      1 #	$OpenBSD: cert-file.sh,v 1.5 2017/03/11 23:44:16 djm Exp $
      2 #	Placed in the Public Domain.
      3 
      4 tid="ssh with certificates"
      5 
      6 rm -f $OBJ/user_ca_key* $OBJ/user_key*
      7 rm -f $OBJ/cert_user_key*
      8 
      9 # Create a CA key
     10 ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key1 ||\
     11 	fatal "ssh-keygen failed"
     12 ${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key2 ||\
     13 	fatal "ssh-keygen failed"
     14 
     15 # Make some keys and certificates.
     16 ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \
     17 	fatal "ssh-keygen failed"
     18 ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \
     19 	fatal "ssh-keygen failed"
     20 ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key3 || \
     21 	fatal "ssh-keygen failed"
     22 ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key4 || \
     23 	fatal "ssh-keygen failed"
     24 ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key5 || \
     25 	fatal "ssh-keygen failed"
     26 
     27 # Move the certificate to a different address to better control
     28 # when it is offered.
     29 ${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \
     30 	-z $$ -n ${USER} $OBJ/user_key1 ||
     31 		fatal "couldn't sign user_key1 with user_ca_key1"
     32 mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_1.pub
     33 ${SSHKEYGEN} -q -s $OBJ/user_ca_key2 -I "regress user key for $USER" \
     34 	-z $$ -n ${USER} $OBJ/user_key1 ||
     35 		fatal "couldn't sign user_key1 with user_ca_key2"
     36 mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub
     37 ${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \
     38 	-z $$ -n ${USER} $OBJ/user_key3 ||
     39 		fatal "couldn't sign user_key3 with user_ca_key1"
     40 rm $OBJ/user_key3.pub # to test use of private key w/o public half.
     41 ${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \
     42 	-z $$ -n ${USER} $OBJ/user_key4 ||
     43 		fatal "couldn't sign user_key4 with user_ca_key1"
     44 rm $OBJ/user_key4 $OBJ/user_key4.pub # to test no matching pub/private key case.
     45 
     46 trace 'try with identity files'
     47 opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
     48 opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2"
     49 echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER
     50 
     51 # Make a clean config that doesn't have any pre-added identities.
     52 cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config
     53 
     54 # XXX: verify that certificate used was what we expect. Needs exposure of
     55 # keys via enviornment variable or similar.
     56 
for p in ${SSH_PROTOCOLS}; do
	# Every remote command is "exit 5$p". Getting exactly that status
	# back shows that authentication succeeded and the command ran.
	# NOTE(review): the negative cases accept any other status as a
	# rejection, so an ssh failure unrelated to authentication would
	# also satisfy them; the positive cases in this loop are what show
	# that the setup itself works.

	# Key with no .pub should work - ssh finds the matching *-cert.pub.
	verbose "protocol $p: identity cert with no plain public file"
	${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
	    -i $OBJ/user_key3 somehost exit 5$p
	if [ $? -ne 5$p ]; then
		fail "ssh failed"
	fi

	# Naming the certificate explicitly must work as well when the
	# private key has no .pub file.
	verbose "protocol $p: CertificateFile with no plain public file"
	${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
	    -oCertificateFile=$OBJ/user_key3-cert.pub \
	    -i $OBJ/user_key3 somehost exit 5$p
	if [ $? -ne 5$p ]; then
		fail "ssh failed"
	fi

	# Negative: plain keys with no certificate at all must be refused.
	verbose "protocol $p: plain keys"
	${SSH} $opts2 somehost exit 5$p
	[ $? -eq 5$p ] &&
		fail "ssh succeeded with no certs in protocol $p"

	# Negative: a certificate signed by the untrusted CA
	# (user_ca_key2) must be refused.
	verbose "protocol $p: untrusted cert"
	${SSH} $opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub \
	    somehost exit 5$p
	[ $? -eq 5$p ] &&
		fail "ssh succeeded with bad cert in protocol $p"

	# Negative: a trusted certificate is useless without the private
	# key it was issued for; only user_key2 is offered here.
	verbose "protocol $p: good cert, bad key"
	${SSH} $opts -i $OBJ/user_key2 \
	    -oCertificateFile=$OBJ/cert_user_key1_1.pub \
	    somehost exit 5$p
	[ $? -eq 5$p ] &&
		fail "ssh succeeded with no matching key in protocol $p"

	# Positive: matching key plus one trusted certificate.
	verbose "protocol $p: single trusted"
	${SSH} $opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub \
	    somehost exit 5$p
	[ $? -ne 5$p ] &&
		fail "ssh failed with trusted cert and key in protocol $p"

	# Positive: untrusted certificate listed first, trusted one second;
	# the login must still go through.
	verbose "protocol $p: multiple trusted"
	${SSH} $opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub \
	    -oCertificateFile=$OBJ/cert_user_key1_1.pub \
	    somehost exit 5$p
	[ $? -ne 5$p ] &&
		fail "ssh failed with multiple certs in protocol $p"
done

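# Next, use an agent in combination with the keys.
# Sanity check first: with an agent socket that does not exist,
# "ssh-add -l" has to exit with status 2 (agent not reachable).
SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
if [ $? -ne 2 ]; then
	fatal "ssh-add -l did not fail with exit code 2"
fi

trace "start agent"
# Run ssh-agent in its own command substitution so that $? is the
# agent's exit status. When the agent output is fed straight into eval,
# $? is the status of eval, which is 0 when the agent printed nothing,
# so a failed start would go unnoticed.
agent_env=$(${SSHAGENT} -s)
r=$?
if [ $r -ne 0 ]; then
	fatal "could not start ssh-agent: exit code $r"
fi
# Import the environment settings printed by the agent into this shell.
eval "$agent_env" > /dev/null

# Add private keys to the agent. -k loads plain private keys only and
# skips certificates, so any certificate the client presents later has
# to come from an explicit CertificateFile option.
for _key in user_key2 user_key1; do
	${SSHADD} -k $OBJ/$_key > /dev/null 2>&1 ||
		fatal "ssh-add did not succeed with exit code 0"
done
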
# Try ssh with the agent and certificates.
# Note: ssh agent only uses certificates in protocol 2.
# $opts grows by one CertificateFile per step, so the last run offers
# the untrusted certificate first and the trusted one second.
opts="-F $OBJ/ssh_proxy"

# Agent keys with no certificate: should fail.
${SSH} -2 $opts somehost exit 52
[ $? -eq 52 ] &&
	fail "ssh connect with agent in protocol 2 succeeded with no cert"

# With a certificate from the untrusted CA: should fail.
opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub"
${SSH} -2 $opts somehost exit 52
[ $? -eq 52 ] &&
	fail "ssh connect with agent in protocol 2 succeeded with bad cert"

# With an additional trusted certificate: should succeed.
opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub"
${SSH} -2 $opts somehost exit 52
[ $? -ne 52 ] &&
	fail "ssh connect with agent in protocol 2 failed with good cert"

    164 trace "kill agent"
    165 ${SSHAGENT} -k > /dev/null
    166 
    167 #cleanup
    168 rm -f $OBJ/user_ca_key* $OBJ/user_key*
    169 rm -f $OBJ/cert_user_key*
    170