upstream commit
regress test for AuthorizedPrincipalsCommand Upstream-Regress-ID: c658fbf1ab6b6011dc83b73402322e396f1e1219
This commit is contained in:
parent
84452c5d03
commit
13640798c7
|
@ -1,4 +1,4 @@
|
||||||
# $OpenBSD: Makefile,v 1.80 2015/04/23 05:01:19 dtucker Exp $
|
# $OpenBSD: Makefile,v 1.81 2015/05/21 06:44:25 djm Exp $
|
||||||
|
|
||||||
REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
|
REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
|
||||||
tests: prep $(REGRESS_TARGETS)
|
tests: prep $(REGRESS_TARGETS)
|
||||||
|
@ -73,7 +73,8 @@ LTESTS= connect \
|
||||||
limit-keytype \
|
limit-keytype \
|
||||||
hostkey-agent \
|
hostkey-agent \
|
||||||
keygen-knownhosts \
|
keygen-knownhosts \
|
||||||
hostkey-rotate
|
hostkey-rotate \
|
||||||
|
principals-command
|
||||||
|
|
||||||
|
|
||||||
# dhgex \
|
# dhgex \
|
||||||
|
|
|
@ -0,0 +1,139 @@
|
||||||
|
# $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $
|
||||||
|
# Placed in the Public Domain.
|
||||||
|
|
||||||
|
tid="authorized principals command"
|
||||||
|
|
||||||
|
rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
|
||||||
|
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
||||||
|
|
||||||
|
if [ -z "$SUDO" ]; then
|
||||||
|
fatal "need SUDO to create file in /var/run, test won't work without"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
|
||||||
|
# acceptable directory permissions.
|
||||||
|
PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
|
||||||
|
cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
|
||||||
|
#!/bin/sh
|
||||||
|
test "x\$1" != "x${LOGNAME}" && exit 1
|
||||||
|
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
|
||||||
|
exec cat "$OBJ/authorized_principals_${LOGNAME}"
|
||||||
|
_EOF
|
||||||
|
test $? -eq 0 || fatal "couldn't prepare principals command"
|
||||||
|
$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
|
||||||
|
|
||||||
|
# Create a CA key and a user certificate.
|
||||||
|
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
|
||||||
|
fatal "ssh-keygen of user_ca_key failed"
|
||||||
|
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \
|
||||||
|
fatal "ssh-keygen of cert_user_key failed"
|
||||||
|
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
|
||||||
|
-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
|
||||||
|
fatal "couldn't sign cert_user_key"
|
||||||
|
|
||||||
|
# Test explicitly-specified principals
|
||||||
|
for privsep in yes no ; do
|
||||||
|
_prefix="privsep $privsep"
|
||||||
|
|
||||||
|
# Setup for AuthorizedPrincipalsCommand
|
||||||
|
rm -f $OBJ/authorized_keys_$USER
|
||||||
|
(
|
||||||
|
cat $OBJ/sshd_proxy_bak
|
||||||
|
echo "UsePrivilegeSeparation $privsep"
|
||||||
|
echo "AuthorizedKeysFile none"
|
||||||
|
echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
|
||||||
|
echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
|
||||||
|
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
|
||||||
|
) > $OBJ/sshd_proxy
|
||||||
|
|
||||||
|
# XXX test missing command
|
||||||
|
# XXX test failing command
|
||||||
|
|
||||||
|
# Empty authorized_principals
|
||||||
|
verbose "$tid: ${_prefix} empty authorized_principals"
|
||||||
|
echo > $OBJ/authorized_principals_$USER
|
||||||
|
${SSH} -2i $OBJ/cert_user_key \
|
||||||
|
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
fail "ssh cert connect succeeded unexpectedly"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Wrong authorized_principals
|
||||||
|
verbose "$tid: ${_prefix} wrong authorized_principals"
|
||||||
|
echo gregorsamsa > $OBJ/authorized_principals_$USER
|
||||||
|
${SSH} -2i $OBJ/cert_user_key \
|
||||||
|
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
fail "ssh cert connect succeeded unexpectedly"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Correct authorized_principals
|
||||||
|
verbose "$tid: ${_prefix} correct authorized_principals"
|
||||||
|
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
|
||||||
|
${SSH} -2i $OBJ/cert_user_key \
|
||||||
|
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
fail "ssh cert connect failed"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# authorized_principals with bad key option
|
||||||
|
verbose "$tid: ${_prefix} authorized_principals bad key opt"
|
||||||
|
echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
|
||||||
|
${SSH} -2i $OBJ/cert_user_key \
|
||||||
|
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
fail "ssh cert connect succeeded unexpectedly"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# authorized_principals with command=false
|
||||||
|
verbose "$tid: ${_prefix} authorized_principals command=false"
|
||||||
|
echo 'command="false" mekmitasdigoat' > \
|
||||||
|
$OBJ/authorized_principals_$USER
|
||||||
|
${SSH} -2i $OBJ/cert_user_key \
|
||||||
|
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
fail "ssh cert connect succeeded unexpectedly"
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
# authorized_principals with command=true
|
||||||
|
verbose "$tid: ${_prefix} authorized_principals command=true"
|
||||||
|
echo 'command="true" mekmitasdigoat' > \
|
||||||
|
$OBJ/authorized_principals_$USER
|
||||||
|
${SSH} -2i $OBJ/cert_user_key \
|
||||||
|
-F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
fail "ssh cert connect failed"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Setup for principals= key option
|
||||||
|
rm -f $OBJ/authorized_principals_$USER
|
||||||
|
(
|
||||||
|
cat $OBJ/sshd_proxy_bak
|
||||||
|
echo "UsePrivilegeSeparation $privsep"
|
||||||
|
) > $OBJ/sshd_proxy
|
||||||
|
|
||||||
|
# Wrong principals list
|
||||||
|
verbose "$tid: ${_prefix} wrong principals key option"
|
||||||
|
(
|
||||||
|
printf 'cert-authority,principals="gregorsamsa" '
|
||||||
|
cat $OBJ/user_ca_key.pub
|
||||||
|
) > $OBJ/authorized_keys_$USER
|
||||||
|
${SSH} -2i $OBJ/cert_user_key \
|
||||||
|
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
fail "ssh cert connect succeeded unexpectedly"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Correct principals list
|
||||||
|
verbose "$tid: ${_prefix} correct principals key option"
|
||||||
|
(
|
||||||
|
printf 'cert-authority,principals="mekmitasdigoat" '
|
||||||
|
cat $OBJ/user_ca_key.pub
|
||||||
|
) > $OBJ/authorized_keys_$USER
|
||||||
|
${SSH} -2i $OBJ/cert_user_key \
|
||||||
|
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
fail "ssh cert connect failed"
|
||||||
|
fi
|
||||||
|
done
|
Loading…
Reference in New Issue