diff options
| author | Damien Miller <djm@cvs.openbsd.org> | 2010-05-07 11:31:27 +0000 |
|---|---|---|
| committer | Damien Miller <djm@cvs.openbsd.org> | 2010-05-07 11:31:27 +0000 |
| commit | 8907103beeda79f5b8410766045866fa48dd7648 (patch) | |
| tree | 6f3273bda784b9a4d135fe7c97f67c8ecfdd10e0 /regress | |
| parent | 52c11610cb668bb2d16beeab8db488503604b9bc (diff) | |
regress tests for AuthorizedPrincipalsFile and "principals=" key option.
feedback and ok markus@
Diffstat (limited to 'regress')
| -rw-r--r-- | regress/usr.bin/ssh/Makefile | 5 | ||||
| -rw-r--r-- | regress/usr.bin/ssh/cert-userkey.sh | 117 |
2 files changed, 115 insertions, 7 deletions
diff --git a/regress/usr.bin/ssh/Makefile b/regress/usr.bin/ssh/Makefile index 8dee12df83e..9c7f9897456 100644 --- a/regress/usr.bin/ssh/Makefile +++ b/regress/usr.bin/ssh/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.52 2010/02/26 20:33:21 djm Exp $ +# $OpenBSD: Makefile,v 1.53 2010/05/07 11:31:26 djm Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 @@ -60,7 +60,8 @@ CLEANFILES+= authorized_keys_${USER} known_hosts pidfile \ ls.copy banner.in banner.out empty.in \ scp-ssh-wrapper.exe ssh_proxy_envpass remote_pid \ sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \ - known_hosts-cert host_ca_key* cert_host_key* + known_hosts-cert host_ca_key* cert_host_key* \ + authorized_principals_${USER} # Enable all malloc(3) randomisations and checks TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" diff --git a/regress/usr.bin/ssh/cert-userkey.sh b/regress/usr.bin/ssh/cert-userkey.sh index 29ec5f48183..102b13ab38b 100644 --- a/regress/usr.bin/ssh/cert-userkey.sh +++ b/regress/usr.bin/ssh/cert-userkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $ +# $OpenBSD: cert-userkey.sh,v 1.5 2010/05/07 11:31:26 djm Exp $ # Placed in the Public Domain. tid="certified user keys" @@ -18,16 +18,100 @@ for ktype in rsa dsa ; do fail "ssh-keygen of cert_user_key_${ktype} failed" ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \ "regress user key for $USER" \ - -n $USER $OBJ/cert_user_key_${ktype} || + -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ "regress user key for $USER" \ - -n $USER $OBJ/cert_user_key_${ktype}_v00 || + -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || fail "couldn't sign cert_user_key_${ktype}_v00" done +# Test explicitly-specified principals +for ktype in rsa dsa rsa_v00 dsa_v00 ; do + for privsep in yes no ; do + _prefix="${ktype} privsep $privsep" + + # Setup for AuthorizedPrincipalsFile + rm -f $OBJ/authorized_keys_$USER + ( + cat $OBJ/sshd_proxy_bak + echo "UsePrivilegeSeparation $privsep" + echo "AuthorizedPrincipalsFile " \ + "$OBJ/authorized_principals_%u" + echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" + ) > $OBJ/sshd_proxy + + # Missing authorized_principals + verbose "$tid: ${_prefix} missing authorized_principals" + rm -f $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Empty authorized_principals + verbose "$tid: ${_prefix} empty authorized_principals" + echo > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Wrong authorized_principals + verbose "$tid: ${_prefix} wrong authorized_principals" + echo gregorsamsa > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Correct authorized_principals + verbose "$tid: ${_prefix} correct authorized_principals" + echo mekmitasdigoat > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + + # Setup for principals= key option + rm -f $OBJ/authorized_principals_$USER + ( + cat $OBJ/sshd_proxy_bak + echo "UsePrivilegeSeparation $privsep" + ) > $OBJ/sshd_proxy + + # Wrong principals list + verbose "$tid: ${_prefix} wrong principals key option" + ( + echo -n 'cert-authority,principals="gregorsamsa" ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Correct principals list + verbose "$tid: ${_prefix} correct principals key option" + ( + echo -n 'cert-authority,principals="mekmitasdigoat" ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + done +done + basic_tests() { auth=$1 if test "x$auth" = "xauthorized_keys" ; then @@ -108,6 +192,7 @@ test_one() { result=$2 sign_opts=$3 auth_choice=$4 + auth_opt=$5 if test "x$auth_choice" = "x" ; then auth_choice="authorized_keys TrustedUserCAKeys" @@ -119,14 +204,16 @@ test_one() { if test "x$auth" = "xauthorized_keys" ; then # Add CA to authorized_keys ( - echo -n 'cert-authority ' + echo -n "cert-authority${auth_opt} " cat $OBJ/user_ca_key.pub ) > $OBJ/authorized_keys_$USER else echo > $OBJ/authorized_keys_$USER echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ >> $OBJ/sshd_proxy - + if test "x$auth_opt" != "x" ; then + echo $auth_opt >> $OBJ/sshd_proxy + fi fi verbose "$tid: $ident auth $auth expect $result $ktype" @@ -165,7 +252,26 @@ test_one "force-command" failure "-n ${USER} -Oforce-command=false" test_one "empty principals" success "" authorized_keys test_one "empty principals" failure "" TrustedUserCAKeys +# Check explicitly-specified principals: an empty principals list in the cert +# should always be refused. + +# AuthorizedPrincipalsFile +rm -f $OBJ/authorized_keys_$USER +echo mekmitasdigoat > $OBJ/authorized_principals_$USER +test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \ + TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" +test_one "AuthorizedPrincipalsFile no principals" failure "" \ + TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" + +# principals= key option +rm -f $OBJ/authorized_principals_$USER +test_one "principals key option principals" success "-n mekmitasdigoat" \ + authorized_keys ',principals="mekmitasdigoat"' +test_one "principals key option no principals" failure "" \ + authorized_keys ',principals="mekmitasdigoat"' + # Wrong certificate +cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy for ktype in rsa dsa rsa_v00 dsa_v00 ; do case $ktype in *_v00) args="-t v00" ;; @@ -185,4 +291,5 @@ for ktype in rsa dsa rsa_v00 dsa_v00 ; do done rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* +rm -f $OBJ/authorized_principals_$USER |