freebsd-nq/crypto/openssh/regress/cert-userkey.sh

359 lines
11 KiB
Bash
Raw Normal View History

2014-01-30 10:56:49 +00:00
# $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $
2010-03-08 11:19:52 +00:00
# Placed in the Public Domain.
tid="certified user keys"
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
2014-01-30 10:56:49 +00:00
PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
type_has_legacy() {
case $1 in
ed25519*|ecdsa*) return 1 ;;
esac
return 0
}
2010-03-08 11:19:52 +00:00
# Create a CA key
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
fail "ssh-keygen of user_ca_key failed"
# Generate and sign user keys
2014-01-30 10:56:49 +00:00
for ktype in $PLAIN_TYPES ; do
2010-03-08 11:19:52 +00:00
verbose "$tid: sign user ${ktype} cert"
${SSHKEYGEN} -q -N '' -t ${ktype} \
-f $OBJ/cert_user_key_${ktype} || \
fail "ssh-keygen of cert_user_key_${ktype} failed"
2013-03-22 11:19:48 +00:00
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
2010-03-08 11:19:52 +00:00
fail "couldn't sign cert_user_key_${ktype}"
2014-01-30 10:56:49 +00:00
type_has_legacy $ktype || continue
2010-11-08 10:45:44 +00:00
cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
2014-01-30 10:56:49 +00:00
verbose "$tid: sign host ${ktype}_v00 cert"
2010-11-08 10:45:44 +00:00
${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
"regress user key for $USER" \
-n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
2014-01-30 10:56:49 +00:00
fatal "couldn't sign cert_user_key_${ktype}_v00"
2010-11-08 10:45:44 +00:00
done
# Test explicitly-specified principals
2014-01-30 10:56:49 +00:00
for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
2010-11-08 10:45:44 +00:00
for privsep in yes no ; do
_prefix="${ktype} privsep $privsep"
# Setup for AuthorizedPrincipalsFile
rm -f $OBJ/authorized_keys_$USER
(
cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep"
echo "AuthorizedPrincipalsFile " \
"$OBJ/authorized_principals_%u"
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
) > $OBJ/sshd_proxy
# Missing authorized_principals
verbose "$tid: ${_prefix} missing authorized_principals"
rm -f $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
fi
# Empty authorized_principals
verbose "$tid: ${_prefix} empty authorized_principals"
echo > $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
fi
# Wrong authorized_principals
verbose "$tid: ${_prefix} wrong authorized_principals"
echo gregorsamsa > $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
fi
# Correct authorized_principals
verbose "$tid: ${_prefix} correct authorized_principals"
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
fi
# authorized_principals with bad key option
verbose "$tid: ${_prefix} authorized_principals bad key opt"
echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
fi
# authorized_principals with command=false
verbose "$tid: ${_prefix} authorized_principals command=false"
echo 'command="false" mekmitasdigoat' > \
$OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
fi
# authorized_principals with command=true
verbose "$tid: ${_prefix} authorized_principals command=true"
echo 'command="true" mekmitasdigoat' > \
$OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
fi
# Setup for principals= key option
rm -f $OBJ/authorized_principals_$USER
(
cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep"
) > $OBJ/sshd_proxy
# Wrong principals list
verbose "$tid: ${_prefix} wrong principals key option"
(
2013-09-18 17:27:38 +00:00
printf 'cert-authority,principals="gregorsamsa" '
2010-11-08 10:45:44 +00:00
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
fi
# Correct principals list
verbose "$tid: ${_prefix} correct principals key option"
(
2013-09-18 17:27:38 +00:00
printf 'cert-authority,principals="mekmitasdigoat" '
2010-11-08 10:45:44 +00:00
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
fi
done
2010-03-08 11:19:52 +00:00
done
basic_tests() {
auth=$1
if test "x$auth" = "xauthorized_keys" ; then
# Add CA to authorized_keys
(
2013-09-18 17:27:38 +00:00
printf 'cert-authority '
2010-03-08 11:19:52 +00:00
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
else
echo > $OBJ/authorized_keys_$USER
extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
fi
2014-01-30 10:56:49 +00:00
for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
2010-03-08 11:19:52 +00:00
for privsep in yes no ; do
_prefix="${ktype} privsep $privsep $auth"
# Simple connect
verbose "$tid: ${_prefix} connect"
(
cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
fi
# Revoked keys
verbose "$tid: ${_prefix} revoked key"
(
cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep"
2013-03-22 11:19:48 +00:00
echo "RevokedKeys $OBJ/cert_user_key_revoked"
2010-03-08 11:19:52 +00:00
echo "$extra_sshd"
) > $OBJ/sshd_proxy
2013-03-22 11:19:48 +00:00
cp $OBJ/cert_user_key_${ktype}.pub \
$OBJ/cert_user_key_revoked
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpecedly"
fi
verbose "$tid: ${_prefix} revoked via KRL"
rm $OBJ/cert_user_key_revoked
${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
$OBJ/cert_user_key_${ktype}.pub
2010-03-08 11:19:52 +00:00
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpecedly"
fi
2013-03-22 11:19:48 +00:00
verbose "$tid: ${_prefix} empty KRL"
${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
fi
2010-03-08 11:19:52 +00:00
done
# Revoked CA
verbose "$tid: ${ktype} $auth revoked CA key"
(
cat $OBJ/sshd_proxy_bak
echo "RevokedKeys $OBJ/user_ca_key.pub"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpecedly"
fi
done
verbose "$tid: $auth CA does not authenticate"
(
cat $OBJ/sshd_proxy_bak
echo "$extra_sshd"
) > $OBJ/sshd_proxy
verbose "$tid: ensure CA key does not authenticate user"
${SSH} -2i $OBJ/user_ca_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect with CA key succeeded unexpectedly"
fi
}
basic_tests authorized_keys
basic_tests TrustedUserCAKeys
test_one() {
ident=$1
result=$2
sign_opts=$3
auth_choice=$4
2010-11-08 10:45:44 +00:00
auth_opt=$5
2010-03-08 11:19:52 +00:00
if test "x$auth_choice" = "x" ; then
auth_choice="authorized_keys TrustedUserCAKeys"
fi
for auth in $auth_choice ; do
2010-11-08 10:45:44 +00:00
for ktype in rsa rsa_v00 ; do
2011-02-17 11:47:40 +00:00
case $ktype in
*_v00) keyv="-t v00" ;;
*) keyv="" ;;
esac
2010-11-08 10:45:44 +00:00
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
if test "x$auth" = "xauthorized_keys" ; then
# Add CA to authorized_keys
(
2013-09-18 17:27:38 +00:00
printf "cert-authority${auth_opt} "
2010-11-08 10:45:44 +00:00
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
else
echo > $OBJ/authorized_keys_$USER
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
>> $OBJ/sshd_proxy
if test "x$auth_opt" != "x" ; then
echo $auth_opt >> $OBJ/sshd_proxy
fi
2010-03-08 11:19:52 +00:00
fi
2010-11-08 10:45:44 +00:00
verbose "$tid: $ident auth $auth expect $result $ktype"
${SSHKEYGEN} -q -s $OBJ/user_ca_key \
-I "regress user key for $USER" \
2011-02-17 11:47:40 +00:00
$sign_opts $keyv \
2010-11-08 10:45:44 +00:00
$OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}"
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
rc=$?
if [ "x$result" = "xsuccess" ] ; then
if [ $rc -ne 0 ]; then
fail "$ident failed unexpectedly"
fi
else
if [ $rc -eq 0 ]; then
fail "$ident succeeded unexpectedly"
fi
2010-03-08 11:19:52 +00:00
fi
2010-11-08 10:45:44 +00:00
done
2010-03-08 11:19:52 +00:00
done
}
test_one "correct principal" success "-n ${USER}"
test_one "host-certificate" failure "-n ${USER} -h"
test_one "wrong principals" failure "-n foo"
test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
test_one "force-command" failure "-n ${USER} -Oforce-command=false"
# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
test_one "empty principals" success "" authorized_keys
test_one "empty principals" failure "" TrustedUserCAKeys
2010-11-08 10:45:44 +00:00
# Check explicitly-specified principals: an empty principals list in the cert
# should always be refused.
# AuthorizedPrincipalsFile
rm -f $OBJ/authorized_keys_$USER
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
test_one "AuthorizedPrincipalsFile no principals" failure "" \
TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
# principals= key option
rm -f $OBJ/authorized_principals_$USER
test_one "principals key option principals" success "-n mekmitasdigoat" \
authorized_keys ',principals="mekmitasdigoat"'
test_one "principals key option no principals" failure "" \
authorized_keys ',principals="mekmitasdigoat"'
2010-03-08 11:19:52 +00:00
# Wrong certificate
2010-11-08 10:45:44 +00:00
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
2014-01-30 10:56:49 +00:00
for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
2010-11-08 10:45:44 +00:00
case $ktype in
*_v00) args="-t v00" ;;
*) args="" ;;
esac
2010-03-08 11:19:52 +00:00
# Self-sign
2010-11-08 10:45:44 +00:00
${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
2010-03-08 11:19:52 +00:00
"regress user key for $USER" \
-n $USER $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}"
verbose "$tid: user ${ktype} connect wrong cert"
${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect $ident succeeded unexpectedly"
fi
done
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
2010-11-08 10:45:44 +00:00
rm -f $OBJ/authorized_principals_$USER
2010-03-08 11:19:52 +00:00