Home Explore Help
Sign In
trn
/
j-hpn-ssh
mirror of git://github.com/johnsonjh/j-hpn-ssh
Watch 1
Star 1
Fork 0
Files
Tree: e677f121eb
Branches Tags
j-hpn-ssh
/
regress
/
limit-keytype.sh

limit-keytype.sh 4.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139 
  1. #	$OpenBSD: limit-keytype.sh,v 1.9 2019/12/16 02:39:05 djm Exp $
    2. 

  2. #	Placed in the Public Domain.
    3. 

  3. 

  4. tid="restrict pubkey type"
    5. 

  5. 

  6. # XXX sk-* keys aren't actually tested ATM.
    7. 

  7. 

  8. rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/user_key*
    9. 

  9. rm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key*
    10. 

  10. 

  11. mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
    12. 

  12. mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
    13. 

  13. 

  14. ktype1=ed25519
    15. 

  15. ktype2=ed25519
    16. 

  16. ktype3=ed25519
    17. 

  17. ktype4=ed25519
    18. 

  18. ktype5=ed25519
    19. 

  19. ktype6=ed25519
    20. 

  20. for t in $SSH_KEYTYPES; do
    21. 

  21. 	case "$t" in
    22. 

  22. 		ssh-rsa) ktype2=rsa ;;
    23. 

  23. 		ecdsa*) ktype3=ecdsa ;; # unused
    24. 

  24. 		ssh-dss) ktype4=dsa ;;
    25. 

  25. 		sk-ssh-ed25519@openssh.com) ktype5=ed25519-sk ;;
    26. 

  26. 		sk-ecdsa-sha2-nistp256@openssh.com) ktype6=ecdsa-sk ;;
    27. 

  27. 	esac
    28. 

  28. done
    29. 

  29. 

  30. # Create a CA key
    31. 

  31. ${SSHKEYGEN} -q -N '' -t $ktype1 -f $OBJ/user_ca_key ||
    32. 

  32. 	fatal "ssh-keygen failed"
    33. 

  33. 

  34. # Make some keys and a certificate.
    35. 

  35. ${SSHKEYGEN} -q -N '' -t $ktype1 -f $OBJ/user_key1 ||
    36. 

  36. 	fatal "ssh-keygen failed"
    37. 

  37. ${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/user_key2 ||
    38. 

  38. 	fatal "ssh-keygen failed"
    39. 

  39. ${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/user_key3 ||
    40. 

  40. 	fatal "ssh-keygen failed"
    41. 

  41. ${SSHKEYGEN} -q -N '' -t $ktype4 -f $OBJ/user_key4 ||
    42. 

  42. 	fatal "ssh-keygen failed"
    43. 

  43. ${SSHKEYGEN} -q -N '' -t $ktype5 -f $OBJ/user_key5 ||
    44. 

  44. 	fatal "ssh-keygen failed"
    45. 

  45. ${SSHKEYGEN} -q -N '' -t $ktype6 -f $OBJ/user_key6 ||
    46. 

  46. 	fatal "ssh-keygen failed"
    47. 

  47. ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
    48. 

  48. 	-z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 ||
    49. 

  49. 	fatal "couldn't sign user_key1"
    50. 

  50. # Copy the private key alongside the cert to allow better control of when
    51. 

  51. # it is offered.
    52. 

  52. mv $OBJ/user_key3-cert.pub $OBJ/cert_user_key3.pub
    53. 

  53. 

  54. grep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy
    55. 

  55. 

  56. opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
    57. 

  57. certopts="$opts -i $OBJ/user_key3 -oCertificateFile=$OBJ/cert_user_key3.pub"
    58. 

  58. 

  59. echo mekmitasdigoat > $OBJ/authorized_principals_$USER
    60. 

  60. cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER
    61. 

  61. cat $OBJ/user_key2.pub >> $OBJ/authorized_keys_$USER
    62. 

  62. 

  63. prepare_config()
    64. 

  64. {
    65. 

  65. 	(
    66. 

  66. 		grep -v "Protocol" $OBJ/sshd_proxy.orig
    67. 

  67. 		echo "Protocol 2"
    68. 

  68. 		echo "AuthenticationMethods publickey"
    69. 

  69. 		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
    70. 

  70. 		echo "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
    71. 

  71. 		for x in "$@"; do
    72. 

  72. 			echo "$x"
    73. 

  73. 		done
    74. 

  74. 	) > $OBJ/sshd_proxy
    75. 

  75. }
    76. 

  76. 

  77. # Return the required parameter for PubkeyAcceptedKeyAlgorithms corresponding to
    78. 

  78. # the supplied key type.
    79. 

  79. keytype()
    80. 

  80. {
    81. 

  81. 	case "$1" in
    82. 

  82. 		ecdsa) printf "ecdsa-sha2-*" ;;
    83. 

  83. 		ed25519) printf "ssh-ed25519" ;;
    84. 

  84. 		dsa) printf "ssh-dss" ;;
    85. 

  85. 		rsa) printf "rsa-sha2-256,rsa-sha2-512,ssh-rsa" ;;
    86. 

  86. 		sk-ecdsa) printf "sk-ecdsa-*" ;;
    87. 

  87. 		sk-ssh-ed25519) printf "sk-ssh-ed25519-*" ;;
    88. 

  88. 	esac
    89. 

  89. }
    90. 

  90. 

  91. prepare_config
    92. 

  92. 

  93. # Check we can log in with all key types.
    94. 

  94. ${SSH} $certopts proxy true || fatal "cert failed"
    95. 

  95. ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
    96. 

  96. ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
    97. 

  97. 

  98. # Allow plain Ed25519 and RSA. The certificate should fail.
    99. 

  99. verbose "allow $ktype2,$ktype1"
    100. 

  100. prepare_config \
    101. 

  101. 	"PubkeyAcceptedKeyAlgorithms $(keytype $ktype2),$(keytype $ktype1)"
    102. 

  102. ${SSH} $certopts proxy true && fatal "cert succeeded"
    103. 

  103. ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
    104. 

  104. ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
    105. 

  105. 

  106. # Allow Ed25519 only.
    107. 

  107. verbose "allow $ktype1"
    108. 

  108. prepare_config "PubkeyAcceptedKeyAlgorithms $(keytype $ktype1)"
    109. 

  109. ${SSH} $certopts proxy true && fatal "cert succeeded"
    110. 

  110. ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
    111. 

  111. if [ "$ktype1" != "$ktype2" ]; then
    112. 

  112. 	${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
    113. 

  113. fi
    114. 

  114. 

  115. # Allow all certs. Plain keys should fail.
    116. 

  116. verbose "allow cert only"
    117. 

  117. prepare_config "PubkeyAcceptedKeyAlgorithms *-cert-v01@openssh.com"
    118. 

  118. ${SSH} $certopts proxy true || fatal "cert failed"
    119. 

  119. ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
    120. 

  120. ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
    121. 

  121. 

  122. # Allow RSA in main config, Ed25519 for non-existent user.
    123. 

  123. verbose "match w/ no match"
    124. 

  124. prepare_config "PubkeyAcceptedKeyAlgorithms $(keytype $ktype2)" \
    125. 

  125. 	"Match user x$USER" "PubkeyAcceptedKeyAlgorithms +$(keytype $ktype1)"
    126. 

  126. ${SSH} $certopts proxy true && fatal "cert succeeded"
    127. 

  127. if [ "$ktype1" != "$ktype2" ]; then
    128. 

  128. 	${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
    129. 

  129. fi
    130. 

  130. ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
    131. 

  131. 

  132. # Allow only DSA in main config, Ed25519 for user.
    133. 

  133. verbose "match w/ matching"
    134. 

  134. prepare_config "PubkeyAcceptedKeyAlgorithms $(keytype $ktype4)" \
    135. 

  135. 	"Match user $USER" "PubkeyAcceptedKeyAlgorithms +$(keytype $ktype1)"
    136. 

  136. ${SSH} $certopts proxy true || fatal "cert failed"
    137. 

  137. ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
    138. 

  138. ${SSH} $opts -i $OBJ/user_key4 proxy true && fatal "key4 succeeded"
    139. 

  139.