mirror of git://anongit.mindrot.org/openssh.git
165 lines
4.6 KiB
Bash
165 lines
4.6 KiB
Bash
# $OpenBSD: agent.sh,v 1.17 2019/12/21 02:33:07 djm Exp $
|
|
# Placed in the Public Domain.
|
|
|
|
tid="simple agent test"
|
|
|
|
SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
|
|
if [ $? -ne 2 ]; then
|
|
fail "ssh-add -l did not fail with exit code 2"
|
|
fi
|
|
|
|
trace "start agent, args ${EXTRA_AGENT_ARGS} -s"
|
|
eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
|
|
r=$?
|
|
if [ $r -ne 0 ]; then
|
|
fatal "could not start ssh-agent: exit code $r"
|
|
fi
|
|
|
|
eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s | sed 's/SSH_/FW_SSH_/g'` > /dev/null
|
|
r=$?
|
|
if [ $r -ne 0 ]; then
|
|
fatal "could not start second ssh-agent: exit code $r"
|
|
fi
|
|
|
|
${SSHADD} -l > /dev/null 2>&1
|
|
if [ $? -ne 1 ]; then
|
|
fail "ssh-add -l did not fail with exit code 1"
|
|
fi
|
|
|
|
rm -f $OBJ/user_ca_key $OBJ/user_ca_key.pub
|
|
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \
|
|
|| fatal "ssh-keygen failed"
|
|
|
|
trace "overwrite authorized keys"
|
|
printf '' > $OBJ/authorized_keys_$USER
|
|
|
|
for t in ${SSH_KEYTYPES}; do
|
|
# generate user key for agent
|
|
rm -f $OBJ/$t-agent $OBJ/$t-agent.pub*
|
|
${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
|
|
fatal "ssh-keygen for $t-agent failed"
|
|
# Make a certificate for each too.
|
|
${SSHKEYGEN} -qs $OBJ/user_ca_key -I "$t cert" \
|
|
-n estragon $OBJ/$t-agent.pub || fatal "ca sign failed"
|
|
|
|
# add to authorized keys
|
|
cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
|
|
# add private key to agent
|
|
${SSHADD} $OBJ/$t-agent #> /dev/null 2>&1
|
|
if [ $? -ne 0 ]; then
|
|
fail "ssh-add failed exit code $?"
|
|
fi
|
|
# add private key to second agent
|
|
SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} $OBJ/$t-agent #> /dev/null 2>&1
|
|
if [ $? -ne 0 ]; then
|
|
fail "ssh-add failed exit code $?"
|
|
fi
|
|
# Remove private key to ensure that we aren't accidentally using it.
|
|
rm -f $OBJ/$t-agent
|
|
done
|
|
|
|
# Remove explicit identity directives from ssh_proxy
|
|
mv $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
|
|
grep -vi identityfile $OBJ/ssh_proxy_bak > $OBJ/ssh_proxy
|
|
|
|
${SSHADD} -l > /dev/null 2>&1
|
|
r=$?
|
|
if [ $r -ne 0 ]; then
|
|
fail "ssh-add -l failed: exit code $r"
|
|
fi
|
|
# the same for full pubkey output
|
|
${SSHADD} -L > /dev/null 2>&1
|
|
r=$?
|
|
if [ $r -ne 0 ]; then
|
|
fail "ssh-add -L failed: exit code $r"
|
|
fi
|
|
|
|
trace "simple connect via agent"
|
|
${SSH} -F $OBJ/ssh_proxy somehost exit 52
|
|
r=$?
|
|
if [ $r -ne 52 ]; then
|
|
fail "ssh connect with failed (exit code $r)"
|
|
fi
|
|
|
|
for t in ${SSH_KEYTYPES}; do
|
|
trace "connect via agent using $t key"
|
|
if [ "$t" = "ssh-dss" ]; then
|
|
echo "PubkeyAcceptedKeyTypes +ssh-dss" >> $OBJ/ssh_proxy
|
|
echo "PubkeyAcceptedKeyTypes +ssh-dss" >> $OBJ/sshd_proxy
|
|
fi
|
|
${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub -oIdentitiesOnly=yes \
|
|
somehost exit 52
|
|
r=$?
|
|
if [ $r -ne 52 ]; then
|
|
fail "ssh connect with failed (exit code $r)"
|
|
fi
|
|
done
|
|
|
|
trace "agent forwarding"
|
|
${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
|
|
r=$?
|
|
if [ $r -ne 0 ]; then
|
|
fail "ssh-add -l via agent fwd failed (exit code $r)"
|
|
fi
|
|
${SSH} "-oForwardAgent=$SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
|
|
r=$?
|
|
if [ $r -ne 0 ]; then
|
|
fail "ssh-add -l via agent path fwd failed (exit code $r)"
|
|
fi
|
|
${SSH} -A -F $OBJ/ssh_proxy somehost \
|
|
"${SSH} -F $OBJ/ssh_proxy somehost exit 52"
|
|
r=$?
|
|
if [ $r -ne 52 ]; then
|
|
fail "agent fwd failed (exit code $r)"
|
|
fi
|
|
|
|
trace "agent forwarding different agent"
|
|
${SSH} "-oForwardAgent=$FW_SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
|
|
r=$?
|
|
if [ $r -ne 0 ]; then
|
|
fail "ssh-add -l via agent path fwd of different agent failed (exit code $r)"
|
|
fi
|
|
${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
|
|
r=$?
|
|
if [ $r -ne 0 ]; then
|
|
fail "ssh-add -l via agent path env fwd of different agent failed (exit code $r)"
|
|
fi
|
|
|
|
# Remove keys from forwarded agent, ssh-add on remote machine should now fail.
|
|
SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} -D > /dev/null 2>&1
|
|
r=$?
|
|
if [ $r -ne 0 ]; then
|
|
fail "ssh-add -D failed: exit code $r"
|
|
fi
|
|
${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
|
|
r=$?
|
|
if [ $r -ne 1 ]; then
|
|
fail "ssh-add -l with different agent did not fail with exit code 1 (exit code $r)"
|
|
fi
|
|
|
|
(printf 'cert-authority,principals="estragon" '; cat $OBJ/user_ca_key.pub) \
|
|
> $OBJ/authorized_keys_$USER
|
|
for t in ${SSH_KEYTYPES}; do
|
|
if [ "$t" != "ssh-dss" ]; then
|
|
trace "connect via agent using $t key"
|
|
${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub \
|
|
-oCertificateFile=$OBJ/$t-agent-cert.pub \
|
|
-oIdentitiesOnly=yes somehost exit 52
|
|
r=$?
|
|
if [ $r -ne 52 ]; then
|
|
fail "ssh connect with failed (exit code $r)"
|
|
fi
|
|
fi
|
|
done
|
|
|
|
trace "delete all agent keys"
|
|
${SSHADD} -D > /dev/null 2>&1
|
|
r=$?
|
|
if [ $r -ne 0 ]; then
|
|
fail "ssh-add -D failed: exit code $r"
|
|
fi
|
|
|
|
trace "kill agent"
|
|
${SSHAGENT} -k > /dev/null
|
|
SSH_AGENT_PID=$FW_SSH_AGENT_PID ${SSHAGENT} -k > /dev/null
|