blob: 9588e0b6b438f5551c3508147ee6d6e21ca41ef2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
|
# $OpenBSD: cert-userkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
# Placed in the Public Domain.
tid="certified user keys"
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
# Create a CA key and add it to authorized_keys
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
fail "ssh-keygen of user_ca_key failed"
(
echon 'cert-authority '
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
# Generate and sign user keys
for ktype in rsa dsa ; do
verbose "$tid: sign user ${ktype} cert"
${SSHKEYGEN} -q -N '' -t ${ktype} \
-f $OBJ/cert_user_key_${ktype} || \
fail "ssh-keygen of cert_user_key_${ktype} failed"
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
"regress user key for $USER" \
-n $USER $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}"
done
# Basic connect tests
for privsep in yes no ; do
for ktype in rsa dsa ; do
verbose "$tid: user ${ktype} cert connect privsep $privsep"
(
cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep"
) > $OBJ/sshd_proxy
${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
somehost true
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
fi
done
done
verbose "$tid: ensure CA key does not authenticate user"
${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect with CA key succeeded unexpectedly"
fi
test_one() {
ident=$1
result=$2
sign_opts=$3
verbose "$tid: test user cert connect $ident expect $result"
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
$sign_opts \
$OBJ/cert_user_key_rsa ||
fail "couldn't sign cert_user_key_rsa"
${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
somehost true >/dev/null 2>&1
rc=$?
if [ "x$result" = "xsuccess" ] ; then
if [ $rc -ne 0 ]; then
fail "ssh cert connect $ident failed unexpectedly"
fi
else
if [ $rc -eq 0 ]; then
fail "ssh cert connect $ident succeeded unexpectedly"
fi
fi
cleanup
}
test_one "host-certificate" failure "-h"
test_one "empty principals" success ""
test_one "wrong principals" failure "-n foo"
test_one "cert not yet valid" failure "-V20200101:20300101"
test_one "cert expired" failure "-V19800101:19900101"
test_one "cert valid interval" success "-V-1w:+2w"
test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8"
test_one "force-command" failure "-Oforce-command=false"
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
|
