regress/cert-userkey.sh - security/openssh-library - Rivoreo Source Code Repositories

 #	$OpenBSD: cert-userkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
 #	Placed in the Public Domain.

 tid="certified user keys"

 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

 # Create a CA key and add it to authorized_keys
 ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
 	fail "ssh-keygen of user_ca_key failed"
 (
 	echon 'cert-authority '
 	cat $OBJ/user_ca_key.pub
 ) > $OBJ/authorized_keys_$USER

 # Generate and sign user keys
 for ktype in rsa dsa ; do
 	verbose "$tid: sign user ${ktype} cert"
 	${SSHKEYGEN} -q -N '' -t ${ktype} \
 	    -f $OBJ/cert_user_key_${ktype} || \
 		fail "ssh-keygen of cert_user_key_${ktype} failed"
 	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
 	    "regress user key for $USER" \
 	    -n $USER $OBJ/cert_user_key_${ktype} ||
 		fail "couldn't sign cert_user_key_${ktype}"

 done

 # Basic connect tests
 for privsep in yes no ; do
 	for ktype in rsa dsa ; do
 		verbose "$tid: user ${ktype} cert connect privsep $privsep"
 		(
 			cat $OBJ/sshd_proxy_bak
 			echo "UsePrivilegeSeparation $privsep"
 		) > $OBJ/sshd_proxy

 		${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
 		    somehost true
 		if [ $? -ne 0 ]; then
 			fail "ssh cert connect failed"
 		fi
 	done
 done

 verbose "$tid: ensure CA key does not authenticate user"
 ${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 	fail "ssh cert connect with CA key succeeded unexpectedly"
 fi

 test_one() {
 	ident=$1
 	result=$2
 	sign_opts=$3

 	verbose "$tid: test user cert connect $ident expect $result"

 	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
 	    $sign_opts \
 	    $OBJ/cert_user_key_rsa ||
 		fail "couldn't sign cert_user_key_rsa"

 	${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
 	    somehost true >/dev/null 2>&1
 	rc=$?
 	if [ "x$result" = "xsuccess" ] ; then
 		if [ $rc -ne 0 ]; then
 			fail "ssh cert connect $ident failed unexpectedly"
 		fi
 	else
 		if [ $rc -eq 0 ]; then
 			fail "ssh cert connect $ident succeeded unexpectedly"
 		fi
 	fi
 	cleanup
 }

 test_one "host-certificate"	failure "-h"
 test_one "empty principals"	success ""
 test_one "wrong principals"	failure "-n foo"
 test_one "cert not yet valid"	failure "-V20200101:20300101"
 test_one "cert expired"		failure "-V19800101:19900101"
 test_one "cert valid interval"	success "-V-1w:+2w"
 test_one "wrong source-address"	failure "-Osource-address=10.0.0.0/8"
 test_one "force-command"	failure "-Oforce-command=false"

 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
	# $OpenBSD: cert-userkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
	# Placed in the Public Domain.

	tid="certified user keys"

	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

	# Create a CA key and add it to authorized_keys
	${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key \|\|\
	fail "ssh-keygen of user_ca_key failed"
	(
	echon 'cert-authority '
	cat $OBJ/user_ca_key.pub
	) > $OBJ/authorized_keys_$USER

	# Generate and sign user keys
	for ktype in rsa dsa ; do
	verbose "$tid: sign user ${ktype} cert"
	${SSHKEYGEN} -q -N '' -t ${ktype} \
	-f $OBJ/cert_user_key_${ktype} \|\| \
	fail "ssh-keygen of cert_user_key_${ktype} failed"
	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
	"regress user key for $USER" \
	-n $USER $OBJ/cert_user_key_${ktype} \|\|
	fail "couldn't sign cert_user_key_${ktype}"

	done

	# Basic connect tests
	for privsep in yes no ; do
	for ktype in rsa dsa ; do
	verbose "$tid: user ${ktype} cert connect privsep $privsep"
	(
	cat $OBJ/sshd_proxy_bak
	echo "UsePrivilegeSeparation $privsep"
	) > $OBJ/sshd_proxy

	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
	somehost true
	if [ $? -ne 0 ]; then
	fail "ssh cert connect failed"
	fi
	done
	done

	verbose "$tid: ensure CA key does not authenticate user"
	${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
	fail "ssh cert connect with CA key succeeded unexpectedly"
	fi

	test_one() {
	ident=$1
	result=$2
	sign_opts=$3

	verbose "$tid: test user cert connect $ident expect $result"

	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
	$sign_opts \
	$OBJ/cert_user_key_rsa \|\|
	fail "couldn't sign cert_user_key_rsa"

	${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
	somehost true >/dev/null 2>&1
	rc=$?
	if [ "x$result" = "xsuccess" ] ; then
	if [ $rc -ne 0 ]; then
	fail "ssh cert connect $ident failed unexpectedly"
	fi
	else
	if [ $rc -eq 0 ]; then
	fail "ssh cert connect $ident succeeded unexpectedly"
	fi
	fi
	cleanup
	}

	test_one "host-certificate" failure "-h"
	test_one "empty principals" success ""
	test_one "wrong principals" failure "-n foo"
	test_one "cert not yet valid" failure "-V20200101:20300101"
	test_one "cert expired" failure "-V19800101:19900101"
	test_one "cert valid interval" success "-V-1w:+2w"
	test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8"
	test_one "force-command" failure "-Oforce-command=false"

	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*