# $OpenBSD: agent.sh,v 1.17 2019/12/21 02:33:07 djm Exp $ # Placed in the Public Domain. tid="simple agent test" SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1 if [ $? -ne 2 ]; then fail "ssh-add -l did not fail with exit code 2" fi trace "start agent, args ${EXTRA_AGENT_ARGS} -s" eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null r=$? if [ $r -ne 0 ]; then fatal "could not start ssh-agent: exit code $r" fi eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s | sed 's/SSH_/FW_SSH_/g'` > /dev/null r=$? if [ $r -ne 0 ]; then fatal "could not start second ssh-agent: exit code $r" fi ${SSHADD} -l > /dev/null 2>&1 if [ $? -ne 1 ]; then fail "ssh-add -l did not fail with exit code 1" fi rm -f $OBJ/user_ca_key $OBJ/user_ca_key.pub ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \ || fatal "ssh-keygen failed" trace "overwrite authorized keys" printf '' > $OBJ/authorized_keys_$USER for t in ${SSH_KEYTYPES}; do # generate user key for agent rm -f $OBJ/$t-agent $OBJ/$t-agent.pub* ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\ fatal "ssh-keygen for $t-agent failed" # Make a certificate for each too. ${SSHKEYGEN} -qs $OBJ/user_ca_key -I "$t cert" \ -n estragon $OBJ/$t-agent.pub || fatal "ca sign failed" # add to authorized keys cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER # add private key to agent ${SSHADD} $OBJ/$t-agent #> /dev/null 2>&1 if [ $? -ne 0 ]; then fail "ssh-add failed exit code $?" fi # add private key to second agent SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} $OBJ/$t-agent #> /dev/null 2>&1 if [ $? -ne 0 ]; then fail "ssh-add failed exit code $?" fi # Remove private key to ensure that we aren't accidentally using it. rm -f $OBJ/$t-agent done # Remove explicit identity directives from ssh_proxy mv $OBJ/ssh_proxy $OBJ/ssh_proxy_bak grep -vi identityfile $OBJ/ssh_proxy_bak > $OBJ/ssh_proxy ${SSHADD} -l > /dev/null 2>&1 r=$? if [ $r -ne 0 ]; then fail "ssh-add -l failed: exit code $r" fi # the same for full pubkey output ${SSHADD} -L > /dev/null 2>&1 r=$? if [ $r -ne 0 ]; then fail "ssh-add -L failed: exit code $r" fi trace "simple connect via agent" ${SSH} -F $OBJ/ssh_proxy somehost exit 52 r=$? if [ $r -ne 52 ]; then fail "ssh connect with failed (exit code $r)" fi for t in ${SSH_KEYTYPES}; do trace "connect via agent using $t key" if [ "$t" = "ssh-dss" ]; then echo "PubkeyAcceptedKeyTypes +ssh-dss" >> $OBJ/ssh_proxy echo "PubkeyAcceptedKeyTypes +ssh-dss" >> $OBJ/sshd_proxy fi ${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub -oIdentitiesOnly=yes \ somehost exit 52 r=$? if [ $r -ne 52 ]; then fail "ssh connect with failed (exit code $r)" fi done trace "agent forwarding" ${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 r=$? if [ $r -ne 0 ]; then fail "ssh-add -l via agent fwd failed (exit code $r)" fi ${SSH} "-oForwardAgent=$SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 r=$? if [ $r -ne 0 ]; then fail "ssh-add -l via agent path fwd failed (exit code $r)" fi ${SSH} -A -F $OBJ/ssh_proxy somehost \ "${SSH} -F $OBJ/ssh_proxy somehost exit 52" r=$? if [ $r -ne 52 ]; then fail "agent fwd failed (exit code $r)" fi trace "agent forwarding different agent" ${SSH} "-oForwardAgent=$FW_SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 r=$? if [ $r -ne 0 ]; then fail "ssh-add -l via agent path fwd of different agent failed (exit code $r)" fi ${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 r=$? if [ $r -ne 0 ]; then fail "ssh-add -l via agent path env fwd of different agent failed (exit code $r)" fi # Remove keys from forwarded agent, ssh-add on remote machine should now fail. SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} -D > /dev/null 2>&1 r=$? if [ $r -ne 0 ]; then fail "ssh-add -D failed: exit code $r" fi ${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 r=$? if [ $r -ne 1 ]; then fail "ssh-add -l with different agent did not fail with exit code 1 (exit code $r)" fi (printf 'cert-authority,principals="estragon" '; cat $OBJ/user_ca_key.pub) \ > $OBJ/authorized_keys_$USER for t in ${SSH_KEYTYPES}; do if [ "$t" != "ssh-dss" ]; then trace "connect via agent using $t key" ${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub \ -oCertificateFile=$OBJ/$t-agent-cert.pub \ -oIdentitiesOnly=yes somehost exit 52 r=$? if [ $r -ne 52 ]; then fail "ssh connect with failed (exit code $r)" fi fi done trace "delete all agent keys" ${SSHADD} -D > /dev/null 2>&1 r=$? if [ $r -ne 0 ]; then fail "ssh-add -D failed: exit code $r" fi trace "kill agent" ${SSHAGENT} -k > /dev/null SSH_AGENT_PID=$FW_SSH_AGENT_PID ${SSHAGENT} -k > /dev/null