diff options
| author |   djm <djm@openbsd.org> | 2016-09-21 01:35:12 +0000 |
|---|---|---|
| committer | djm <djm@openbsd.org> | 2016-09-21 01:35:12 +0000 |
| commit | 2dd3dc362dff150a48e2ecaeafd96bc705d23079 (patch) | |
| tree | 2eaaf4e9dc96d5f63ddee797ef3b4c383c64cd9b | |
| parent | add a way for principals command to get see key ID and serial too (diff) | |
| download | wireguard-openbsd-2dd3dc362dff150a48e2ecaeafd96bc705d23079.tar.xz wireguard-openbsd-2dd3dc362dff150a48e2ecaeafd96bc705d23079.zip | |
test all the AuthorizedPrincipalsCommand % expansions
| -rw-r--r-- | regress/usr.bin/ssh/principals-command.sh | 38 |
1 files changed, 27 insertions, 11 deletions
diff --git a/regress/usr.bin/ssh/principals-command.sh b/regress/usr.bin/ssh/principals-command.sh index c3816e08159..4cbfa659c36 100644 --- a/regress/usr.bin/ssh/principals-command.sh +++ b/regress/usr.bin/ssh/principals-command.sh @@ -1,4 +1,4 @@ -# $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $ +# $OpenBSD: principals-command.sh,v 1.2 2016/09/21 01:35:12 djm Exp $ # Placed in the Public Domain. tid="authorized principals command" @@ -10,27 +10,42 @@ if [ -z "$SUDO" ]; then fatal "need SUDO to create file in /var/run, test won't work without" fi +SERIAL=$$ + +# Create a CA key and a user certificate. +${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ + fatal "ssh-keygen of user_ca_key failed" +${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/cert_user_key || \ + fatal "ssh-keygen of cert_user_key failed" +${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \ + -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ + fatal "couldn't sign cert_user_key" + +CERT_BODY=`cat $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'` +CA_BODY=`cat $OBJ/user_ca_key.pub | awk '{ print $2 }'` +CERT_FP=`${SSHKEYGEN} -lf $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'` +CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'` + # Establish a AuthorizedPrincipalsCommand in /var/run where it will have # acceptable directory permissions. PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}" cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" #!/bin/sh test "x\$1" != "x${LOGNAME}" && exit 1 +test "x\$2" != "xssh-rsa-cert-v01@openssh.com" && exit 1 +test "x\$3" != "xssh-ed25519" && exit 1 +test "x\$4" != "xJoanne User" && exit 1 +test "x\$5" != "x${SERIAL}" && exit 1 +test "x\$6" != "x${CA_FP}" && exit 1 +test "x\$7" != "x${CERT_FP}" && exit 1 +test "x\$8" != "x${CERT_BODY}" && exit 1 +test "x\$9" != "x${CA_BODY}" && exit 1 test -f "$OBJ/authorized_principals_${LOGNAME}" && exec cat "$OBJ/authorized_principals_${LOGNAME}" _EOF test $? -eq 0 || fatal "couldn't prepare principals command" $SUDO chmod 0755 "$PRINCIPALS_COMMAND" -# Create a CA key and a user certificate. -${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ - fatal "ssh-keygen of user_ca_key failed" -${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \ - fatal "ssh-keygen of cert_user_key failed" -${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ - -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ - fatal "couldn't sign cert_user_key" - # Test explicitly-specified principals for privsep in yes no ; do _prefix="privsep $privsep" @@ -41,7 +56,8 @@ for privsep in yes no ; do cat $OBJ/sshd_proxy_bak echo "UsePrivilegeSeparation $privsep" echo "AuthorizedKeysFile none" - echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u" + echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \ + "%u %t %T %i %s %F %f %k %K" echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" ) > $OBJ/sshd_proxy |