openssh/regress/principals-command.sh

#	$OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $
#	Placed in the Public Domain.

tid="authorized principals command"

rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

if test -z "$SUDO" ; then
	echo "skipped (SUDO not set)"
	echo "need SUDO to create file in /var/run, test won't work without"
	exit 0
fi

# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
# acceptable directory permissions.
PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
#!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1
test -f "$OBJ/authorized_principals_${LOGNAME}" &&
	exec cat "$OBJ/authorized_principals_${LOGNAME}"
_EOF
test $? -eq 0 || fatal "couldn't prepare principals command"
$SUDO chmod 0755 "$PRINCIPALS_CMD"

if ! $OBJ/check-perm -m keys-command $PRINCIPALS_CMD ; then
	echo "skipping: $PRINCIPALS_CMD is unsuitable as " \
	    "AuthorizedPrincipalsCommand"
	$SUDO rm -f $PRINCIPALS_CMD
	exit 0
fi

# Create a CA key and a user certificate.
${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key || \
	fatal "ssh-keygen of user_ca_key failed"
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \
	fatal "ssh-keygen of cert_user_key failed"
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
    -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
	fatal "couldn't sign cert_user_key"

if [ -x $PRINCIPALS_CMD ]; then
	# Test explicitly-specified principals
	for privsep in yes no ; do
		_prefix="privsep $privsep"

		# Setup for AuthorizedPrincipalsCommand
		rm -f $OBJ/authorized_keys_$USER
		(
			cat $OBJ/sshd_proxy_bak
			echo "UsePrivilegeSeparation $privsep"
			echo "AuthorizedKeysFile none"
			echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
			echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
		) > $OBJ/sshd_proxy

		# XXX test missing command
		# XXX test failing command

		# Empty authorized_principals
		verbose "$tid: ${_prefix} empty authorized_principals"
		echo > $OBJ/authorized_principals_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Wrong authorized_principals
		verbose "$tid: ${_prefix} wrong authorized_principals"
		echo gregorsamsa > $OBJ/authorized_principals_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct authorized_principals
		verbose "$tid: ${_prefix} correct authorized_principals"
		echo mekmitasdigoat > $OBJ/authorized_principals_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi

		# authorized_principals with bad key option
		verbose "$tid: ${_prefix} authorized_principals bad key opt"
		echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=false
		verbose "$tid: ${_prefix} authorized_principals command=false"
		echo 'command="false" mekmitasdigoat' > \
		    $OBJ/authorized_principals_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=true
		verbose "$tid: ${_prefix} authorized_principals command=true"
		echo 'command="true" mekmitasdigoat' > \
		    $OBJ/authorized_principals_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi

		# Setup for principals= key option
		rm -f $OBJ/authorized_principals_$USER
		(
			cat $OBJ/sshd_proxy_bak
			echo "UsePrivilegeSeparation $privsep"
		) > $OBJ/sshd_proxy

		# Wrong principals list
		verbose "$tid: ${_prefix} wrong principals key option"
		(
			printf 'cert-authority,principals="gregorsamsa" '
			cat $OBJ/user_ca_key.pub
		) > $OBJ/authorized_keys_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct principals list
		verbose "$tid: ${_prefix} correct principals key option"
		(
			printf 'cert-authority,principals="mekmitasdigoat" '
			cat $OBJ/user_ca_key.pub
		) > $OBJ/authorized_keys_$USER
		${SSH} -2i $OBJ/cert_user_key \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi
	done
else
	echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
	    "(/var/run mounted noexec?)"
fi
upstream commit regress test for AuthorizedPrincipalsCommand Upstream-Regress-ID: c658fbf1ab6b6011dc83b73402322e396f1e1219 2015-05-21 06:44:25 +00:00			`# $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $`
			`# Placed in the Public Domain.`

			`tid="authorized principals command"`

			`rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*`
			`cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak`

skip, rather than fatal when run without SUDO set 2015-05-29 08:27:21 +00:00			`if test -z "$SUDO" ; then`
			`echo "skipped (SUDO not set)"`
			`echo "need SUDO to create file in /var/run, test won't work without"`
			`exit 0`
upstream commit regress test for AuthorizedPrincipalsCommand Upstream-Regress-ID: c658fbf1ab6b6011dc83b73402322e396f1e1219 2015-05-21 06:44:25 +00:00			`fi`

			`# Establish a AuthorizedPrincipalsCommand in /var/run where it will have`
			`# acceptable directory permissions.`
let principals-command.sh work for noexec /var/run 2015-08-10 01:13:44 +00:00			`PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"`
			`cat << _EOF \| $SUDO sh -c "cat > '$PRINCIPALS_CMD'"`
upstream commit regress test for AuthorizedPrincipalsCommand Upstream-Regress-ID: c658fbf1ab6b6011dc83b73402322e396f1e1219 2015-05-21 06:44:25 +00:00			`#!/bin/sh`
			`test "x\$1" != "x${LOGNAME}" && exit 1`
			`test -f "$OBJ/authorized_principals_${LOGNAME}" &&`
			`exec cat "$OBJ/authorized_principals_${LOGNAME}"`
			`_EOF`
			`test $? -eq 0 \|\| fatal "couldn't prepare principals command"`
let principals-command.sh work for noexec /var/run 2015-08-10 01:13:44 +00:00			`$SUDO chmod 0755 "$PRINCIPALS_CMD"`
upstream commit regress test for AuthorizedPrincipalsCommand Upstream-Regress-ID: c658fbf1ab6b6011dc83b73402322e396f1e1219 2015-05-21 06:44:25 +00:00
Disable tests where fs perms are incorrect Some tests have strict requirements on the filesystem permissions for certain files and directories. This adds a regress/check-perm tool that copies the relevant logic from sshd to exactly test the paths in question. This lets us skip tests when the local filesystem doesn't conform to our expectations rather than continuing and failing the test run. ok dtucker@ 2016-02-23 05:12:13 +00:00			`if ! $OBJ/check-perm -m keys-command $PRINCIPALS_CMD ; then`
			`echo "skipping: $PRINCIPALS_CMD is unsuitable as " \`
			`"AuthorizedPrincipalsCommand"`
			`$SUDO rm -f $PRINCIPALS_CMD`
			`exit 0`
			`fi`

upstream commit regress test for AuthorizedPrincipalsCommand Upstream-Regress-ID: c658fbf1ab6b6011dc83b73402322e396f1e1219 2015-05-21 06:44:25 +00:00			`# Create a CA key and a user certificate.`
			`${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \|\| \`
			`fatal "ssh-keygen of user_ca_key failed"`
			`${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key \|\| \`
			`fatal "ssh-keygen of cert_user_key failed"`
			`${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \`
			`-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key \|\| \`
			`fatal "couldn't sign cert_user_key"`

let principals-command.sh work for noexec /var/run 2015-08-10 01:13:44 +00:00			`if [ -x $PRINCIPALS_CMD ]; then`
			`# Test explicitly-specified principals`
			`for privsep in yes no ; do`
			`_prefix="privsep $privsep"`

			`# Setup for AuthorizedPrincipalsCommand`
			`rm -f $OBJ/authorized_keys_$USER`
			`(`
			`cat $OBJ/sshd_proxy_bak`
			`echo "UsePrivilegeSeparation $privsep"`
			`echo "AuthorizedKeysFile none"`
			`echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"`
			`echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"`
			`echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"`
			`) > $OBJ/sshd_proxy`

			`# XXX test missing command`
			`# XXX test failing command`

			`# Empty authorized_principals`
			`verbose "$tid: ${_prefix} empty authorized_principals"`
			`echo > $OBJ/authorized_principals_$USER`
			`${SSH} -2i $OBJ/cert_user_key \`
			`-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1`
			`if [ $? -eq 0 ]; then`
			`fail "ssh cert connect succeeded unexpectedly"`
			`fi`

			`# Wrong authorized_principals`
			`verbose "$tid: ${_prefix} wrong authorized_principals"`
			`echo gregorsamsa > $OBJ/authorized_principals_$USER`
			`${SSH} -2i $OBJ/cert_user_key \`
			`-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1`
			`if [ $? -eq 0 ]; then`
			`fail "ssh cert connect succeeded unexpectedly"`
			`fi`

			`# Correct authorized_principals`
			`verbose "$tid: ${_prefix} correct authorized_principals"`
			`echo mekmitasdigoat > $OBJ/authorized_principals_$USER`
			`${SSH} -2i $OBJ/cert_user_key \`
			`-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1`
			`if [ $? -ne 0 ]; then`
			`fail "ssh cert connect failed"`
			`fi`

			`# authorized_principals with bad key option`
			`verbose "$tid: ${_prefix} authorized_principals bad key opt"`
			`echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER`
			`${SSH} -2i $OBJ/cert_user_key \`
			`-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1`
			`if [ $? -eq 0 ]; then`
			`fail "ssh cert connect succeeded unexpectedly"`
			`fi`

			`# authorized_principals with command=false`
			`verbose "$tid: ${_prefix} authorized_principals command=false"`
			`echo 'command="false" mekmitasdigoat' > \`
			`$OBJ/authorized_principals_$USER`
			`${SSH} -2i $OBJ/cert_user_key \`
			`-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1`
			`if [ $? -eq 0 ]; then`
			`fail "ssh cert connect succeeded unexpectedly"`
			`fi`

			`# authorized_principals with command=true`
			`verbose "$tid: ${_prefix} authorized_principals command=true"`
			`echo 'command="true" mekmitasdigoat' > \`
			`$OBJ/authorized_principals_$USER`
			`${SSH} -2i $OBJ/cert_user_key \`
			`-F $OBJ/ssh_proxy somehost false >/dev/null 2>&1`
			`if [ $? -ne 0 ]; then`
			`fail "ssh cert connect failed"`
			`fi`

			`# Setup for principals= key option`
			`rm -f $OBJ/authorized_principals_$USER`
			`(`
			`cat $OBJ/sshd_proxy_bak`
			`echo "UsePrivilegeSeparation $privsep"`
			`) > $OBJ/sshd_proxy`

			`# Wrong principals list`
			`verbose "$tid: ${_prefix} wrong principals key option"`
			`(`
			`printf 'cert-authority,principals="gregorsamsa" '`
			`cat $OBJ/user_ca_key.pub`
			`) > $OBJ/authorized_keys_$USER`
			`${SSH} -2i $OBJ/cert_user_key \`
			`-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1`
			`if [ $? -eq 0 ]; then`
			`fail "ssh cert connect succeeded unexpectedly"`
			`fi`

			`# Correct principals list`
			`verbose "$tid: ${_prefix} correct principals key option"`
			`(`
			`printf 'cert-authority,principals="mekmitasdigoat" '`
			`cat $OBJ/user_ca_key.pub`
			`) > $OBJ/authorized_keys_$USER`
			`${SSH} -2i $OBJ/cert_user_key \`
			`-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1`
			`if [ $? -ne 0 ]; then`
			`fail "ssh cert connect failed"`
			`fi`
			`done`
			`else`
			`echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \`
			`"(/var/run mounted noexec?)"`
			`fi`