mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-24 19:02:06 +00:00
- djm@cvs.openbsd.org 2010/05/07 11:31:26
[regress/Makefile regress/cert-userkey.sh] regress tests for AuthorizedPrincipalsFile and "principals=" key option. feedback and ok markus@
This commit is contained in:
parent
4b1ec8381b
commit
3bcce80b54
@ -1,3 +1,10 @@
|
||||
20100521
|
||||
- (djm) OpenBSD CVS Sync
|
||||
- djm@cvs.openbsd.org 2010/05/07 11:31:26
|
||||
[regress/Makefile regress/cert-userkey.sh]
|
||||
regress tests for AuthorizedPrincipalsFile and "principals=" key option.
|
||||
feedback and ok markus@
|
||||
|
||||
20100511
|
||||
- (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve
|
||||
circular dependency problem on old or odd platforms. From Tom Lane, ok
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: Makefile,v 1.52 2010/02/26 20:33:21 djm Exp $
|
||||
# $OpenBSD: Makefile,v 1.53 2010/05/07 11:31:26 djm Exp $
|
||||
|
||||
REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec
|
||||
tests: $(REGRESS_TARGETS)
|
||||
@ -69,7 +69,8 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
|
||||
scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
|
||||
sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
|
||||
known_hosts-cert host_ca_key* cert_host_key* \
|
||||
putty.rsa2 sshd_proxy_orig
|
||||
putty.rsa2 sshd_proxy_orig \
|
||||
authorized_principals_${USER}
|
||||
|
||||
# Enable all malloc(3) randomisations and checks
|
||||
TEST_ENV= "MALLOC_OPTIONS=AFGJPRX"
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
|
||||
# $OpenBSD: cert-userkey.sh,v 1.5 2010/05/07 11:31:26 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="certified user keys"
|
||||
@ -18,16 +18,100 @@ for ktype in rsa dsa ; do
|
||||
fail "ssh-keygen of cert_user_key_${ktype} failed"
|
||||
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
|
||||
"regress user key for $USER" \
|
||||
-n $USER $OBJ/cert_user_key_${ktype} ||
|
||||
-n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
|
||||
fail "couldn't sign cert_user_key_${ktype}"
|
||||
cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
|
||||
cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
|
||||
${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
|
||||
"regress user key for $USER" \
|
||||
-n $USER $OBJ/cert_user_key_${ktype}_v00 ||
|
||||
-n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
|
||||
fail "couldn't sign cert_user_key_${ktype}_v00"
|
||||
done
|
||||
|
||||
# Test explicitly-specified principals
|
||||
for ktype in rsa dsa rsa_v00 dsa_v00 ; do
|
||||
for privsep in yes no ; do
|
||||
_prefix="${ktype} privsep $privsep"
|
||||
|
||||
# Setup for AuthorizedPrincipalsFile
|
||||
rm -f $OBJ/authorized_keys_$USER
|
||||
(
|
||||
cat $OBJ/sshd_proxy_bak
|
||||
echo "UsePrivilegeSeparation $privsep"
|
||||
echo "AuthorizedPrincipalsFile " \
|
||||
"$OBJ/authorized_principals_%u"
|
||||
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
|
||||
) > $OBJ/sshd_proxy
|
||||
|
||||
# Missing authorized_principals
|
||||
verbose "$tid: ${_prefix} missing authorized_principals"
|
||||
rm -f $OBJ/authorized_principals_$USER
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect succeeded unexpectedly"
|
||||
fi
|
||||
|
||||
# Empty authorized_principals
|
||||
verbose "$tid: ${_prefix} empty authorized_principals"
|
||||
echo > $OBJ/authorized_principals_$USER
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect succeeded unexpectedly"
|
||||
fi
|
||||
|
||||
# Wrong authorized_principals
|
||||
verbose "$tid: ${_prefix} wrong authorized_principals"
|
||||
echo gregorsamsa > $OBJ/authorized_principals_$USER
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect succeeded unexpectedly"
|
||||
fi
|
||||
|
||||
# Correct authorized_principals
|
||||
verbose "$tid: ${_prefix} correct authorized_principals"
|
||||
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh cert connect failed"
|
||||
fi
|
||||
|
||||
# Setup for principals= key option
|
||||
rm -f $OBJ/authorized_principals_$USER
|
||||
(
|
||||
cat $OBJ/sshd_proxy_bak
|
||||
echo "UsePrivilegeSeparation $privsep"
|
||||
) > $OBJ/sshd_proxy
|
||||
|
||||
# Wrong principals list
|
||||
verbose "$tid: ${_prefix} wrong principals key option"
|
||||
(
|
||||
echon 'cert-authority,principals="gregorsamsa" '
|
||||
cat $OBJ/user_ca_key.pub
|
||||
) > $OBJ/authorized_keys_$USER
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect succeeded unexpectedly"
|
||||
fi
|
||||
|
||||
# Correct principals list
|
||||
verbose "$tid: ${_prefix} correct principals key option"
|
||||
(
|
||||
echon 'cert-authority,principals="mekmitasdigoat" '
|
||||
cat $OBJ/user_ca_key.pub
|
||||
) > $OBJ/authorized_keys_$USER
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh cert connect failed"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
basic_tests() {
|
||||
auth=$1
|
||||
if test "x$auth" = "xauthorized_keys" ; then
|
||||
@ -108,6 +192,7 @@ test_one() {
|
||||
result=$2
|
||||
sign_opts=$3
|
||||
auth_choice=$4
|
||||
auth_opt=$5
|
||||
|
||||
if test "x$auth_choice" = "x" ; then
|
||||
auth_choice="authorized_keys TrustedUserCAKeys"
|
||||
@ -119,14 +204,16 @@ test_one() {
|
||||
if test "x$auth" = "xauthorized_keys" ; then
|
||||
# Add CA to authorized_keys
|
||||
(
|
||||
echon 'cert-authority '
|
||||
echon "cert-authority${auth_opt} "
|
||||
cat $OBJ/user_ca_key.pub
|
||||
) > $OBJ/authorized_keys_$USER
|
||||
else
|
||||
echo > $OBJ/authorized_keys_$USER
|
||||
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
|
||||
>> $OBJ/sshd_proxy
|
||||
|
||||
if test "x$auth_opt" != "x" ; then
|
||||
echo $auth_opt >> $OBJ/sshd_proxy
|
||||
fi
|
||||
fi
|
||||
|
||||
verbose "$tid: $ident auth $auth expect $result $ktype"
|
||||
@ -165,7 +252,26 @@ test_one "force-command" failure "-n ${USER} -Oforce-command=false"
|
||||
test_one "empty principals" success "" authorized_keys
|
||||
test_one "empty principals" failure "" TrustedUserCAKeys
|
||||
|
||||
# Check explicitly-specified principals: an empty principals list in the cert
|
||||
# should always be refused.
|
||||
|
||||
# AuthorizedPrincipalsFile
|
||||
rm -f $OBJ/authorized_keys_$USER
|
||||
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
|
||||
test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
|
||||
TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
|
||||
test_one "AuthorizedPrincipalsFile no principals" failure "" \
|
||||
TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
|
||||
|
||||
# principals= key option
|
||||
rm -f $OBJ/authorized_principals_$USER
|
||||
test_one "principals key option principals" success "-n mekmitasdigoat" \
|
||||
authorized_keys ',principals="mekmitasdigoat"'
|
||||
test_one "principals key option no principals" failure "" \
|
||||
authorized_keys ',principals="mekmitasdigoat"'
|
||||
|
||||
# Wrong certificate
|
||||
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
|
||||
for ktype in rsa dsa rsa_v00 dsa_v00 ; do
|
||||
case $ktype in
|
||||
*_v00) args="-t v00" ;;
|
||||
@ -185,4 +291,5 @@ for ktype in rsa dsa rsa_v00 dsa_v00 ; do
|
||||
done
|
||||
|
||||
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
|
||||
rm -f $OBJ/authorized_principals_$USER
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user