2021-09-30 07:26:26 +02:00
|
|
|
# $OpenBSD: principals-command.sh,v 1.14 2021/09/30 05:26:26 dtucker Exp $
|
2015-05-21 08:44:25 +02:00
|
|
|
# Placed in the Public Domain.
|
|
|
|
|
|
|
|
tid="authorized principals command"
|
|
|
|
|
|
|
|
rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
|
|
|
|
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
|
|
|
|
2016-09-26 23:34:38 +02:00
|
|
|
if [ -z "$SUDO" -a ! -w /var/run ]; then
|
2021-09-30 06:22:50 +02:00
|
|
|
skip "need SUDO to create file in /var/run, test won't work without"
|
2015-05-21 08:44:25 +02:00
|
|
|
fi
|
|
|
|
|
2019-12-16 03:39:05 +01:00
|
|
|
case "$SSH_KEYTYPES" in
|
2019-09-06 06:24:06 +02:00
|
|
|
*ssh-rsa*) userkeytype=rsa ;;
|
|
|
|
*) userkeytype=ed25519 ;;
|
|
|
|
esac
|
|
|
|
|
2016-09-21 03:35:12 +02:00
|
|
|
SERIAL=$$
|
|
|
|
|
|
|
|
# Create a CA key and a user certificate.
|
|
|
|
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
|
|
|
|
fatal "ssh-keygen of user_ca_key failed"
|
2019-09-06 06:24:06 +02:00
|
|
|
${SSHKEYGEN} -q -N '' -t ${userkeytype} -f $OBJ/cert_user_key || \
|
2016-09-21 03:35:12 +02:00
|
|
|
fatal "ssh-keygen of cert_user_key failed"
|
|
|
|
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \
|
|
|
|
-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
|
|
|
|
fatal "couldn't sign cert_user_key"
|
|
|
|
|
|
|
|
CERT_BODY=`cat $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
|
|
|
|
CA_BODY=`cat $OBJ/user_ca_key.pub | awk '{ print $2 }'`
|
|
|
|
CERT_FP=`${SSHKEYGEN} -lf $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
|
|
|
|
CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'`
|
|
|
|
|
2015-05-21 08:44:25 +02:00
|
|
|
# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
|
|
|
|
# acceptable directory permissions.
|
2018-11-22 09:48:32 +01:00
|
|
|
PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}.$$"
|
|
|
|
trap "$SUDO rm -f ${PRINCIPALS_COMMAND}" 0
|
2016-10-13 09:53:43 +02:00
|
|
|
cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
|
2015-05-21 08:44:25 +02:00
|
|
|
#!/bin/sh
|
|
|
|
test "x\$1" != "x${LOGNAME}" && exit 1
|
2019-09-06 06:24:06 +02:00
|
|
|
test "x\$2" != "xssh-${userkeytype}-cert-v01@openssh.com" && exit 1
|
2016-09-21 03:35:12 +02:00
|
|
|
test "x\$3" != "xssh-ed25519" && exit 1
|
|
|
|
test "x\$4" != "xJoanne User" && exit 1
|
|
|
|
test "x\$5" != "x${SERIAL}" && exit 1
|
|
|
|
test "x\$6" != "x${CA_FP}" && exit 1
|
|
|
|
test "x\$7" != "x${CERT_FP}" && exit 1
|
|
|
|
test "x\$8" != "x${CERT_BODY}" && exit 1
|
|
|
|
test "x\$9" != "x${CA_BODY}" && exit 1
|
2015-05-21 08:44:25 +02:00
|
|
|
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
|
|
|
|
exec cat "$OBJ/authorized_principals_${LOGNAME}"
|
|
|
|
_EOF
|
|
|
|
test $? -eq 0 || fatal "couldn't prepare principals command"
|
2016-10-13 09:53:43 +02:00
|
|
|
$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
|
2015-05-21 08:44:25 +02:00
|
|
|
|
2016-10-13 09:53:43 +02:00
|
|
|
if ! $OBJ/check-perm -m keys-command $PRINCIPALS_COMMAND ; then
|
|
|
|
echo "skipping: $PRINCIPALS_COMMAND is unsuitable as " \
|
2016-02-23 06:12:13 +01:00
|
|
|
"AuthorizedPrincipalsCommand"
|
2016-10-13 09:53:43 +02:00
|
|
|
$SUDO rm -f $PRINCIPALS_COMMAND
|
2016-02-23 06:12:13 +01:00
|
|
|
exit 0
|
|
|
|
fi
|
|
|
|
|
2021-09-30 07:20:08 +02:00
|
|
|
if [ ! -x $PRINCIPALS_COMMAND ]; then
|
|
|
|
skip "$PRINCIPALS_COMMAND not executable " \
|
2015-08-10 03:13:44 +02:00
|
|
|
"(/var/run mounted noexec?)"
|
|
|
|
fi
|
2021-09-30 07:20:08 +02:00
|
|
|
|
2021-09-30 07:26:26 +02:00
|
|
|
# Test explicitly-specified principals
|
|
|
|
# Setup for AuthorizedPrincipalsCommand
|
|
|
|
rm -f $OBJ/authorized_keys_$USER
|
|
|
|
(
|
|
|
|
cat $OBJ/sshd_proxy_bak
|
|
|
|
echo "AuthorizedKeysFile none"
|
|
|
|
echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
|
|
|
|
"%u %t %T %i %s %F %f %k %K"
|
|
|
|
echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
|
|
|
|
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
|
|
|
|
) > $OBJ/sshd_proxy
|
|
|
|
|
|
|
|
# XXX test missing command
|
|
|
|
# XXX test failing command
|
|
|
|
|
|
|
|
# Empty authorized_principals
|
|
|
|
verbose "$tid: empty authorized_principals"
|
|
|
|
echo > $OBJ/authorized_principals_$USER
|
|
|
|
${SSH} -i $OBJ/cert_user_key \
|
|
|
|
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
|
|
|
if [ $? -eq 0 ]; then
|
|
|
|
fail "ssh cert connect succeeded unexpectedly"
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Wrong authorized_principals
|
|
|
|
verbose "$tid: wrong authorized_principals"
|
|
|
|
echo gregorsamsa > $OBJ/authorized_principals_$USER
|
|
|
|
${SSH} -i $OBJ/cert_user_key \
|
|
|
|
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
|
|
|
if [ $? -eq 0 ]; then
|
|
|
|
fail "ssh cert connect succeeded unexpectedly"
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Correct authorized_principals
|
|
|
|
verbose "$tid: correct authorized_principals"
|
|
|
|
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
|
|
|
|
${SSH} -i $OBJ/cert_user_key \
|
|
|
|
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
|
|
|
if [ $? -ne 0 ]; then
|
|
|
|
fail "ssh cert connect failed"
|
|
|
|
fi
|
|
|
|
|
|
|
|
# authorized_principals with bad key option
|
|
|
|
verbose "$tid: authorized_principals bad key opt"
|
|
|
|
echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
|
|
|
|
${SSH} -i $OBJ/cert_user_key \
|
|
|
|
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
|
|
|
if [ $? -eq 0 ]; then
|
|
|
|
fail "ssh cert connect succeeded unexpectedly"
|
|
|
|
fi
|
|
|
|
|
|
|
|
# authorized_principals with command=false
|
|
|
|
verbose "$tid: authorized_principals command=false"
|
|
|
|
echo 'command="false" mekmitasdigoat' > \
|
|
|
|
$OBJ/authorized_principals_$USER
|
|
|
|
${SSH} -i $OBJ/cert_user_key \
|
|
|
|
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
|
|
|
if [ $? -eq 0 ]; then
|
|
|
|
fail "ssh cert connect succeeded unexpectedly"
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
# authorized_principals with command=true
|
|
|
|
verbose "$tid: authorized_principals command=true"
|
|
|
|
echo 'command="true" mekmitasdigoat' > \
|
|
|
|
$OBJ/authorized_principals_$USER
|
|
|
|
${SSH} -i $OBJ/cert_user_key \
|
|
|
|
-F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
|
|
|
|
if [ $? -ne 0 ]; then
|
|
|
|
fail "ssh cert connect failed"
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Setup for principals= key option
|
|
|
|
# TODO: remove?
|
|
|
|
rm -f $OBJ/authorized_principals_$USER
|
|
|
|
(
|
|
|
|
cat $OBJ/sshd_proxy_bak
|
|
|
|
) > $OBJ/sshd_proxy
|
|
|
|
|
|
|
|
# Wrong principals list
|
|
|
|
verbose "$tid: wrong principals key option"
|
|
|
|
(
|
|
|
|
printf 'cert-authority,principals="gregorsamsa" '
|
|
|
|
cat $OBJ/user_ca_key.pub
|
|
|
|
) > $OBJ/authorized_keys_$USER
|
|
|
|
${SSH} -i $OBJ/cert_user_key \
|
|
|
|
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
|
|
|
if [ $? -eq 0 ]; then
|
|
|
|
fail "ssh cert connect succeeded unexpectedly"
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Correct principals list
|
|
|
|
verbose "$tid: correct principals key option"
|
|
|
|
(
|
|
|
|
printf 'cert-authority,principals="mekmitasdigoat" '
|
|
|
|
cat $OBJ/user_ca_key.pub
|
|
|
|
) > $OBJ/authorized_keys_$USER
|
|
|
|
${SSH} -i $OBJ/cert_user_key \
|
|
|
|
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
|
|
|
if [ $? -ne 0 ]; then
|
|
|
|
fail "ssh cert connect failed"
|
|
|
|
fi
|