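#	$OpenBSD: cert-userkey.sh,v 1.17 2016/11/30 03:01:33 djm Exp $
#	Placed in the Public Domain.
#
# Regression test: certified user keys.  This file is sourced by the regress
# harness, which is expected to provide $OBJ (scratch directory), $USER,
# $SSH, $SSHKEYGEN, optionally $EXTRA_TYPES, and the helpers verbose(),
# fail() and fatal(); none of them are defined here.

tid="certified user keys"

# Start from a clean slate and keep pristine copies of both proxy configs;
# every test below regenerates sshd_proxy/ssh_proxy from the *_bak copies.
rm -f "$OBJ/authorized_keys_$USER" "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"
cp "$OBJ/ssh_proxy" "$OBJ/ssh_proxy_bak"

# Key types supported by this ssh, spelled as ssh-keygen -t names
# ("ssh-" prefix dropped, ssh-dss -> dsa).
PLAIN_TYPES=$($SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//')

# When RSA is available, also exercise the RSA/SHA2 signature variants.
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
	PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
fi

# Print a PubkeyAcceptedKeyTypes pattern list for the key type named in $1:
# that type's wire name followed by the ssh-rsa and ssh-ed25519 families.
# rsa-sha2-* is already a wire name and is used as-is; previously that arm
# left $n untouched, so the pattern silently reused whatever the previous
# call had produced (or nothing at all on the first call).
kname() {
	case $1 in
	rsa-sha2-*) n=$1 ;;
	# subshell because some seds will add a newline
	*) n=$(echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;;
	esac
	echo "$n*,ssh-rsa*,ssh-ed25519*"
}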
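# Create a CA key.  Everything below is signed by it, so a failure here
# aborts the whole test (fatal) instead of merely being recorded (fail).
${SSHKEYGEN} -q -N '' -t rsa -f "$OBJ/user_ca_key" || \
	fatal "ssh-keygen of user_ca_key failed"

# Generate and sign user keys.  Every certificate carries two principals:
# the invoking user and "mekmitasdigoat", which the principals tests below
# match against ("gregorsamsa" serves as the non-matching principal).
for ktype in $PLAIN_TYPES $EXTRA_TYPES ; do
	verbose "$tid: sign user ${ktype} cert"
	${SSHKEYGEN} -q -N '' -t "${ktype}" \
	    -f "$OBJ/cert_user_key_${ktype}" || \
		fatal "ssh-keygen of cert_user_key_${ktype} failed"
	# Generate RSA/SHA2 certs for rsa-sha2* keys.
	case $ktype in
	rsa-sha2-*)	tflag="-t $ktype" ;;
	*)		tflag="" ;;
	esac
	# $tflag is deliberately unquoted: it is either empty or "-t <type>".
	${SSHKEYGEN} -q -s "$OBJ/user_ca_key" -z $$ \
	    -I "regress user key for $USER" \
	    -n "${USER},mekmitasdigoat" $tflag "$OBJ/cert_user_key_${ktype}" || \
		fatal "couldn't sign cert_user_key_${ktype}"
done

# Test explicitly-specified principals, first via AuthorizedPrincipalsFile
# and then via the principals= option of a cert-authority authorized_keys
# line, with privilege separation both on and off.
for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
	t=$(kname "$ktype")
	for privsep in yes no ; do
		_prefix="${ktype} privsep $privsep"

		# Setup for AuthorizedPrincipalsFile: no authorized_keys file,
		# the CA is trusted through TrustedUserCAKeys and the allowed
		# principals come only from authorized_principals_<user>.
		rm -f "$OBJ/authorized_keys_$USER"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "UsePrivilegeSeparation $privsep"
			echo "AuthorizedPrincipalsFile " \
			    "$OBJ/authorized_principals_%u"
			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
			echo "PubkeyAcceptedKeyTypes ${t}"
		) > "$OBJ/sshd_proxy"
		(
			cat "$OBJ/ssh_proxy_bak"
			echo "PubkeyAcceptedKeyTypes ${t}"
		) > "$OBJ/ssh_proxy"

		# Missing authorized_principals: no file, so no principal matches.
		verbose "$tid: ${_prefix} missing authorized_principals"
		rm -f "$OBJ/authorized_principals_$USER"
		if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1 ; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Empty authorized_principals
		verbose "$tid: ${_prefix} empty authorized_principals"
		echo > "$OBJ/authorized_principals_$USER"
		if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1 ; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Wrong authorized_principals
		verbose "$tid: ${_prefix} wrong authorized_principals"
		echo gregorsamsa > "$OBJ/authorized_principals_$USER"
		if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1 ; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct authorized_principals
		verbose "$tid: ${_prefix} correct authorized_principals"
		echo mekmitasdigoat > "$OBJ/authorized_principals_$USER"
		if ! ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1 ; then
			fail "ssh cert connect failed"
		fi

		# authorized_principals with bad key option: an unparseable
		# option must disable the line rather than be ignored.
		verbose "$tid: ${_prefix} authorized_principals bad key opt"
		echo 'blah mekmitasdigoat' > "$OBJ/authorized_principals_$USER"
		if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1 ; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=false: the forced command
		# replaces the requested "true", so the session must exit non-zero.
		verbose "$tid: ${_prefix} authorized_principals command=false"
		echo 'command="false" mekmitasdigoat' > \
		    "$OBJ/authorized_principals_$USER"
		if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1 ; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=true: the requested command
		# is "false", so a zero exit proves the forced command took over.
		verbose "$tid: ${_prefix} authorized_principals command=true"
		echo 'command="true" mekmitasdigoat' > \
		    "$OBJ/authorized_principals_$USER"
		if ! ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
		    -F "$OBJ/ssh_proxy" somehost false >/dev/null 2>&1 ; then
			fail "ssh cert connect failed"
		fi

		# Setup for principals= key option: no principals file, the CA
		# is trusted only through a cert-authority line in authorized_keys.
		rm -f "$OBJ/authorized_principals_$USER"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "UsePrivilegeSeparation $privsep"
			echo "PubkeyAcceptedKeyTypes ${t}"
		) > "$OBJ/sshd_proxy"
		(
			cat "$OBJ/ssh_proxy_bak"
			echo "PubkeyAcceptedKeyTypes ${t}"
		) > "$OBJ/ssh_proxy"

		# Wrong principals list
		verbose "$tid: ${_prefix} wrong principals key option"
		(
			printf 'cert-authority,principals="gregorsamsa" '
			cat "$OBJ/user_ca_key.pub"
		) > "$OBJ/authorized_keys_$USER"
		if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1 ; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct principals list
		verbose "$tid: ${_prefix} correct principals key option"
		(
			printf 'cert-authority,principals="mekmitasdigoat" '
			cat "$OBJ/user_ca_key.pub"
		) > "$OBJ/authorized_keys_$USER"
		if ! ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1 ; then
			fail "ssh cert connect failed"
		fi
	done
done

# basic_tests AUTH
#   Plain certificate login, revocation of the user key (RevokedKeys pointing
#   at a public key file, then at a KRL, then at an empty KRL) and revocation
#   of the CA key, for every type in PLAIN_TYPES with privsep on and off.
#   Finally checks that the CA private key itself cannot log in.
#   AUTH is "authorized_keys" to trust the CA from a cert-authority line in
#   authorized_keys; any other value trusts it via TrustedUserCAKeys.
#   Writes the globals extra_sshd, t, ktype, privsep and _prefix.
basic_tests() {
	auth=$1
	if test "x$auth" = "xauthorized_keys" ; then
		# Add CA to authorized_keys.  Reset extra_sshd explicitly so a
		# TrustedUserCAKeys line from an earlier call cannot leak in.
		(
			printf 'cert-authority '
			cat "$OBJ/user_ca_key.pub"
		) > "$OBJ/authorized_keys_$USER"
		extra_sshd=""
	else
		echo > "$OBJ/authorized_keys_$USER"
		extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
	fi

	for ktype in $PLAIN_TYPES ; do
		t=$(kname "$ktype")
		for privsep in yes no ; do
			_prefix="${ktype} privsep $privsep $auth"
			# Simple connect (output left visible for debugging).
			verbose "$tid: ${_prefix} connect"
			(
				cat "$OBJ/sshd_proxy_bak"
				echo "UsePrivilegeSeparation $privsep"
				echo "PubkeyAcceptedKeyTypes ${t}"
				echo "$extra_sshd"
			) > "$OBJ/sshd_proxy"
			(
				cat "$OBJ/ssh_proxy_bak"
				echo "PubkeyAcceptedKeyTypes ${t}"
			) > "$OBJ/ssh_proxy"

			if ! ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
			    -F "$OBJ/ssh_proxy" somehost true ; then
				fail "ssh cert connect failed"
			fi

			# Revoked keys: first via a plain public key file ...
			verbose "$tid: ${_prefix} revoked key"
			(
				cat "$OBJ/sshd_proxy_bak"
				echo "UsePrivilegeSeparation $privsep"
				echo "RevokedKeys $OBJ/cert_user_key_revoked"
				echo "PubkeyAcceptedKeyTypes ${t}"
				echo "$extra_sshd"
			) > "$OBJ/sshd_proxy"
			cp "$OBJ/cert_user_key_${ktype}.pub" \
			    "$OBJ/cert_user_key_revoked"
			if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
			    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1 ; then
				fail "ssh cert connect succeeded unexpectedly"
			fi
			# ... then via a KRL listing the same key ...
			verbose "$tid: ${_prefix} revoked via KRL"
			rm -f "$OBJ/cert_user_key_revoked"
			${SSHKEYGEN} -kqf "$OBJ/cert_user_key_revoked" \
			    "$OBJ/cert_user_key_${ktype}.pub"
			if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
			    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1 ; then
				fail "ssh cert connect succeeded unexpectedly"
			fi
			# ... and an empty KRL, which must revoke nothing.
			verbose "$tid: ${_prefix} empty KRL"
			${SSHKEYGEN} -kqf "$OBJ/cert_user_key_revoked"
			if ! ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
			    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1 ; then
				fail "ssh cert connect failed"
			fi
		done

		# Revoked CA
		verbose "$tid: ${ktype} $auth revoked CA key"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "RevokedKeys $OBJ/user_ca_key.pub"
			echo "PubkeyAcceptedKeyTypes ${t}"
			echo "$extra_sshd"
		) > "$OBJ/sshd_proxy"
		if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" -F "$OBJ/ssh_proxy" \
		    somehost true >/dev/null 2>&1 ; then
			fail "ssh cert connect succeeded unexpectedly"
		fi
	done

	# $t is whatever the last loop iteration produced.
	verbose "$tid: $auth CA does not authenticate"
	(
		cat "$OBJ/sshd_proxy_bak"
		echo "PubkeyAcceptedKeyTypes ${t}"
		echo "$extra_sshd"
	) > "$OBJ/sshd_proxy"
	verbose "$tid: ensure CA key does not authenticate user"
	if ${SSH} -2i "$OBJ/user_ca_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1 ; then
		fail "ssh cert connect with CA key succeeded unexpectedly"
	fi
}

basic_tests authorized_keys
basic_tests TrustedUserCAKeys

# test_one IDENT RESULT SIGN_OPTS [AUTH_CHOICE] [AUTH_OPT]
#   Sign cert_user_key_rsa and cert_user_key_ed25519 with SIGN_OPTS (word-split,
#   passed to ssh-keygen -s) and try to log in with each.
#   RESULT is "success" when the login must succeed; any other value means it
#   must fail.  AUTH_CHOICE is a space-separated subset of
#   "authorized_keys TrustedUserCAKeys" (default: both).  AUTH_OPT is appended
#   to the cert-authority option list for authorized_keys (so it normally
#   starts with a comma), or written as an extra sshd_config line for
#   TrustedUserCAKeys.  Reports through fail(); does not abort the run.
test_one() {
	ident=$1
	result=$2
	sign_opts=$3
	auth_choice=$4
	auth_opt=$5

	if test "x$auth_choice" = "x" ; then
		auth_choice="authorized_keys TrustedUserCAKeys"
	fi

	for auth in $auth_choice ; do
		for ktype in rsa ed25519 ; do
			cat "$OBJ/sshd_proxy_bak" > "$OBJ/sshd_proxy"
			if test "x$auth" = "xauthorized_keys" ; then
				# Add CA to authorized_keys; $auth_opt is data, so
				# keep it out of the printf format string.
				(
					printf 'cert-authority%s ' "$auth_opt"
					cat "$OBJ/user_ca_key.pub"
				) > "$OBJ/authorized_keys_$USER"
			else
				echo > "$OBJ/authorized_keys_$USER"
				echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
				    >> "$OBJ/sshd_proxy"
				# NOTE(review): $t is left over from the last kname
				# call in an earlier loop, not derived from $ktype;
				# confirm this is the intended pattern.
				echo "PubkeyAcceptedKeyTypes ${t}*" \
				    >> "$OBJ/sshd_proxy"
				if test "x$auth_opt" != "x" ; then
					echo "$auth_opt" >> "$OBJ/sshd_proxy"
				fi
			fi

			verbose "$tid: $ident auth $auth expect $result $ktype"
			# $sign_opts is deliberately unquoted: it holds several
			# ssh-keygen arguments, or nothing at all.
			${SSHKEYGEN} -q -s "$OBJ/user_ca_key" \
			    -I "regress user key for $USER" \
			    $sign_opts "$OBJ/cert_user_key_${ktype}" ||
				fail "couldn't sign cert_user_key_${ktype}"

			${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
			    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
			rc=$?
			if [ "x$result" = "xsuccess" ] ; then
				if [ "$rc" -ne 0 ]; then
					fail "$ident failed unexpectedly"
				fi
			else
				if [ "$rc" -eq 0 ]; then
					fail "$ident succeeded unexpectedly"
				fi
			fi
		done
	done
}

test_one "correct principal"	success "-n ${USER}"
test_one "host-certificate"	failure "-n ${USER} -h"
test_one "wrong principals"	failure "-n foo"
# The "not yet valid" window must start in the future; the original
# 20200101 start has since passed, which turned this into a passing login.
# Bump it again before 2030.
test_one "cert not yet valid"	failure "-n ${USER} -V20300101:20320101"
test_one "cert expired"		failure "-n ${USER} -V19800101:19900101"
test_one "cert valid interval"	success "-n ${USER} -V-1w:+2w"
test_one "wrong source-address"	failure "-n ${USER} -Osource-address=10.0.0.0/8"
test_one "force-command"	failure "-n ${USER} -Oforce-command=false"

# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
test_one "empty principals"	success "" authorized_keys
test_one "empty principals"	failure "" TrustedUserCAKeys

# Check explicitly-specified principals: an empty principals list in the cert
# should always be refused.

# AuthorizedPrincipalsFile
rm -f "$OBJ/authorized_keys_$USER"
echo mekmitasdigoat > "$OBJ/authorized_principals_$USER"
test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
    TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
test_one "AuthorizedPrincipalsFile no principals" failure "" \
    TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"

# principals= key option
rm -f "$OBJ/authorized_principals_$USER"
test_one "principals key option principals" success "-n mekmitasdigoat" \
    authorized_keys ',principals="mekmitasdigoat"'
test_one "principals key option no principals" failure "" \
    authorized_keys ',principals="mekmitasdigoat"'

# command= options vs. force-command in key: the login itself succeeds, the
# exit status reflects whichever forced command wins.
test_one "force-command match true" success \
    "-n ${USER} -Oforce-command=true" \
    authorized_keys ',command="true"'
test_one "force-command match false" failure \
    "-n ${USER} -Oforce-command=false" \
    authorized_keys ',command="false"'
test_one "force-command mismatch 1" failure \
    "-n ${USER} -Oforce-command=false" \
    authorized_keys ',command="true"'
test_one "force-command mismatch 2" failure \
    "-n ${USER} -Oforce-command=true" \
    authorized_keys ',command="false"'

# Wrong certificate: a cert signed by the user key itself rather than by
# the CA must be refused.
cat "$OBJ/sshd_proxy_bak" > "$OBJ/sshd_proxy"
for ktype in $PLAIN_TYPES ; do
	# Self-sign
	${SSHKEYGEN} -q -s "$OBJ/cert_user_key_${ktype}" -I \
	    "regress user key for $USER" \
	    -n "$USER" "$OBJ/cert_user_key_${ktype}" ||
		fatal "couldn't sign cert_user_key_${ktype}"
	verbose "$tid: user ${ktype} connect wrong cert"
	if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" -F "$OBJ/ssh_proxy" \
	    somehost true >/dev/null 2>&1 ; then
		fail "ssh cert connect ${ktype} wrong cert succeeded unexpectedly"
	fi
done

rm -f "$OBJ/authorized_keys_$USER" "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*
rm -f "$OBJ/authorized_principals_$USER"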