summaryrefslogtreecommitdiffstats
path: root/regress
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2010-05-21 06:48:16 +0200
committerDamien Miller <djm@mindrot.org>2010-05-21 06:48:16 +0200
commit3bcce80b544174b70dfd6e0a4e9f1488ca6fa69b (patch)
tree65bf3f349a07e0ebb2683c904c57d69730c86eea /regress
parent - (djm) [openbsd-compat/openssl-compat.h] Fix build breakage on older (diff)
downloadopenssh-3bcce80b544174b70dfd6e0a4e9f1488ca6fa69b.tar.xz
openssh-3bcce80b544174b70dfd6e0a4e9f1488ca6fa69b.zip
- djm@cvs.openbsd.org 2010/05/07 11:31:26
[regress/Makefile regress/cert-userkey.sh] regress tests for AuthorizedPrincipalsFile and "principals=" key option. feedback and ok markus@
Diffstat (limited to 'regress')
-rw-r--r--regress/Makefile5
-rw-r--r--regress/cert-userkey.sh117
2 files changed, 115 insertions, 7 deletions
diff --git a/regress/Makefile b/regress/Makefile
index d25a64555..6e7b441bf 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.52 2010/02/26 20:33:21 djm Exp $
+# $OpenBSD: Makefile,v 1.53 2010/05/07 11:31:26 djm Exp $
REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec
tests: $(REGRESS_TARGETS)
@@ -69,7 +69,8 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
known_hosts-cert host_ca_key* cert_host_key* \
- putty.rsa2 sshd_proxy_orig
+ putty.rsa2 sshd_proxy_orig \
+ authorized_principals_${USER}
# Enable all malloc(3) randomisations and checks
TEST_ENV= "MALLOC_OPTIONS=AFGJPRX"
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 88d6d70a4..8fd1b48db 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
+# $OpenBSD: cert-userkey.sh,v 1.5 2010/05/07 11:31:26 djm Exp $
# Placed in the Public Domain.
tid="certified user keys"
@@ -18,16 +18,100 @@ for ktype in rsa dsa ; do
fail "ssh-keygen of cert_user_key_${ktype} failed"
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
"regress user key for $USER" \
- -n $USER $OBJ/cert_user_key_${ktype} ||
+ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}"
cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
"regress user key for $USER" \
- -n $USER $OBJ/cert_user_key_${ktype}_v00 ||
+ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
fail "couldn't sign cert_user_key_${ktype}_v00"
done
+# Test explicitly-specified principals
+for ktype in rsa dsa rsa_v00 dsa_v00 ; do
+ for privsep in yes no ; do
+ _prefix="${ktype} privsep $privsep"
+
+ # Setup for AuthorizedPrincipalsFile
+ rm -f $OBJ/authorized_keys_$USER
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo "UsePrivilegeSeparation $privsep"
+ echo "AuthorizedPrincipalsFile " \
+ "$OBJ/authorized_principals_%u"
+ echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+ ) > $OBJ/sshd_proxy
+
+ # Missing authorized_principals
+ verbose "$tid: ${_prefix} missing authorized_principals"
+ rm -f $OBJ/authorized_principals_$USER
+ ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+ fi
+
+ # Empty authorized_principals
+ verbose "$tid: ${_prefix} empty authorized_principals"
+ echo > $OBJ/authorized_principals_$USER
+ ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+ fi
+
+ # Wrong authorized_principals
+ verbose "$tid: ${_prefix} wrong authorized_principals"
+ echo gregorsamsa > $OBJ/authorized_principals_$USER
+ ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+ fi
+
+ # Correct authorized_principals
+ verbose "$tid: ${_prefix} correct authorized_principals"
+ echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+ ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
+
+ # Setup for principals= key option
+ rm -f $OBJ/authorized_principals_$USER
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo "UsePrivilegeSeparation $privsep"
+ ) > $OBJ/sshd_proxy
+
+ # Wrong principals list
+ verbose "$tid: ${_prefix} wrong principals key option"
+ (
+ echon 'cert-authority,principals="gregorsamsa" '
+ cat $OBJ/user_ca_key.pub
+ ) > $OBJ/authorized_keys_$USER
+ ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+ fi
+
+ # Correct principals list
+ verbose "$tid: ${_prefix} correct principals key option"
+ (
+ echon 'cert-authority,principals="mekmitasdigoat" '
+ cat $OBJ/user_ca_key.pub
+ ) > $OBJ/authorized_keys_$USER
+ ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
+ done
+done
+
basic_tests() {
auth=$1
if test "x$auth" = "xauthorized_keys" ; then
@@ -108,6 +192,7 @@ test_one() {
result=$2
sign_opts=$3
auth_choice=$4
+ auth_opt=$5
if test "x$auth_choice" = "x" ; then
auth_choice="authorized_keys TrustedUserCAKeys"
@@ -119,14 +204,16 @@ test_one() {
if test "x$auth" = "xauthorized_keys" ; then
# Add CA to authorized_keys
(
- echon 'cert-authority '
+ echon "cert-authority${auth_opt} "
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
else
echo > $OBJ/authorized_keys_$USER
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
>> $OBJ/sshd_proxy
-
+ if test "x$auth_opt" != "x" ; then
+ echo $auth_opt >> $OBJ/sshd_proxy
+ fi
fi
verbose "$tid: $ident auth $auth expect $result $ktype"
@@ -165,7 +252,26 @@ test_one "force-command" failure "-n ${USER} -Oforce-command=false"
test_one "empty principals" success "" authorized_keys
test_one "empty principals" failure "" TrustedUserCAKeys
+# Check explicitly-specified principals: an empty principals list in the cert
+# should always be refused.
+
+# AuthorizedPrincipalsFile
+rm -f $OBJ/authorized_keys_$USER
+echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
+ TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
+test_one "AuthorizedPrincipalsFile no principals" failure "" \
+ TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
+
+# principals= key option
+rm -f $OBJ/authorized_principals_$USER
+test_one "principals key option principals" success "-n mekmitasdigoat" \
+ authorized_keys ',principals="mekmitasdigoat"'
+test_one "principals key option no principals" failure "" \
+ authorized_keys ',principals="mekmitasdigoat"'
+
# Wrong certificate
+cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
for ktype in rsa dsa rsa_v00 dsa_v00 ; do
case $ktype in
*_v00) args="-t v00" ;;
@@ -185,4 +291,5 @@ for ktype in rsa dsa rsa_v00 dsa_v00 ; do
done
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
+rm -f $OBJ/authorized_principals_$USER