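#	$OpenBSD: principals-command.sh,v 1.3 2016/09/26 21:34:38 bluhm Exp $
#	Placed in the Public Domain.
#
# Regression test for sshd's AuthorizedPrincipalsCommand option and for the
# principals="..." key option on a cert-authority line.
#
# Relies on the surrounding test harness for $OBJ, $SSH, $SSHKEYGEN, $SUDO
# and the fatal/fail/verbose helpers; none of them are defined in this file.

tid="authorized principals command"

# Remove key material left by an earlier run and keep a pristine copy of
# the sshd configuration; each case below rebuilds sshd_proxy from it.
rm -f "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# The helper script is installed under /var/run, so the test needs either
# $SUDO or direct write access to that directory. Without both it is
# skipped (exit 0), not failed. Two separate tests replace the obsolescent
# and ambiguous "-a" operator of [.
if [ -z "$SUDO" ] && [ ! -w /var/run ]; then
	echo "skipped (SUDO not set)"
	echo "need SUDO to create file in /var/run, test won't work without"
	exit 0
fi

# The shell's PID doubles as the certificate serial number; the generated
# helper compares it with its fifth argument.
SERIAL=$$
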
     17 # Create a CA key and a user certificate.
     18 ${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key || \
     19 	fatal "ssh-keygen of user_ca_key failed"
     20 ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/cert_user_key || \
     21 	fatal "ssh-keygen of cert_user_key failed"
     22 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \
     23     -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
     24 	fatal "couldn't sign cert_user_key"
     25 
     26 CERT_BODY=`cat $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
     27 CA_BODY=`cat $OBJ/user_ca_key.pub | awk '{ print $2 }'`
     28 CERT_FP=`${SSHKEYGEN} -lf $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
     29 CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'`
     30 
     31 # Establish a AuthorizedPrincipalsCommand in /var/run where it will have
     32 # acceptable directory permissions.
     33 PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
     34 cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
     35 #!/bin/sh
     36 test "x\$1" != "x${LOGNAME}" && exit 1
     37 test "x\$2" != "xssh-rsa-cert-v01 (at] openssh.com" && exit 1
     38 test "x\$3" != "xssh-ed25519" && exit 1
     39 test "x\$4" != "xJoanne User" && exit 1
     40 test "x\$5" != "x${SERIAL}" && exit 1
     41 test "x\$6" != "x${CA_FP}" && exit 1
     42 test "x\$7" != "x${CERT_FP}" && exit 1
     43 test "x\$8" != "x${CERT_BODY}" && exit 1
     44 test "x\$9" != "x${CA_BODY}" && exit 1
     45 test -f "$OBJ/authorized_principals_${LOGNAME}" &&
     46 	exec cat "$OBJ/authorized_principals_${LOGNAME}"
     47 _EOF
     48 test $? -eq 0 || fatal "couldn't prepare principals command"
     49 $SUDO chmod 0755 "$PRINCIPALS_COMMAND"
     50 
     51 if ! $OBJ/check-perm -m keys-command $PRINCIPALS_COMMAND ; then
     52 	echo "skipping: $PRINCIPALS_COMMAND is unsuitable as " \
     53 	    "AuthorizedPrincipalsCommand"
     54 	$SUDO rm -f $PRINCIPALS_COMMAND
     55 	exit 0
     56 fi
     57 
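# Run every case twice, with privilege separation on and off. Each case
# only looks at the exit status of ssh (its output is discarded), so an
# authentication failure and a non-zero forced command look the same here.
#
# NOTE(review): the cases write authorized_principals_$USER while the
# generated helper reads authorized_principals_${LOGNAME}; the test is only
# meaningful when both variables name the same user.
if [ -x "$PRINCIPALS_COMMAND" ]; then
	# Test explicitly-specified principals
	for privsep in yes no ; do
		_prefix="privsep $privsep"

		# Setup for AuthorizedPrincipalsCommand: no authorized_keys
		# at all, so acceptance can only come from the CA plus the
		# principals printed by the helper.
		rm -f "$OBJ/authorized_keys_$USER"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "UsePrivilegeSeparation $privsep"
			echo "AuthorizedKeysFile none"
			echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
			    "%u %t %T %i %s %F %f %k %K"
			echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
		) > "$OBJ/sshd_proxy"

		# XXX test missing command
		# XXX test failing command

		# Empty authorized_principals (a single blank line): the
		# login must be refused.
		verbose "$tid: ${_prefix} empty authorized_principals"
		echo > "$OBJ/authorized_principals_$USER"
		if ${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Wrong authorized_principals: a name that is not in the
		# certificate must not grant access.
		verbose "$tid: ${_prefix} wrong authorized_principals"
		echo gregorsamsa > "$OBJ/authorized_principals_$USER"
		if ${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct authorized_principals
		verbose "$tid: ${_prefix} correct authorized_principals"
		echo mekmitasdigoat > "$OBJ/authorized_principals_$USER"
		if ! ${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
			fail "ssh cert connect failed"
		fi

		# authorized_principals with bad key option: the matching
		# principal is preceded by an unrecognised option and the
		# line must not be honoured.
		verbose "$tid: ${_prefix} authorized_principals bad key opt"
		echo 'blah mekmitasdigoat' > "$OBJ/authorized_principals_$USER"
		if ${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=false: the client asks
		# for "true", so a zero status would mean the forced command
		# was not applied.
		verbose "$tid: ${_prefix} authorized_principals command=false"
		echo 'command="false" mekmitasdigoat' > \
		    "$OBJ/authorized_principals_$USER"
		if ${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=true: the client asks
		# for "false", so a zero status shows the forced command
		# replaced the requested one.
		verbose "$tid: ${_prefix} authorized_principals command=true"
		echo 'command="true" mekmitasdigoat' > \
		    "$OBJ/authorized_principals_$USER"
		if ! ${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost false >/dev/null 2>&1; then
			fail "ssh cert connect failed"
		fi

		# Setup for principals= key option: drop the principals
		# file and the command/CA settings, so the CA is trusted
		# only through the cert-authority line in authorized_keys.
		rm -f "$OBJ/authorized_principals_$USER"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "UsePrivilegeSeparation $privsep"
		) > "$OBJ/sshd_proxy"

		# Wrong principals list
		verbose "$tid: ${_prefix} wrong principals key option"
		(
			printf 'cert-authority,principals="gregorsamsa" '
			cat "$OBJ/user_ca_key.pub"
		) > "$OBJ/authorized_keys_$USER"
		if ${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct principals list
		verbose "$tid: ${_prefix} correct principals key option"
		(
			printf 'cert-authority,principals="mekmitasdigoat" '
			cat "$OBJ/user_ca_key.pub"
		) > "$OBJ/authorized_keys_$USER"
		if ! ${SSH} -2i "$OBJ/cert_user_key" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
			fail "ssh cert connect failed"
		fi
	done
	# NOTE(review): nothing in this file removes $PRINCIPALS_COMMAND from
	# /var/run or restores sshd_proxy from sshd_proxy_bak once the loop
	# is done; confirm whether the harness takes care of that.
else
	echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
	    "(/var/run mounted noexec?)"
fi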