From 3bcce80b544174b70dfd6e0a4e9f1488ca6fa69b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 21 May 2010 14:48:16 +1000 Subject: - djm@cvs.openbsd.org 2010/05/07 11:31:26 [regress/Makefile regress/cert-userkey.sh] regress tests for AuthorizedPrincipalsFile and "principals=" key option. feedback and ok markus@ --- regress/cert-userkey.sh | 117 +++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 112 insertions(+), 5 deletions(-) (limited to 'regress/cert-userkey.sh') diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 88d6d70a4..8fd1b48db 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $ +# $OpenBSD: cert-userkey.sh,v 1.5 2010/05/07 11:31:26 djm Exp $ # Placed in the Public Domain. tid="certified user keys" @@ -18,16 +18,100 @@ for ktype in rsa dsa ; do fail "ssh-keygen of cert_user_key_${ktype} failed" ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \ "regress user key for $USER" \ - -n $USER $OBJ/cert_user_key_${ktype} || + -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ "regress user key for $USER" \ - -n $USER $OBJ/cert_user_key_${ktype}_v00 || + -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || fail "couldn't sign cert_user_key_${ktype}_v00" done +# Test explicitly-specified principals +for ktype in rsa dsa rsa_v00 dsa_v00 ; do + for privsep in yes no ; do + _prefix="${ktype} privsep $privsep" + + # Setup for AuthorizedPrincipalsFile + rm -f $OBJ/authorized_keys_$USER + ( + cat $OBJ/sshd_proxy_bak + echo "UsePrivilegeSeparation $privsep" + echo "AuthorizedPrincipalsFile " \ + "$OBJ/authorized_principals_%u" + echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" + ) > $OBJ/sshd_proxy + + # Missing authorized_principals + verbose "$tid: ${_prefix} missing authorized_principals" + rm -f $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Empty authorized_principals + verbose "$tid: ${_prefix} empty authorized_principals" + echo > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Wrong authorized_principals + verbose "$tid: ${_prefix} wrong authorized_principals" + echo gregorsamsa > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Correct authorized_principals + verbose "$tid: ${_prefix} correct authorized_principals" + echo mekmitasdigoat > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + + # Setup for principals= key option + rm -f $OBJ/authorized_principals_$USER + ( + cat $OBJ/sshd_proxy_bak + echo "UsePrivilegeSeparation $privsep" + ) > $OBJ/sshd_proxy + + # Wrong principals list + verbose "$tid: ${_prefix} wrong principals key option" + ( + echon 'cert-authority,principals="gregorsamsa" ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Correct principals list + verbose "$tid: ${_prefix} correct principals key option" + ( + echon 'cert-authority,principals="mekmitasdigoat" ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + done +done + basic_tests() { auth=$1 if test "x$auth" = "xauthorized_keys" ; then @@ -108,6 +192,7 @@ test_one() { result=$2 sign_opts=$3 auth_choice=$4 + auth_opt=$5 if test "x$auth_choice" = "x" ; then auth_choice="authorized_keys TrustedUserCAKeys" @@ -119,14 +204,16 @@ test_one() { if test "x$auth" = "xauthorized_keys" ; then # Add CA to authorized_keys ( - echon 'cert-authority ' + echon "cert-authority${auth_opt} " cat $OBJ/user_ca_key.pub ) > $OBJ/authorized_keys_$USER else echo > $OBJ/authorized_keys_$USER echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ >> $OBJ/sshd_proxy - + if test "x$auth_opt" != "x" ; then + echo $auth_opt >> $OBJ/sshd_proxy + fi fi verbose "$tid: $ident auth $auth expect $result $ktype" @@ -165,7 +252,26 @@ test_one "force-command" failure "-n ${USER} -Oforce-command=false" test_one "empty principals" success "" authorized_keys test_one "empty principals" failure "" TrustedUserCAKeys +# Check explicitly-specified principals: an empty principals list in the cert +# should always be refused. + +# AuthorizedPrincipalsFile +rm -f $OBJ/authorized_keys_$USER +echo mekmitasdigoat > $OBJ/authorized_principals_$USER +test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \ + TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" +test_one "AuthorizedPrincipalsFile no principals" failure "" \ + TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" + +# principals= key option +rm -f $OBJ/authorized_principals_$USER +test_one "principals key option principals" success "-n mekmitasdigoat" \ + authorized_keys ',principals="mekmitasdigoat"' +test_one "principals key option no principals" failure "" \ + authorized_keys ',principals="mekmitasdigoat"' + # Wrong certificate +cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy for ktype in rsa dsa rsa_v00 dsa_v00 ; do case $ktype in *_v00) args="-t v00" ;; @@ -185,4 +291,5 @@ for ktype in rsa dsa rsa_v00 dsa_v00 ; do done rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* +rm -f $OBJ/authorized_principals_$USER -- cgit v1.2.3