1 # $OpenBSD: cert-userkey.sh,v 1.17 2016/11/30 03:01:33 djm Exp $ 2 # Placed in the Public Domain. 3 4 tid="certified user keys" 5 6 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* 7 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 8 cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak 9 10 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` 11 12 if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then 13 PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" 14 fi 15 16 kname() { 17 case $ktype in 18 rsa-sha2-*) ;; 19 # subshell because some seds will add a newline 20 *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;; 21 esac 22 echo "$n*,ssh-rsa*,ssh-ed25519*" 23 } 24 25 # Create a CA key 26 ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ 27 fail "ssh-keygen of user_ca_key failed" 28 29 # Generate and sign user keys 30 for ktype in $PLAIN_TYPES $EXTRA_TYPES ; do 31 verbose "$tid: sign user ${ktype} cert" 32 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 33 -f $OBJ/cert_user_key_${ktype} || \ 34 fatal "ssh-keygen of cert_user_key_${ktype} failed" 35 # Generate RSA/SHA2 certs for rsa-sha2* keys. 36 case $ktype in 37 rsa-sha2-*) tflag="-t $ktype" ;; 38 *) tflag="" ;; 39 esac 40 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -z $$ \ 41 -I "regress user key for $USER" \ 42 -n ${USER},mekmitasdigoat $tflag $OBJ/cert_user_key_${ktype} || \ 43 fatal "couldn't sign cert_user_key_${ktype}" 44 done 45 46 # Test explicitly-specified principals 47 for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do 48 t=$(kname $ktype) 49 for privsep in yes no ; do 50 _prefix="${ktype} privsep $privsep" 51 52 # Setup for AuthorizedPrincipalsFile 53 rm -f $OBJ/authorized_keys_$USER 54 ( 55 cat $OBJ/sshd_proxy_bak 56 echo "UsePrivilegeSeparation $privsep" 57 echo "AuthorizedPrincipalsFile " \ 58 "$OBJ/authorized_principals_%u" 59 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" 60 echo "PubkeyAcceptedKeyTypes ${t}" 61 ) > $OBJ/sshd_proxy 62 ( 63 cat $OBJ/ssh_proxy_bak 64 echo "PubkeyAcceptedKeyTypes ${t}" 65 ) > $OBJ/ssh_proxy 66 67 # Missing authorized_principals 68 verbose "$tid: ${_prefix} missing authorized_principals" 69 rm -f $OBJ/authorized_principals_$USER 70 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 71 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 72 if [ $? -eq 0 ]; then 73 fail "ssh cert connect succeeded unexpectedly" 74 fi 75 76 # Empty authorized_principals 77 verbose "$tid: ${_prefix} empty authorized_principals" 78 echo > $OBJ/authorized_principals_$USER 79 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 80 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 81 if [ $? -eq 0 ]; then 82 fail "ssh cert connect succeeded unexpectedly" 83 fi 84 85 # Wrong authorized_principals 86 verbose "$tid: ${_prefix} wrong authorized_principals" 87 echo gregorsamsa > $OBJ/authorized_principals_$USER 88 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 89 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 90 if [ $? -eq 0 ]; then 91 fail "ssh cert connect succeeded unexpectedly" 92 fi 93 94 # Correct authorized_principals 95 verbose "$tid: ${_prefix} correct authorized_principals" 96 echo mekmitasdigoat > $OBJ/authorized_principals_$USER 97 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 98 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 99 if [ $? -ne 0 ]; then 100 fail "ssh cert connect failed" 101 fi 102 103 # authorized_principals with bad key option 104 verbose "$tid: ${_prefix} authorized_principals bad key opt" 105 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER 106 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 107 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 108 if [ $? -eq 0 ]; then 109 fail "ssh cert connect succeeded unexpectedly" 110 fi 111 112 # authorized_principals with command=false 113 verbose "$tid: ${_prefix} authorized_principals command=false" 114 echo 'command="false" mekmitasdigoat' > \ 115 $OBJ/authorized_principals_$USER 116 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 117 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 118 if [ $? -eq 0 ]; then 119 fail "ssh cert connect succeeded unexpectedly" 120 fi 121 122 123 # authorized_principals with command=true 124 verbose "$tid: ${_prefix} authorized_principals command=true" 125 echo 'command="true" mekmitasdigoat' > \ 126 $OBJ/authorized_principals_$USER 127 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 128 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 129 if [ $? -ne 0 ]; then 130 fail "ssh cert connect failed" 131 fi 132 133 # Setup for principals= key option 134 rm -f $OBJ/authorized_principals_$USER 135 ( 136 cat $OBJ/sshd_proxy_bak 137 echo "UsePrivilegeSeparation $privsep" 138 echo "PubkeyAcceptedKeyTypes ${t}" 139 ) > $OBJ/sshd_proxy 140 ( 141 cat $OBJ/ssh_proxy_bak 142 echo "PubkeyAcceptedKeyTypes ${t}" 143 ) > $OBJ/ssh_proxy 144 145 # Wrong principals list 146 verbose "$tid: ${_prefix} wrong principals key option" 147 ( 148 printf 'cert-authority,principals="gregorsamsa" ' 149 cat $OBJ/user_ca_key.pub 150 ) > $OBJ/authorized_keys_$USER 151 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 152 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 153 if [ $? -eq 0 ]; then 154 fail "ssh cert connect succeeded unexpectedly" 155 fi 156 157 # Correct principals list 158 verbose "$tid: ${_prefix} correct principals key option" 159 ( 160 printf 'cert-authority,principals="mekmitasdigoat" ' 161 cat $OBJ/user_ca_key.pub 162 ) > $OBJ/authorized_keys_$USER 163 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 164 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 165 if [ $? -ne 0 ]; then 166 fail "ssh cert connect failed" 167 fi 168 done 169 done 170 171 basic_tests() { 172 auth=$1 173 if test "x$auth" = "xauthorized_keys" ; then 174 # Add CA to authorized_keys 175 ( 176 printf 'cert-authority ' 177 cat $OBJ/user_ca_key.pub 178 ) > $OBJ/authorized_keys_$USER 179 else 180 echo > $OBJ/authorized_keys_$USER 181 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" 182 fi 183 184 for ktype in $PLAIN_TYPES ; do 185 t=$(kname $ktype) 186 for privsep in yes no ; do 187 _prefix="${ktype} privsep $privsep $auth" 188 # Simple connect 189 verbose "$tid: ${_prefix} connect" 190 ( 191 cat $OBJ/sshd_proxy_bak 192 echo "UsePrivilegeSeparation $privsep" 193 echo "PubkeyAcceptedKeyTypes ${t}" 194 echo "$extra_sshd" 195 ) > $OBJ/sshd_proxy 196 ( 197 cat $OBJ/ssh_proxy_bak 198 echo "PubkeyAcceptedKeyTypes ${t}" 199 ) > $OBJ/ssh_proxy 200 201 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 202 -F $OBJ/ssh_proxy somehost true 203 if [ $? -ne 0 ]; then 204 fail "ssh cert connect failed" 205 fi 206 207 # Revoked keys 208 verbose "$tid: ${_prefix} revoked key" 209 ( 210 cat $OBJ/sshd_proxy_bak 211 echo "UsePrivilegeSeparation $privsep" 212 echo "RevokedKeys $OBJ/cert_user_key_revoked" 213 echo "PubkeyAcceptedKeyTypes ${t}" 214 echo "$extra_sshd" 215 ) > $OBJ/sshd_proxy 216 cp $OBJ/cert_user_key_${ktype}.pub \ 217 $OBJ/cert_user_key_revoked 218 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 219 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 220 if [ $? -eq 0 ]; then 221 fail "ssh cert connect succeeded unexpecedly" 222 fi 223 verbose "$tid: ${_prefix} revoked via KRL" 224 rm $OBJ/cert_user_key_revoked 225 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \ 226 $OBJ/cert_user_key_${ktype}.pub 227 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 228 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 229 if [ $? -eq 0 ]; then 230 fail "ssh cert connect succeeded unexpecedly" 231 fi 232 verbose "$tid: ${_prefix} empty KRL" 233 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked 234 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 235 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 236 if [ $? -ne 0 ]; then 237 fail "ssh cert connect failed" 238 fi 239 done 240 241 # Revoked CA 242 verbose "$tid: ${ktype} $auth revoked CA key" 243 ( 244 cat $OBJ/sshd_proxy_bak 245 echo "RevokedKeys $OBJ/user_ca_key.pub" 246 echo "PubkeyAcceptedKeyTypes ${t}" 247 echo "$extra_sshd" 248 ) > $OBJ/sshd_proxy 249 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ 250 somehost true >/dev/null 2>&1 251 if [ $? -eq 0 ]; then 252 fail "ssh cert connect succeeded unexpecedly" 253 fi 254 done 255 256 verbose "$tid: $auth CA does not authenticate" 257 ( 258 cat $OBJ/sshd_proxy_bak 259 echo "PubkeyAcceptedKeyTypes ${t}" 260 echo "$extra_sshd" 261 ) > $OBJ/sshd_proxy 262 verbose "$tid: ensure CA key does not authenticate user" 263 ${SSH} -2i $OBJ/user_ca_key \ 264 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 265 if [ $? -eq 0 ]; then 266 fail "ssh cert connect with CA key succeeded unexpectedly" 267 fi 268 } 269 270 basic_tests authorized_keys 271 basic_tests TrustedUserCAKeys 272 273 test_one() { 274 ident=$1 275 result=$2 276 sign_opts=$3 277 auth_choice=$4 278 auth_opt=$5 279 280 if test "x$auth_choice" = "x" ; then 281 auth_choice="authorized_keys TrustedUserCAKeys" 282 fi 283 284 for auth in $auth_choice ; do 285 for ktype in rsa ed25519 ; do 286 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy 287 if test "x$auth" = "xauthorized_keys" ; then 288 # Add CA to authorized_keys 289 ( 290 printf "cert-authority${auth_opt} " 291 cat $OBJ/user_ca_key.pub 292 ) > $OBJ/authorized_keys_$USER 293 else 294 echo > $OBJ/authorized_keys_$USER 295 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ 296 >> $OBJ/sshd_proxy 297 echo "PubkeyAcceptedKeyTypes ${t}*" \ 298 >> $OBJ/sshd_proxy 299 if test "x$auth_opt" != "x" ; then 300 echo $auth_opt >> $OBJ/sshd_proxy 301 fi 302 fi 303 304 verbose "$tid: $ident auth $auth expect $result $ktype" 305 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ 306 -I "regress user key for $USER" \ 307 $sign_opts $OBJ/cert_user_key_${ktype} || 308 fail "couldn't sign cert_user_key_${ktype}" 309 310 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 311 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 312 rc=$? 313 if [ "x$result" = "xsuccess" ] ; then 314 if [ $rc -ne 0 ]; then 315 fail "$ident failed unexpectedly" 316 fi 317 else 318 if [ $rc -eq 0 ]; then 319 fail "$ident succeeded unexpectedly" 320 fi 321 fi 322 done 323 done 324 } 325 326 test_one "correct principal" success "-n ${USER}" 327 test_one "host-certificate" failure "-n ${USER} -h" 328 test_one "wrong principals" failure "-n foo" 329 test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101" 330 test_one "cert expired" failure "-n ${USER} -V19800101:19900101" 331 test_one "cert valid interval" success "-n ${USER} -V-1w:+2w" 332 test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8" 333 test_one "force-command" failure "-n ${USER} -Oforce-command=false" 334 335 # Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals 336 test_one "empty principals" success "" authorized_keys 337 test_one "empty principals" failure "" TrustedUserCAKeys 338 339 # Check explicitly-specified principals: an empty principals list in the cert 340 # should always be refused. 341 342 # AuthorizedPrincipalsFile 343 rm -f $OBJ/authorized_keys_$USER 344 echo mekmitasdigoat > $OBJ/authorized_principals_$USER 345 test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \ 346 TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" 347 test_one "AuthorizedPrincipalsFile no principals" failure "" \ 348 TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" 349 350 # principals= key option 351 rm -f $OBJ/authorized_principals_$USER 352 test_one "principals key option principals" success "-n mekmitasdigoat" \ 353 authorized_keys ',principals="mekmitasdigoat"' 354 test_one "principals key option no principals" failure "" \ 355 authorized_keys ',principals="mekmitasdigoat"' 356 357 # command= options vs. force-command in key 358 test_one "force-command match true" success \ 359 "-n ${USER} -Oforce-command=true" \ 360 authorized_keys ',command="true"' 361 test_one "force-command match true" failure \ 362 "-n ${USER} -Oforce-command=false" \ 363 authorized_keys ',command="false"' 364 test_one "force-command mismatch 1" failure \ 365 "-n ${USER} -Oforce-command=false" \ 366 authorized_keys ',command="true"' 367 test_one "force-command mismatch 2" failure \ 368 "-n ${USER} -Oforce-command=true" \ 369 authorized_keys ',command="false"' 370 371 # Wrong certificate 372 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy 373 for ktype in $PLAIN_TYPES ; do 374 t=$(kname $ktype) 375 # Self-sign 376 ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ 377 "regress user key for $USER" \ 378 -n $USER $OBJ/cert_user_key_${ktype} || 379 fatal "couldn't sign cert_user_key_${ktype}" 380 verbose "$tid: user ${ktype} connect wrong cert" 381 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ 382 somehost true >/dev/null 2>&1 383 if [ $? -eq 0 ]; then 384 fail "ssh cert connect $ident succeeded unexpectedly" 385 fi 386 done 387 388 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* 389 rm -f $OBJ/authorized_principals_$USER 390 391
