diff options
| author | dtucker@openbsd.org <dtucker@openbsd.org> | 2021-09-30 05:26:26 +0000 |
|---|---|---|
| committer | Darren Tucker <dtucker@dtucker.net> | 2021-10-01 14:55:12 +1000 |
| commit | 76a398edfb51951b2d65d522d7b02c72304db300 (patch) | |
| tree | dfcd9b40a2a3f98a6753e94a35026c790fdf2379 | |
| parent | ddcb53b7a7b29be65d57562302b2d5f41733e8dd (diff) | |
upstream: Fix up whitespace left by previous
change removing privsep. No other changes.
OpenBSD-Regress-ID: 87adec225d8afaee4d6a91b2b71203f52bf14b15
| -rw-r--r-- | regress/cert-hostkey.sh | 84 | ||||
| -rw-r--r-- | regress/cert-userkey.sh | 320 | ||||
| -rw-r--r-- | regress/principals-command.sh | 206 |
3 files changed, 305 insertions, 305 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 904dd693..a3414e1a 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-hostkey.sh,v 1.26 2021/09/30 05:20:08 dtucker Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.27 2021/09/30 05:26:26 dtucker Exp $ # Placed in the Public Domain. tid="certified host keys" @@ -131,33 +131,33 @@ attempt_connect() { } # Basic connect and revocation tests. - for ktype in $PLAIN_TYPES ; do - verbose "$tid: host ${ktype} cert connect" - ( - cat $OBJ/sshd_proxy_bak - echo HostKey $OBJ/cert_host_key_${ktype} - echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub - ) > $OBJ/sshd_proxy +for ktype in $PLAIN_TYPES ; do + verbose "$tid: host ${ktype} cert connect" + ( + cat $OBJ/sshd_proxy_bak + echo HostKey $OBJ/cert_host_key_${ktype} + echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub + ) > $OBJ/sshd_proxy - # test name expect success - attempt_connect "$ktype basic connect" "yes" - attempt_connect "$ktype empty KRL" "yes" \ - -oRevokedHostKeys=$OBJ/host_krl_empty - attempt_connect "$ktype KRL w/ plain key revoked" "no" \ - -oRevokedHostKeys=$OBJ/host_krl_plain - attempt_connect "$ktype KRL w/ cert revoked" "no" \ - -oRevokedHostKeys=$OBJ/host_krl_cert - attempt_connect "$ktype KRL w/ CA revoked" "no" \ - -oRevokedHostKeys=$OBJ/host_krl_ca - attempt_connect "$ktype empty plaintext revocation" "yes" \ - -oRevokedHostKeys=$OBJ/host_revoked_empty - attempt_connect "$ktype plain key plaintext revocation" "no" \ - -oRevokedHostKeys=$OBJ/host_revoked_plain - attempt_connect "$ktype cert plaintext revocation" "no" \ - -oRevokedHostKeys=$OBJ/host_revoked_cert - attempt_connect "$ktype CA plaintext revocation" "no" \ - -oRevokedHostKeys=$OBJ/host_revoked_ca - done + # test name expect success + attempt_connect "$ktype basic connect" "yes" + attempt_connect "$ktype empty KRL" "yes" \ + -oRevokedHostKeys=$OBJ/host_krl_empty + attempt_connect "$ktype KRL w/ plain key revoked" "no" \ + -oRevokedHostKeys=$OBJ/host_krl_plain + attempt_connect "$ktype KRL w/ cert revoked" "no" \ + -oRevokedHostKeys=$OBJ/host_krl_cert + attempt_connect "$ktype KRL w/ CA revoked" "no" \ + -oRevokedHostKeys=$OBJ/host_krl_ca + attempt_connect "$ktype empty plaintext revocation" "yes" \ + -oRevokedHostKeys=$OBJ/host_revoked_empty + attempt_connect "$ktype plain key plaintext revocation" "no" \ + -oRevokedHostKeys=$OBJ/host_revoked_plain + attempt_connect "$ktype cert plaintext revocation" "no" \ + -oRevokedHostKeys=$OBJ/host_revoked_cert + attempt_connect "$ktype CA plaintext revocation" "no" \ + -oRevokedHostKeys=$OBJ/host_revoked_ca +done # Revoked certificates with key present kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig @@ -166,22 +166,22 @@ for ktype in $PLAIN_TYPES ; do kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig done cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert - for ktype in $PLAIN_TYPES ; do - verbose "$tid: host ${ktype} revoked cert" - ( - cat $OBJ/sshd_proxy_bak - echo HostKey $OBJ/cert_host_key_${ktype} - echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub - ) > $OBJ/sshd_proxy +for ktype in $PLAIN_TYPES ; do + verbose "$tid: host ${ktype} revoked cert" + ( + cat $OBJ/sshd_proxy_bak + echo HostKey $OBJ/cert_host_key_${ktype} + echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub + ) > $OBJ/sshd_proxy - cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert - ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \ - -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - done + cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert + ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \ + -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi +done # Revoked CA kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 53d1951d..4ea29b7c 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.27 2021/09/30 05:20:08 dtucker Exp $ +# $OpenBSD: cert-userkey.sh,v 1.28 2021/09/30 05:26:26 dtucker Exp $ # Placed in the Public Domain. tid="certified user keys" @@ -60,122 +60,122 @@ done # Test explicitly-specified principals for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do t=$(kname $ktype) - _prefix="${ktype}" + _prefix="${ktype}" - # Setup for AuthorizedPrincipalsFile - rm -f $OBJ/authorized_keys_$USER - ( - cat $OBJ/sshd_proxy_bak - echo "AuthorizedPrincipalsFile " \ - "$OBJ/authorized_principals_%u" - echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" - echo "PubkeyAcceptedAlgorithms ${t}" - ) > $OBJ/sshd_proxy - ( - cat $OBJ/ssh_proxy_bak - echo "PubkeyAcceptedAlgorithms ${t}" - ) > $OBJ/ssh_proxy + # Setup for AuthorizedPrincipalsFile + rm -f $OBJ/authorized_keys_$USER + ( + cat $OBJ/sshd_proxy_bak + echo "AuthorizedPrincipalsFile " \ + "$OBJ/authorized_principals_%u" + echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" + echo "PubkeyAcceptedAlgorithms ${t}" + ) > $OBJ/sshd_proxy + ( + cat $OBJ/ssh_proxy_bak + echo "PubkeyAcceptedAlgorithms ${t}" + ) > $OBJ/ssh_proxy - # Missing authorized_principals - verbose "$tid: ${_prefix} missing authorized_principals" - rm -f $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key_${ktype} \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi + # Missing authorized_principals + verbose "$tid: ${_prefix} missing authorized_principals" + rm -f $OBJ/authorized_principals_$USER + ${SSH} -i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi - # Empty authorized_principals - verbose "$tid: ${_prefix} empty authorized_principals" - echo > $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key_${ktype} \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi + # Empty authorized_principals + verbose "$tid: ${_prefix} empty authorized_principals" + echo > $OBJ/authorized_principals_$USER + ${SSH} -i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi - # Wrong authorized_principals - verbose "$tid: ${_prefix} wrong authorized_principals" - echo gregorsamsa > $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key_${ktype} \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi + # Wrong authorized_principals + verbose "$tid: ${_prefix} wrong authorized_principals" + echo gregorsamsa > $OBJ/authorized_principals_$USER + ${SSH} -i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi - # Correct authorized_principals - verbose "$tid: ${_prefix} correct authorized_principals" - echo mekmitasdigoat > $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key_${ktype} \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi + # Correct authorized_principals + verbose "$tid: ${_prefix} correct authorized_principals" + echo mekmitasdigoat > $OBJ/authorized_principals_$USER + ${SSH} -i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi - # authorized_principals with bad key option - verbose "$tid: ${_prefix} authorized_principals bad key opt" - echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key_${ktype} \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi + # authorized_principals with bad key option + verbose "$tid: ${_prefix} authorized_principals bad key opt" + echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER + ${SSH} -i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi - # authorized_principals with command=false - verbose "$tid: ${_prefix} authorized_principals command=false" - echo 'command="false" mekmitasdigoat' > \ - $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key_${ktype} \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi + # authorized_principals with command=false + verbose "$tid: ${_prefix} authorized_principals command=false" + echo 'command="false" mekmitasdigoat' > \ + $OBJ/authorized_principals_$USER + ${SSH} -i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi - # authorized_principals with command=true - verbose "$tid: ${_prefix} authorized_principals command=true" - echo 'command="true" mekmitasdigoat' > \ - $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key_${ktype} \ - -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi + # authorized_principals with command=true + verbose "$tid: ${_prefix} authorized_principals command=true" + echo 'command="true" mekmitasdigoat' > \ + $OBJ/authorized_principals_$USER + ${SSH} -i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi - # Setup for principals= key option - rm -f $OBJ/authorized_principals_$USER - ( - cat $OBJ/sshd_proxy_bak - echo "PubkeyAcceptedAlgorithms ${t}" - ) > $OBJ/sshd_proxy - ( - cat $OBJ/ssh_proxy_bak - echo "PubkeyAcceptedAlgorithms ${t}" - ) > $OBJ/ssh_proxy + # Setup for principals= key option + rm -f $OBJ/authorized_principals_$USER + ( + cat $OBJ/sshd_proxy_bak + echo "PubkeyAcceptedAlgorithms ${t}" + ) > $OBJ/sshd_proxy + ( + cat $OBJ/ssh_proxy_bak + echo "PubkeyAcceptedAlgorithms ${t}" + ) > $OBJ/ssh_proxy - # Wrong principals list - verbose "$tid: ${_prefix} wrong principals key option" - ( - printf 'cert-authority,principals="gregorsamsa" ' - cat $OBJ/user_ca_key.pub - ) > $OBJ/authorized_keys_$USER - ${SSH} -i $OBJ/cert_user_key_${ktype} \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi + # Wrong principals list + verbose "$tid: ${_prefix} wrong principals key option" + ( + printf 'cert-authority,principals="gregorsamsa" ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + ${SSH} -i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi - # Correct principals list - verbose "$tid: ${_prefix} correct principals key option" - ( - printf 'cert-authority,principals="mekmitasdigoat" ' - cat $OBJ/user_ca_key.pub - ) > $OBJ/authorized_keys_$USER - ${SSH} -i $OBJ/cert_user_key_${ktype} \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi + # Correct principals list + verbose "$tid: ${_prefix} correct principals key option" + ( + printf 'cert-authority,principals="mekmitasdigoat" ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + ${SSH} -i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi done basic_tests() { @@ -193,71 +193,71 @@ basic_tests() { for ktype in $PLAIN_TYPES ; do t=$(kname $ktype) - _prefix="${ktype} $auth" - # Simple connect - verbose "$tid: ${_prefix} connect" - ( - cat $OBJ/sshd_proxy_bak - echo "PubkeyAcceptedAlgorithms ${t}" - echo "$extra_sshd" - ) > $OBJ/sshd_proxy - ( - cat $OBJ/ssh_proxy_bak - echo "PubkeyAcceptedAlgorithms ${t}" - ) > $OBJ/ssh_proxy - - ${SSH} -i $OBJ/cert_user_key_${ktype} \ - -F $OBJ/ssh_proxy somehost true - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi + _prefix="${ktype} $auth" + # Simple connect + verbose "$tid: ${_prefix} connect" + ( + cat $OBJ/sshd_proxy_bak + echo "PubkeyAcceptedAlgorithms ${t}" + echo "$extra_sshd" + ) > $OBJ/sshd_proxy + ( + cat $OBJ/ssh_proxy_bak + echo "PubkeyAcceptedAlgorithms ${t}" + ) > $OBJ/ssh_proxy - # Revoked keys - verbose "$tid: ${_prefix} revoked key" - ( - cat $OBJ/sshd_proxy_bak - echo "RevokedKeys $OBJ/cert_user_key_revoked" - echo "PubkeyAcceptedAlgorithms ${t}" - echo "$extra_sshd" - ) > $OBJ/sshd_proxy - cp $OBJ/cert_user_key_${ktype}.pub \ - $OBJ/cert_user_key_revoked - ${SSH} -i $OBJ/cert_user_key_${ktype} \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpecedly" - fi - verbose "$tid: ${_prefix} revoked via KRL" - rm $OBJ/cert_user_key_revoked - ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \ - $OBJ/cert_user_key_${ktype}.pub - ${SSH} -i $OBJ/cert_user_key_${ktype} \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpecedly" - fi - verbose "$tid: ${_prefix} empty KRL" - ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked - ${SSH} -i $OBJ/cert_user_key_${ktype} \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi - done + ${SSH} -i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi - # Revoked CA - verbose "$tid: ${ktype} $auth revoked CA key" + # Revoked keys + verbose "$tid: ${_prefix} revoked key" ( cat $OBJ/sshd_proxy_bak - echo "RevokedKeys $OBJ/user_ca_key.pub" + echo "RevokedKeys $OBJ/cert_user_key_revoked" echo "PubkeyAcceptedAlgorithms ${t}" echo "$extra_sshd" ) > $OBJ/sshd_proxy - ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ - somehost true >/dev/null 2>&1 + cp $OBJ/cert_user_key_${ktype}.pub \ + $OBJ/cert_user_key_revoked + ${SSH} -i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpecedly" + fi + verbose "$tid: ${_prefix} revoked via KRL" + rm $OBJ/cert_user_key_revoked + ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \ + $OBJ/cert_user_key_${ktype}.pub + ${SSH} -i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpecedly" fi + verbose "$tid: ${_prefix} empty KRL" + ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked + ${SSH} -i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + done + + # Revoked CA + verbose "$tid: ${ktype} $auth revoked CA key" + ( + cat $OBJ/sshd_proxy_bak + echo "RevokedKeys $OBJ/user_ca_key.pub" + echo "PubkeyAcceptedAlgorithms ${t}" + echo "$extra_sshd" + ) > $OBJ/sshd_proxy + ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ + somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpecedly" + fi verbose "$tid: $auth CA does not authenticate" ( diff --git a/regress/principals-command.sh b/regress/principals-command.sh index 74da09a9..8278711e 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh @@ -1,4 +1,4 @@ -# $OpenBSD: principals-command.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $ +# $OpenBSD: principals-command.sh,v 1.14 2021/09/30 05:26:26 dtucker Exp $ # Placed in the Public Domain. tid="authorized principals command" @@ -64,105 +64,105 @@ if [ ! -x $PRINCIPALS_COMMAND ]; then "(/var/run mounted noexec?)" fi -#Test explicitly-specified principals - # Setup for AuthorizedPrincipalsCommand - rm -f $OBJ/authorized_keys_$USER - ( - cat $OBJ/sshd_proxy_bak - echo "AuthorizedKeysFile none" - echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \ - "%u %t %T %i %s %F %f %k %K" - echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" - echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" - ) > $OBJ/sshd_proxy - - # XXX test missing command - # XXX test failing command - - # Empty authorized_principals - verbose "$tid: empty authorized_principals" - echo > $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - # Wrong authorized_principals - verbose "$tid: wrong authorized_principals" - echo gregorsamsa > $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - # Correct authorized_principals - verbose "$tid: correct authorized_principals" - echo mekmitasdigoat > $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi - - # authorized_principals with bad key option - verbose "$tid: authorized_principals bad key opt" - echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - # authorized_principals with command=false - verbose "$tid: authorized_principals command=false" - echo 'command="false" mekmitasdigoat' > \ - $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - - # authorized_principals with command=true - verbose "$tid: authorized_principals command=true" - echo 'command="true" mekmitasdigoat' > \ - $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi - - # Setup for principals= key option - # TODO: remove? - rm -f $OBJ/authorized_principals_$USER - ( - cat $OBJ/sshd_proxy_bak - ) > $OBJ/sshd_proxy - - # Wrong principals list - verbose "$tid: wrong principals key option" - ( - printf 'cert-authority,principals="gregorsamsa" ' - cat $OBJ/user_ca_key.pub - ) > $OBJ/authorized_keys_$USER - ${SSH} -i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - # Correct principals list - verbose "$tid: correct principals key option" - ( - printf 'cert-authority,principals="mekmitasdigoat" ' - cat $OBJ/user_ca_key.pub - ) > $OBJ/authorized_keys_$USER - ${SSH} -i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi +# Test explicitly-specified principals +# Setup for AuthorizedPrincipalsCommand +rm -f $OBJ/authorized_keys_$USER +( + cat $OBJ/sshd_proxy_bak + echo "AuthorizedKeysFile none" + echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \ + "%u %t %T %i %s %F %f %k %K" + echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" + echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" +) > $OBJ/sshd_proxy + +# XXX test missing command +# XXX test failing command + +# Empty authorized_principals +verbose "$tid: empty authorized_principals" +echo > $OBJ/authorized_principals_$USER +${SSH} -i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 +if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" +fi + +# Wrong authorized_principals +verbose "$tid: wrong authorized_principals" +echo gregorsamsa > $OBJ/authorized_principals_$USER +${SSH} -i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 +if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" +fi + +# Correct authorized_principals +verbose "$tid: correct authorized_principals" +echo mekmitasdigoat > $OBJ/authorized_principals_$USER +${SSH} -i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 +if [ $? -ne 0 ]; then + fail "ssh cert connect failed" +fi + +# authorized_principals with bad key option +verbose "$tid: authorized_principals bad key opt" +echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER +${SSH} -i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 +if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" +fi + +# authorized_principals with command=false +verbose "$tid: authorized_principals command=false" +echo 'command="false" mekmitasdigoat' > \ + $OBJ/authorized_principals_$USER +${SSH} -i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 +if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" +fi + + +# authorized_principals with command=true +verbose "$tid: authorized_principals command=true" +echo 'command="true" mekmitasdigoat' > \ + $OBJ/authorized_principals_$USER +${SSH} -i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 +if [ $? -ne 0 ]; then + fail "ssh cert connect failed" +fi + +# Setup for principals= key option +# TODO: remove? +rm -f $OBJ/authorized_principals_$USER +( + cat $OBJ/sshd_proxy_bak +) > $OBJ/sshd_proxy + +# Wrong principals list +verbose "$tid: wrong principals key option" +( + printf 'cert-authority,principals="gregorsamsa" ' + cat $OBJ/user_ca_key.pub +) > $OBJ/authorized_keys_$USER +${SSH} -i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 +if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" +fi + +# Correct principals list +verbose "$tid: correct principals key option" +( + printf 'cert-authority,principals="mekmitasdigoat" ' + cat $OBJ/user_ca_key.pub +) > $OBJ/authorized_keys_$USER +${SSH} -i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 +if [ $? -ne 0 ]; then + fail "ssh cert connect failed" +fi |