1 # $OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
2 # Placed in the Public Domain.
tid="certified user keys"

# Start from a clean slate: remove any CA key, user keys and
# authorized_keys file left by an earlier run, and keep a pristine copy
# of the proxy sshd_config that the tests below append directives to.
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

# The CA key that certifies every user key in this test.
if ! ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ; then
	fail "ssh-keygen of user_ca_key failed"
fi

# For each key type: generate a user key and have the CA sign it, then
# copy the key to *_v00 and sign that copy with -t v00 so both
# certificate formats are available to the tests.
for ktype in rsa dsa ; do
	verbose "$tid: sign user ${ktype} cert"
	if ! ${SSHKEYGEN} -q -N '' -t ${ktype} -f $OBJ/cert_user_key_${ktype} ; then
		fail "ssh-keygen of cert_user_key_${ktype} failed"
	fi
	if ! ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
	    -I "regress user key for $USER" -n $USER \
	    $OBJ/cert_user_key_${ktype} ; then
		fail "couldn't sign cert_user_key_${ktype}"
	fi
	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
	if ! ${SSHKEYGEN} -q -s $OBJ/user_ca_key -t v00 \
	    -I "regress user key for $USER" -n $USER \
	    $OBJ/cert_user_key_${ktype}_v00 ; then
		fail "couldn't sign cert_user_key_${ktype}_v00"
	fi
done
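#
# basic_tests auth
#
# Exercise certified-user-key authentication with the CA trusted either
# through a "cert-authority" entry in authorized_keys or through sshd's
# TrustedUserCAKeys, as selected by $1.  For every key type and privsep
# setting: a CA-signed certificate must authenticate; a certificate whose
# key is listed in RevokedKeys must not; a certificate whose CA is listed
# in RevokedKeys must not; and the CA key itself must never authenticate
# as a user key.  Failures are reported through fail().  Rewrites
# $OBJ/sshd_proxy and $OBJ/authorized_keys_$USER.
#
basic_tests() {
	auth=$1
	if test "x$auth" = "xauthorized_keys" ; then
		# Add CA to authorized_keys; nothing extra goes into sshd_config.
		# Reset extra_sshd explicitly so a TrustedUserCAKeys directive
		# from a previous call cannot leak into this run and mask a
		# failure of the authorized_keys path.
		extra_sshd=""
		(
			echon 'cert-authority '
			cat $OBJ/user_ca_key.pub
		) > $OBJ/authorized_keys_$USER
	else
		echo > $OBJ/authorized_keys_$USER
		extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
	fi

	for ktype in rsa dsa rsa_v00 dsa_v00 ; do
		for privsep in yes no ; do
			_prefix="${ktype} privsep $privsep $auth"
			# Simple connect
			verbose "$tid: ${_prefix} connect"
			(
				cat $OBJ/sshd_proxy_bak
				echo "UsePrivilegeSeparation $privsep"
				echo "$extra_sshd"
			) > $OBJ/sshd_proxy

			# Unlike the negative cases below, stderr is not silenced
			# for the positive connect.
			${SSH} -2i $OBJ/cert_user_key_${ktype} \
			    -F $OBJ/ssh_proxy somehost true
			if [ $? -ne 0 ]; then
				fail "ssh cert connect failed"
			fi

			# Revoked keys: the certified key's own public key is revoked.
			verbose "$tid: ${_prefix} revoked key"
			(
				cat $OBJ/sshd_proxy_bak
				echo "UsePrivilegeSeparation $privsep"
				echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
				echo "$extra_sshd"
			) > $OBJ/sshd_proxy
			${SSH} -2i $OBJ/cert_user_key_${ktype} \
			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
			if [ $? -eq 0 ]; then
				fail "ssh cert connect succeeded unexpecedly"
			fi
		done

		# Revoked CA: revoking the CA key must invalidate every
		# certificate it signed.
		verbose "$tid: ${ktype} $auth revoked CA key"
		(
			cat $OBJ/sshd_proxy_bak
			echo "RevokedKeys $OBJ/user_ca_key.pub"
			echo "$extra_sshd"
		) > $OBJ/sshd_proxy
		${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
		    somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpecedly"
		fi
	done

	# The CA key is only a trust anchor; presenting it as the user's
	# own key must be rejected.
	verbose "$tid: $auth CA does not authenticate"
	(
		cat $OBJ/sshd_proxy_bak
		echo "$extra_sshd"
	) > $OBJ/sshd_proxy
	verbose "$tid: ensure CA key does not authenticate user"
	${SSH} -2i $OBJ/user_ca_key \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect with CA key succeeded unexpectedly"
	fi
}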
# Run the basic suite once for each way of trusting the CA.
basic_tests authorized_keys
basic_tests TrustedUserCAKeys
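#
# test_one ident result sign_opts [auth_choice]
#
# Re-sign the rsa and rsa_v00 user keys with the CA using $sign_opts
# (expanded unquoted, so it may carry several ssh-keygen arguments) and
# check that the connection outcome matches $result: "success" means the
# login must work, any other value means it must be refused.
# $auth_choice selects the trust path, "authorized_keys",
# "TrustedUserCAKeys", or both (the default).  Mismatches are reported
# through fail() labelled with $ident.  Rewrites $OBJ/sshd_proxy and
# $OBJ/authorized_keys_$USER.
#
test_one() {
	ident=$1
	result=$2
	sign_opts=$3
	auth_choice=$4

	if test "x$auth_choice" = "x" ; then
		auth_choice="authorized_keys TrustedUserCAKeys"
	fi

	for auth in $auth_choice ; do
		for ktype in rsa rsa_v00 ; do
			# The *_v00 key was signed with -t v00 at setup; re-signing
			# it without that flag would replace its certificate with a
			# default-format one and the v00 path would never actually
			# be exercised.  Pick the format from the key name, as the
			# "Wrong certificate" loop below already does.
			case $ktype in
			*_v00) args="-t v00" ;;
			*) args="" ;;
			esac

			cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
			if test "x$auth" = "xauthorized_keys" ; then
				# Add CA to authorized_keys
				(
					echon 'cert-authority '
					cat $OBJ/user_ca_key.pub
				) > $OBJ/authorized_keys_$USER
			else
				echo > $OBJ/authorized_keys_$USER
				echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
				    >> $OBJ/sshd_proxy
			fi

			verbose "$tid: $ident auth $auth expect $result $ktype"
			${SSHKEYGEN} -q -s $OBJ/user_ca_key $args \
			    -I "regress user key for $USER" \
			    $sign_opts \
			    $OBJ/cert_user_key_${ktype} ||
				fail "couldn't sign cert_user_key_${ktype}"

			${SSH} -2i $OBJ/cert_user_key_${ktype} \
			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
			rc=$?
			if [ "x$result" = "xsuccess" ] ; then
				if [ $rc -ne 0 ]; then
					fail "$ident failed unexpectedly"
				fi
			else
				if [ $rc -eq 0 ]; then
					fail "$ident succeeded unexpectedly"
				fi
			fi
		done
	done
}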
# Certificate-content checks, each run against both trust paths unless
# the fourth argument narrows it: principal matching, certificate type,
# validity interval, and the -O source-address / force-command options.
test_one "correct principal" success "-n ${USER}"
test_one "host-certificate" failure "-n ${USER} -h"
test_one "wrong principals" failure "-n foo"
test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
test_one "force-command" failure "-n ${USER} -Oforce-command=false"

# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
test_one "empty principals" success "" authorized_keys
test_one "empty principals" failure "" TrustedUserCAKeys
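# Wrong certificate: a certificate signed by the user key itself rather
# than by the CA must be rejected for every key type.
# NOTE(review): neither $OBJ/sshd_proxy nor $OBJ/authorized_keys_$USER is
# reset here, so this runs against whatever the last test_one call left
# behind.
for ktype in rsa dsa rsa_v00 dsa_v00 ; do
	case $ktype in
	*_v00) args="-t v00" ;;
	*) args="" ;;
	esac
	# Self-sign
	${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
	    "regress user key for $USER" \
	    -n $USER $OBJ/cert_user_key_${ktype} ||
		fail "couldn't sign cert_user_key_${ktype}"
	verbose "$tid: user ${ktype} connect wrong cert"
	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
	    somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		# Label the failure with the key type under test, the only
		# loop variable in scope here; a test_one identifier would be
		# a stale leftover and mislabel the report.
		fail "ssh cert connect ${ktype} succeeded unexpectedly"
	fi
done

# Remove the keys and authorized_keys file created by this test.
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*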