
mode:
Diffstat (limited to 'regress')
-rw-r--r--regress/principals-command.sh222
1 files changed, 113 insertions, 109 deletions
diff --git a/regress/principals-command.sh b/regress/principals-command.sh
index 90064373d..b90a8cf2c 100644
--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@@ -14,15 +14,15 @@ fi
14 14
15# Establish a AuthorizedPrincipalsCommand in /var/run where it will have 15# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
16# acceptable directory permissions. 16# acceptable directory permissions.
17PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}" 17PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
18cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" 18cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
19#!/bin/sh 19#!/bin/sh
20test "x\$1" != "x${LOGNAME}" && exit 1 20test "x\$1" != "x${LOGNAME}" && exit 1
21test -f "$OBJ/authorized_principals_${LOGNAME}" && 21test -f "$OBJ/authorized_principals_${LOGNAME}" &&
22 exec cat "$OBJ/authorized_principals_${LOGNAME}" 22 exec cat "$OBJ/authorized_principals_${LOGNAME}"
23_EOF 23_EOF
24test $? -eq 0 || fatal "couldn't prepare principals command" 24test $? -eq 0 || fatal "couldn't prepare principals command"
25$SUDO chmod 0755 "$PRINCIPALS_COMMAND" 25$SUDO chmod 0755 "$PRINCIPALS_CMD"
26 26
27# Create a CA key and a user certificate. 27# Create a CA key and a user certificate.
28${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ 28${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
@@ -33,109 +33,113 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
33 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ 33 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
34 fatal "couldn't sign cert_user_key" 34 fatal "couldn't sign cert_user_key"
35 35
36# Test explicitly-specified principals 36if [ -x $PRINCIPALS_CMD ]; then
37for privsep in yes no ; do 37 # Test explicitly-specified principals
38 _prefix="privsep $privsep" 38 for privsep in yes no ; do
39 39 _prefix="privsep $privsep"
40 # Setup for AuthorizedPrincipalsCommand 40
41 rm -f $OBJ/authorized_keys_$USER 41 # Setup for AuthorizedPrincipalsCommand
42 ( 42 rm -f $OBJ/authorized_keys_$USER
43 cat $OBJ/sshd_proxy_bak 43 (
44 echo "UsePrivilegeSeparation $privsep" 44 cat $OBJ/sshd_proxy_bak
45 echo "AuthorizedKeysFile none" 45 echo "UsePrivilegeSeparation $privsep"
46 echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u" 46 echo "AuthorizedKeysFile none"
47 echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" 47 echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
48 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" 48 echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
49 ) > $OBJ/sshd_proxy 49 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
50 50 ) > $OBJ/sshd_proxy
51 # XXX test missing command 51
52 # XXX test failing command 52 # XXX test missing command
53 53 # XXX test failing command
54 # Empty authorized_principals 54
55 verbose "$tid: ${_prefix} empty authorized_principals" 55 # Empty authorized_principals
56 echo > $OBJ/authorized_principals_$USER 56 verbose "$tid: ${_prefix} empty authorized_principals"
57 ${SSH} -2i $OBJ/cert_user_key \ 57 echo > $OBJ/authorized_principals_$USER
58 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 58 ${SSH} -2i $OBJ/cert_user_key \
59 if [ $? -eq 0 ]; then 59 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
60 fail "ssh cert connect succeeded unexpectedly" 60 if [ $? -eq 0 ]; then
61 fi 61 fail "ssh cert connect succeeded unexpectedly"
62 62 fi
63 # Wrong authorized_principals 63
64 verbose "$tid: ${_prefix} wrong authorized_principals" 64 # Wrong authorized_principals
65 echo gregorsamsa > $OBJ/authorized_principals_$USER 65 verbose "$tid: ${_prefix} wrong authorized_principals"
66 ${SSH} -2i $OBJ/cert_user_key \ 66 echo gregorsamsa > $OBJ/authorized_principals_$USER
67 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 67 ${SSH} -2i $OBJ/cert_user_key \
68 if [ $? -eq 0 ]; then 68 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
69 fail "ssh cert connect succeeded unexpectedly" 69 if [ $? -eq 0 ]; then
70 fi 70 fail "ssh cert connect succeeded unexpectedly"
71 71 fi
72 # Correct authorized_principals 72
73 verbose "$tid: ${_prefix} correct authorized_principals" 73 # Correct authorized_principals
74 echo mekmitasdigoat > $OBJ/authorized_principals_$USER 74 verbose "$tid: ${_prefix} correct authorized_principals"
75 ${SSH} -2i $OBJ/cert_user_key \ 75 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
76 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 76 ${SSH} -2i $OBJ/cert_user_key \
77 if [ $? -ne 0 ]; then 77 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
78 fail "ssh cert connect failed" 78 if [ $? -ne 0 ]; then
79 fi 79 fail "ssh cert connect failed"
80 80 fi
81 # authorized_principals with bad key option 81
82 verbose "$tid: ${_prefix} authorized_principals bad key opt" 82 # authorized_principals with bad key option
83 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER 83 verbose "$tid: ${_prefix} authorized_principals bad key opt"
84 ${SSH} -2i $OBJ/cert_user_key \ 84 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
85 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 85 ${SSH} -2i $OBJ/cert_user_key \
86 if [ $? -eq 0 ]; then 86 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
87 fail "ssh cert connect succeeded unexpectedly" 87 if [ $? -eq 0 ]; then
88 fi 88 fail "ssh cert connect succeeded unexpectedly"
89 89 fi
90 # authorized_principals with command=false 90
91 verbose "$tid: ${_prefix} authorized_principals command=false" 91 # authorized_principals with command=false
92 echo 'command="false" mekmitasdigoat' > \ 92 verbose "$tid: ${_prefix} authorized_principals command=false"
93 $OBJ/authorized_principals_$USER 93 echo 'command="false" mekmitasdigoat' > \
94 ${SSH} -2i $OBJ/cert_user_key \ 94 $OBJ/authorized_principals_$USER
95 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 95 ${SSH} -2i $OBJ/cert_user_key \
96 if [ $? -eq 0 ]; then 96 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
97 fail "ssh cert connect succeeded unexpectedly" 97 if [ $? -eq 0 ]; then
98 fi 98 fail "ssh cert connect succeeded unexpectedly"
99 99 fi
100 100
101 # authorized_principals with command=true 101 # authorized_principals with command=true
102 verbose "$tid: ${_prefix} authorized_principals command=true" 102 verbose "$tid: ${_prefix} authorized_principals command=true"
103 echo 'command="true" mekmitasdigoat' > \ 103 echo 'command="true" mekmitasdigoat' > \
104 $OBJ/authorized_principals_$USER 104 $OBJ/authorized_principals_$USER
105 ${SSH} -2i $OBJ/cert_user_key \ 105 ${SSH} -2i $OBJ/cert_user_key \
106 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 106 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
107 if [ $? -ne 0 ]; then 107 if [ $? -ne 0 ]; then
108 fail "ssh cert connect failed" 108 fail "ssh cert connect failed"
109 fi 109 fi
110 110
111 # Setup for principals= key option 111 # Setup for principals= key option
112 rm -f $OBJ/authorized_principals_$USER 112 rm -f $OBJ/authorized_principals_$USER
113 ( 113 (
114 cat $OBJ/sshd_proxy_bak 114 cat $OBJ/sshd_proxy_bak
115 echo "UsePrivilegeSeparation $privsep" 115 echo "UsePrivilegeSeparation $privsep"
116 ) > $OBJ/sshd_proxy 116 ) > $OBJ/sshd_proxy
117 117
118 # Wrong principals list 118 # Wrong principals list
119 verbose "$tid: ${_prefix} wrong principals key option" 119 verbose "$tid: ${_prefix} wrong principals key option"
120 ( 120 (
121 printf 'cert-authority,principals="gregorsamsa" ' 121 printf 'cert-authority,principals="gregorsamsa" '
122 cat $OBJ/user_ca_key.pub 122 cat $OBJ/user_ca_key.pub
123 ) > $OBJ/authorized_keys_$USER 123 ) > $OBJ/authorized_keys_$USER
124 ${SSH} -2i $OBJ/cert_user_key \ 124 ${SSH} -2i $OBJ/cert_user_key \
125 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 125 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
126 if [ $? -eq 0 ]; then 126 if [ $? -eq 0 ]; then
127 fail "ssh cert connect succeeded unexpectedly" 127 fail "ssh cert connect succeeded unexpectedly"
128 fi 128 fi
129 129
130 # Correct principals list 130 # Correct principals list
131 verbose "$tid: ${_prefix} correct principals key option" 131 verbose "$tid: ${_prefix} correct principals key option"
132 ( 132 (
133 printf 'cert-authority,principals="mekmitasdigoat" ' 133 printf 'cert-authority,principals="mekmitasdigoat" '
134 cat $OBJ/user_ca_key.pub 134 cat $OBJ/user_ca_key.pub
135 ) > $OBJ/authorized_keys_$USER 135 ) > $OBJ/authorized_keys_$USER
136 ${SSH} -2i $OBJ/cert_user_key \ 136 ${SSH} -2i $OBJ/cert_user_key \
137 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 137 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
138 if [ $? -ne 0 ]; then 138 if [ $? -ne 0 ]; then
139 fail "ssh cert connect failed" 139 fail "ssh cert connect failed"
140 fi 140 fi
141done 141 done
142else
143 echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
144 "(/var/run mounted noexec?)"
145fi