1# $OpenBSD: cert-file.sh,v 1.5 2017/03/11 23:44:16 djm Exp $ 2# Placed in the Public Domain. 3 4tid="ssh with certificates" 5 6rm -f $OBJ/user_ca_key* $OBJ/user_key* 7rm -f $OBJ/cert_user_key* 8 9# Create a CA key 10${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key1 ||\ 11 fatal "ssh-keygen failed" 12${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key2 ||\ 13 fatal "ssh-keygen failed" 14 15# Make some keys and certificates. 16${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \ 17 fatal "ssh-keygen failed" 18${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \ 19 fatal "ssh-keygen failed" 20${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key3 || \ 21 fatal "ssh-keygen failed" 22${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key4 || \ 23 fatal "ssh-keygen failed" 24${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key5 || \ 25 fatal "ssh-keygen failed" 26 27# Move the certificate to a different address to better control 28# when it is offered. 29${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ 30 -z $$ -n ${USER} $OBJ/user_key1 || 31 fatal "couldn't sign user_key1 with user_ca_key1" 32mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_1.pub 33${SSHKEYGEN} -q -s $OBJ/user_ca_key2 -I "regress user key for $USER" \ 34 -z $$ -n ${USER} $OBJ/user_key1 || 35 fatal "couldn't sign user_key1 with user_ca_key2" 36mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub 37${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ 38 -z $$ -n ${USER} $OBJ/user_key3 || 39 fatal "couldn't sign user_key3 with user_ca_key1" 40rm $OBJ/user_key3.pub # to test use of private key w/o public half. 41${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ 42 -z $$ -n ${USER} $OBJ/user_key4 || 43 fatal "couldn't sign user_key4 with user_ca_key1" 44rm $OBJ/user_key4 $OBJ/user_key4.pub # to test no matching pub/private key case. 45 46trace 'try with identity files' 47opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes" 48opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2" 49echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER 50 51# Make a clean config that doesn't have any pre-added identities. 52cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config 53 54# XXX: verify that certificate used was what we expect. Needs exposure of 55# keys via enviornment variable or similar. 56 57for p in ${SSH_PROTOCOLS}; do 58 # Key with no .pub should work - finding the equivalent *-cert.pub. 59 verbose "protocol $p: identity cert with no plain public file" 60 ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ 61 -i $OBJ/user_key3 somehost exit 5$p 62 [ $? -ne 5$p ] && fail "ssh failed" 63 64 # CertificateFile matching private key with no .pub file should work. 65 verbose "protocol $p: CertificateFile with no plain public file" 66 ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ 67 -oCertificateFile=$OBJ/user_key3-cert.pub \ 68 -i $OBJ/user_key3 somehost exit 5$p 69 [ $? -ne 5$p ] && fail "ssh failed" 70 71 # Just keys should fail 72 verbose "protocol $p: plain keys" 73 ${SSH} $opts2 somehost exit 5$p 74 r=$? 75 if [ $r -eq 5$p ]; then 76 fail "ssh succeeded with no certs in protocol $p" 77 fi 78 79 # Keys with untrusted cert should fail. 80 verbose "protocol $p: untrusted cert" 81 opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" 82 ${SSH} $opts3 somehost exit 5$p 83 r=$? 84 if [ $r -eq 5$p ]; then 85 fail "ssh succeeded with bad cert in protocol $p" 86 fi 87 88 # Good cert with bad key should fail. 89 verbose "protocol $p: good cert, bad key" 90 opts3="$opts -i $OBJ/user_key2" 91 opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" 92 ${SSH} $opts3 somehost exit 5$p 93 r=$? 94 if [ $r -eq 5$p ]; then 95 fail "ssh succeeded with no matching key in protocol $p" 96 fi 97 98 # Keys with one trusted cert, should succeed. 99 verbose "protocol $p: single trusted" 100 opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" 101 ${SSH} $opts3 somehost exit 5$p 102 r=$? 103 if [ $r -ne 5$p ]; then 104 fail "ssh failed with trusted cert and key in protocol $p" 105 fi 106 107 # Multiple certs and keys, with one trusted cert, should succeed. 108 verbose "protocol $p: multiple trusted" 109 opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" 110 opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" 111 ${SSH} $opts3 somehost exit 5$p 112 r=$? 113 if [ $r -ne 5$p ]; then 114 fail "ssh failed with multiple certs in protocol $p" 115 fi 116done 117 118#next, using an agent in combination with the keys 119SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1 120if [ $? -ne 2 ]; then 121 fatal "ssh-add -l did not fail with exit code 2" 122fi 123 124trace "start agent" 125eval `${SSHAGENT} -s` > /dev/null 126r=$? 127if [ $r -ne 0 ]; then 128 fatal "could not start ssh-agent: exit code $r" 129fi 130 131# add private keys to agent 132${SSHADD} -k $OBJ/user_key2 > /dev/null 2>&1 133if [ $? -ne 0 ]; then 134 fatal "ssh-add did not succeed with exit code 0" 135fi 136${SSHADD} -k $OBJ/user_key1 > /dev/null 2>&1 137if [ $? -ne 0 ]; then 138 fatal "ssh-add did not succeed with exit code 0" 139fi 140 141# try ssh with the agent and certificates 142# note: ssh agent only uses certificates in protocol 2 143opts="-F $OBJ/ssh_proxy" 144# with no certificates, shoud fail 145${SSH} -2 $opts somehost exit 52 146if [ $? -eq 52 ]; then 147 fail "ssh connect with agent in protocol 2 succeeded with no cert" 148fi 149 150#with an untrusted certificate, should fail 151opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub" 152${SSH} -2 $opts somehost exit 52 153if [ $? -eq 52 ]; then 154 fail "ssh connect with agent in protocol 2 succeeded with bad cert" 155fi 156 157#with an additional trusted certificate, should succeed 158opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub" 159${SSH} -2 $opts somehost exit 52 160if [ $? -ne 52 ]; then 161 fail "ssh connect with agent in protocol 2 failed with good cert" 162fi 163 164trace "kill agent" 165${SSHAGENT} -k > /dev/null 166 167#cleanup 168rm -f $OBJ/user_ca_key* $OBJ/user_key* 169rm -f $OBJ/cert_user_key* 170