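#!/bin/sh
#
# Regenerates the certificate fixtures (*.cert) in the current directory.
# A throwaway ed25519 CA key and user key are created here; the script's
# final step deletes them again, so only the signed certificates remain.
#
# NOTE(review): both private keys are written without a passphrase (-N '').
# Because of `set -e`, a failing step aborts before the final cleanup and
# leaves ca_key/user_key on disk until the next run removes them. Treat
# them as test-only material and never reuse them elsewhere.

# -x traces every command, -e aborts on the first failing command.
set -xe

# Start from a clean slate: drop keys and certificates from earlier runs.
rm -f ca_key ca_key.pub
rm -f user_key user_key.pub
# "./" keeps a file name beginning with "-" from being read as an rm option.
rm -f ./*.cert

# Fresh key pairs; -q is quiet, -C sets the key comment.
ssh-keygen -q -f ca_key -t ed25519 -C CA -N ''
ssh-keygen -q -f user_key -t ed25519 -C "user key" -N ''
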
# sign OUTPUT [ssh-keygen options...]
#
# Signs user_key.pub with ca_key and stores the certificate as OUTPUT.
# Every certificate gets key ID "user", principal "user", serial 1 and a
# validity interval of 19990101:19991231; remaining arguments are handed to
# ssh-keygen unchanged, ahead of the public key path.
# NOTE(review): that interval lies entirely in 1999, so the certificates are
# already expired -- presumably whatever consumes them inspects options
# without checking validity; confirm before reusing them elsewhere.
sign() {
	output="$1"
	shift
	# Re-assert tracing and abort-on-error inside the function.
	set -xe
	# ssh-keygen writes its result to user_key-cert.pub ...
	ssh-keygen -q \
	    -s ca_key \
	    -I user \
	    -n user \
	    -V 19990101:19991231 \
	    -z 1 \
	    "$@" user_key.pub
	# ... which is then moved to the requested name.
	mv user_key-cert.pub "$output"
}

# Baselines: every permit-* flag requested explicitly, then everything
# cleared with no flag re-enabled.
sign all_permit.cert \
    -Opermit-agent-forwarding \
    -Opermit-port-forwarding \
    -Opermit-pty \
    -Opermit-user-rc \
    -Opermit-X11-forwarding
sign no_permit.cert -Oclear

# Each entry is <file stem>:<flag suffix>. The list is expanded unquoted on
# purpose so that it splits into one word per entry.
flag_pairs="agentfwd:agent-forwarding portfwd:port-forwarding pty:pty
    user_rc:user-rc x11fwd:X11-forwarding"

# One certificate per flag, with only that flag switched off.
for pair in $flag_pairs; do
	sign "no_${pair%%:*}.cert" "-Ono-${pair#*:}"
done

# One certificate per flag, with everything cleared and only that flag
# switched back on.
for pair in $flag_pairs; do
	sign "only_${pair%%:*}.cert" -Oclear "-Opermit-${pair#*:}"
done

# Certificates carrying a forced command and a source-address restriction.
sign force_command.cert '-Oforce-command=foo'
sign sourceaddr.cert '-Osource-address=127.0.0.1/32,::1/128'

# ssh-keygen refuses to issue a certificate whose source-address value is
# invalid, so the malformed value is injected as a custom critical option.
sign bad_sourceaddr.cert -Ocritical:source-address=xxxxx

# A custom critical option whose name ("blah") is none of the options used
# above.
# NOTE(review): presumably a negative fixture for checking that an
# unrecognised critical option causes the certificate to be refused --
# confirm against the test that loads it.
sign unknown_critical.cert -Ocritical:blah=foo

# -h makes ssh-keygen issue a host certificate instead of a user one.
# NOTE(review): presumably a negative fixture as well -- confirm.
sign host.cert -h

# Remove the key material so that only the certificates remain. This line
# is not reached when an earlier step fails under `set -e`.
rm -f ca_key ca_key.pub user_key user_key.pub