Attachment #2557 for bug #2081

Lines 7-32 if [ -z "$SUDO" ]; then Link Here

(-)keys-command.sh (-10 / +47 lines)
7	fatal "need SUDO to create file in /var/run, test won't work without"	7	fatal "need SUDO to create file in /var/run, test won't work without"
8	fi	8	fi
9		9
		10	rm -f $OBJ/keys-command-args
		11
		12	touch $OBJ/keys-command-args
		13	chmod a+rw $OBJ/keys-command-args
		14
		15	expected_key_text=`awk '{ print $2 }' < $OBJ/rsa.pub`
		16	expected_key_fp=`$SSHKEYGEN -lf $OBJ/rsa.pub \| awk '{ print $2 }'`
		17
10	# Establish a AuthorizedKeysCommand in /var/run where it will have	18	# Establish a AuthorizedKeysCommand in /var/run where it will have
11	# acceptable directory permissions.	19	# acceptable directory permissions.
12	KEY_COMMAND="/var/run/keycommand_${LOGNAME}"	20	KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
13	cat << _EOF \| $SUDO sh -c "cat > '$KEY_COMMAND'"	21	cat << _EOF \| $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'"
14	#!/bin/sh	22	#!/bin/sh
		23	echo args: "\$@" >> $OBJ/keys-command-args
		24	echo "$PATH" \| grep -q mekmitasdigoat && exit 7
15	test "x\$1" != "x${LOGNAME}" && exit 1	25	test "x\$1" != "x${LOGNAME}" && exit 1
		26	if test $# -eq 6 ; then
		27	test "x\$2" != "xblah" && exit 2
		28	test "x\$3" != "x${expected_key_text}" && exit 3
		29	test "x\$4" != "xssh-rsa" && exit 4
		30	test "x\$5" != "x${expected_key_fp}" && exit 5
		31	test "x\$6" != "xblah" && exit 6
		32	fi
16	exec cat "$OBJ/authorized_keys_${LOGNAME}"	33	exec cat "$OBJ/authorized_keys_${LOGNAME}"
17	_EOF	34	_EOF
18	$SUDO chmod 0755 "$KEY_COMMAND"	35	$SUDO chmod 0755 "$KEY_COMMAND"
19		36
20	cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
21	(
22	grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
23	echo AuthorizedKeysFile none
24	echo AuthorizedKeysCommand $KEY_COMMAND
25	echo AuthorizedKeysCommandUser ${LOGNAME}
26	) > $OBJ/sshd_proxy
27
28	if [ -x $KEY_COMMAND ]; then	37	if [ -x $KEY_COMMAND ]; then
29	${SSH} -F $OBJ/ssh_proxy somehost true	38	cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
		39
		40	verbose "AuthorizedKeysCommand with arguments"
		41	(
		42	grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
		43	echo AuthorizedKeysFile none
		44	echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah
		45	echo AuthorizedKeysCommandUser ${LOGNAME}
		46	) > $OBJ/sshd_proxy
		47
		48	# Ensure that $PATH is sanitised in sshd
		49	env PATH=$PATH:/sbin/mekmitasdigoat \
		50	${SSH} -F $OBJ/ssh_proxy somehost true
		51	if [ $? -ne 0 ]; then
		52	fail "connect failed"
		53	fi
		54
		55	verbose "AuthorizedKeysCommand without arguments"
		56	# Check legacy behavior of no-args resulting in username being passed.
		57	(
		58	grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
		59	echo AuthorizedKeysFile none
		60	echo AuthorizedKeysCommand $KEY_COMMAND
		61	echo AuthorizedKeysCommandUser ${LOGNAME}
		62	) > $OBJ/sshd_proxy
		63
		64	# Ensure that $PATH is sanitised in sshd
		65	env PATH=$PATH:/sbin/mekmitasdigoat \
		66	${SSH} -F $OBJ/ssh_proxy somehost true
30	if [ $? -ne 0 ]; then	67	if [ $? -ne 0 ]; then
31	fail "connect failed"	68	fail "connect failed"
32	fi	69	fi




#	$OpenBSD$
#	Placed in the Public Domain.

tid="authorized principals command"

rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

if [ -z "$SUDO" ]; then
	fatal "need SUDO to create file in /var/run, test won't work without"
fi

# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
# acceptable directory permissions.
PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
#!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
	exec cat "$OBJ/authorized_principals_${LOGNAME}"
_EOF
test $? -eq 0 || fatal "couldn't prepare principals command"
$SUDO chmod 0755 "$PRINCIPALS_COMMAND"

# Create a CA key and a user certificate.
${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key || \
	fatal "ssh-keygen of user_ca_key failed"
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \
	fatal "ssh-keygen of cert_user_key failed"
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
    -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
	fatal "couldn't sign cert_user_key"

# Test explicitly-specified principals
for privsep in yes no ; do
	_prefix="privsep $privsep"

	# Setup for AuthorizedPrincipalsCommand
	rm -f $OBJ/authorized_keys_$USER
	(
		cat $OBJ/sshd_proxy_bak
		echo "UsePrivilegeSeparation $privsep"
		echo "AuthorizedKeysFile none"
		echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
		echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
	) > $OBJ/sshd_proxy

	# XXX test missing command
	# XXX test failing command

	# Empty authorized_principals
	verbose "$tid: ${_prefix} empty authorized_principals"
	echo > $OBJ/authorized_principals_$USER
	${SSH} -2i $OBJ/cert_user_key \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Wrong authorized_principals
	verbose "$tid: ${_prefix} wrong authorized_principals"
	echo gregorsamsa > $OBJ/authorized_principals_$USER
	${SSH} -2i $OBJ/cert_user_key \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Correct authorized_principals
	verbose "$tid: ${_prefix} correct authorized_principals"
	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
	${SSH} -2i $OBJ/cert_user_key \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -ne 0 ]; then
		fail "ssh cert connect failed"
	fi

	# authorized_principals with bad key option
	verbose "$tid: ${_prefix} authorized_principals bad key opt"
	echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
	${SSH} -2i $OBJ/cert_user_key \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# authorized_principals with command=false
	verbose "$tid: ${_prefix} authorized_principals command=false"
	echo 'command="false" mekmitasdigoat' > \
	    $OBJ/authorized_principals_$USER
	${SSH} -2i $OBJ/cert_user_key \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi


	# authorized_principals with command=true
	verbose "$tid: ${_prefix} authorized_principals command=true"
	echo 'command="true" mekmitasdigoat' > \
	    $OBJ/authorized_principals_$USER
	${SSH} -2i $OBJ/cert_user_key \
	    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
	if [ $? -ne 0 ]; then
		fail "ssh cert connect failed"
	fi

	# Setup for principals= key option
	rm -f $OBJ/authorized_principals_$USER
	(
		cat $OBJ/sshd_proxy_bak
		echo "UsePrivilegeSeparation $privsep"
	) > $OBJ/sshd_proxy

	# Wrong principals list
	verbose "$tid: ${_prefix} wrong principals key option"
	(
		printf 'cert-authority,principals="gregorsamsa" '
		cat $OBJ/user_ca_key.pub
	) > $OBJ/authorized_keys_$USER
	${SSH} -2i $OBJ/cert_user_key \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi

	# Correct principals list
	verbose "$tid: ${_prefix} correct principals key option"
	(
		printf 'cert-authority,principals="mekmitasdigoat" '
		cat $OBJ/user_ca_key.pub
	) > $OBJ/authorized_keys_$USER
	${SSH} -2i $OBJ/cert_user_key \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -ne 0 ]; then
		fail "ssh cert connect failed"
	fi
done

Return to bug 2081

Added Link Here

(-)principals-command.sh (+139 lines)
1	# $OpenBSD$
2	# Placed in the Public Domain.
3
4	tid="authorized principals command"
5
6	rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
7	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8
9	if [ -z "$SUDO" ]; then
10	fatal "need SUDO to create file in /var/run, test won't work without"
11	fi
12
13	# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
14	# acceptable directory permissions.
15	PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
16	cat << _EOF \| $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
17	#!/bin/sh
18	test "x\$1" != "x${LOGNAME}" && exit 1
19	test -f "$OBJ/authorized_principals_${LOGNAME}" &&
20	exec cat "$OBJ/authorized_principals_${LOGNAME}"
21	_EOF
22	test $? -eq 0 \|\| fatal "couldn't prepare principals command"
23	$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
24
25	# Create a CA key and a user certificate.
26	${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \|\| \
27	fatal "ssh-keygen of user_ca_key failed"
28	${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key \|\| \
29	fatal "ssh-keygen of cert_user_key failed"
30	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
31	-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key \|\| \
32	fatal "couldn't sign cert_user_key"
33
34	# Test explicitly-specified principals
35	for privsep in yes no ; do
36	_prefix="privsep $privsep"
37
38	# Setup for AuthorizedPrincipalsCommand
39	rm -f $OBJ/authorized_keys_$USER
40	(
41	cat $OBJ/sshd_proxy_bak
42	echo "UsePrivilegeSeparation $privsep"
43	echo "AuthorizedKeysFile none"
44	echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
45	echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
46	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
47	) > $OBJ/sshd_proxy
48
49	# XXX test missing command
50	# XXX test failing command
51
52	# Empty authorized_principals
53	verbose "$tid: ${_prefix} empty authorized_principals"
54	echo > $OBJ/authorized_principals_$USER
55	${SSH} -2i $OBJ/cert_user_key \
56	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
57	if [ $? -eq 0 ]; then
58	fail "ssh cert connect succeeded unexpectedly"
59	fi
60
61	# Wrong authorized_principals
62	verbose "$tid: ${_prefix} wrong authorized_principals"
63	echo gregorsamsa > $OBJ/authorized_principals_$USER
64	${SSH} -2i $OBJ/cert_user_key \
65	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
66	if [ $? -eq 0 ]; then
67	fail "ssh cert connect succeeded unexpectedly"
68	fi
69
70	# Correct authorized_principals
71	verbose "$tid: ${_prefix} correct authorized_principals"
72	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
73	${SSH} -2i $OBJ/cert_user_key \
74	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
75	if [ $? -ne 0 ]; then
76	fail "ssh cert connect failed"
77	fi
78
79	# authorized_principals with bad key option
80	verbose "$tid: ${_prefix} authorized_principals bad key opt"
81	echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
82	${SSH} -2i $OBJ/cert_user_key \
83	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
84	if [ $? -eq 0 ]; then
85	fail "ssh cert connect succeeded unexpectedly"
86	fi
87
88	# authorized_principals with command=false
89	verbose "$tid: ${_prefix} authorized_principals command=false"
90	echo 'command="false" mekmitasdigoat' > \
91	$OBJ/authorized_principals_$USER
92	${SSH} -2i $OBJ/cert_user_key \
93	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
94	if [ $? -eq 0 ]; then
95	fail "ssh cert connect succeeded unexpectedly"
96	fi
97
98
99	# authorized_principals with command=true
100	verbose "$tid: ${_prefix} authorized_principals command=true"
101	echo 'command="true" mekmitasdigoat' > \
102	$OBJ/authorized_principals_$USER
103	${SSH} -2i $OBJ/cert_user_key \
104	-F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
105	if [ $? -ne 0 ]; then
106	fail "ssh cert connect failed"
107	fi
108
109	# Setup for principals= key option
110	rm -f $OBJ/authorized_principals_$USER
111	(
112	cat $OBJ/sshd_proxy_bak
113	echo "UsePrivilegeSeparation $privsep"
114	) > $OBJ/sshd_proxy
115
116	# Wrong principals list
117	verbose "$tid: ${_prefix} wrong principals key option"
118	(
119	printf 'cert-authority,principals="gregorsamsa" '
120	cat $OBJ/user_ca_key.pub
121	) > $OBJ/authorized_keys_$USER
122	${SSH} -2i $OBJ/cert_user_key \
123	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
124	if [ $? -eq 0 ]; then
125	fail "ssh cert connect succeeded unexpectedly"
126	fi
127
128	# Correct principals list
129	verbose "$tid: ${_prefix} correct principals key option"
130	(
131	printf 'cert-authority,principals="mekmitasdigoat" '
132	cat $OBJ/user_ca_key.pub
133	) > $OBJ/authorized_keys_$USER
134	${SSH} -2i $OBJ/cert_user_key \
135	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
136	if [ $? -ne 0 ]; then
137	fail "ssh cert connect failed"
138	fi
139	done