[openssh-commits] [openssh] 03/06: upstream: use glob(3) wildcards in AuthorizedKeys/PrincipalsFile
git+noreply at mindrot.org
git+noreply at mindrot.org
Mon Mar 3 18:18:04 AEDT 2025
This is an automated email from the git hooks/post-receive script.
dtucker pushed a commit to branch master
in repository openssh.
commit 197e503b8e4b642ce0f405a5d65da4256fa96431
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Fri Dec 6 16:25:58 2024 +0000
upstream: use glob(3) wildcards in AuthorizedKeys/PrincipalsFile
tests to exercise this feature; ok dtucker
OpenBSD-Regress-ID: 7f7b19c0b05b1862cc6521ce61b2b301a3f9cc3b
---
regress/cert-userkey.sh | 62 ++++++++++++++++++++++++++++---------------------
1 file changed, 36 insertions(+), 26 deletions(-)
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 4ea29b7c..2ab0a1e9 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,12 +1,15 @@
-# $OpenBSD: cert-userkey.sh,v 1.28 2021/09/30 05:26:26 dtucker Exp $
+# $OpenBSD: cert-userkey.sh,v 1.29 2024/12/06 16:25:58 djm Exp $
# Placed in the Public Domain.
tid="certified user keys"
-rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
-cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+rm -f $OBJ/authorized_keys_${USER}* $OBJ/user_ca_key* $OBJ/cert_user_key*
+rm -f $OBJ/authorized_principals*
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
+grep -v AuthorizedKeysFile $OBJ/sshd_proxy > $OBJ/sshd_proxy_bak
+echo "AuthorizedKeysFile $OBJ/authorized_keys_%u_*" >> $OBJ/sshd_proxy_bak
+
PLAIN_TYPES=`$SSH -Q key-plain | maybe_filter_sk | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
EXTRA_TYPES=""
rsa=""
@@ -63,11 +66,15 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
_prefix="${ktype}"
# Setup for AuthorizedPrincipalsFile
- rm -f $OBJ/authorized_keys_$USER
+ rm -f $OBJ/authorized_keys_${USER}* $OBJ/authorized_principals_${USER}*
+ touch $OBJ/authorized_keys_${USER}_A
+ touch $OBJ/authorized_keys_${USER}_Z
+ touch $OBJ/authorized_principals_${USER}_A
+ touch $OBJ/authorized_principals_${USER}_Z
(
cat $OBJ/sshd_proxy_bak
echo "AuthorizedPrincipalsFile " \
- "$OBJ/authorized_principals_%u"
+ "$OBJ/authorized_principals_%u_*"
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
echo "PubkeyAcceptedAlgorithms ${t}"
) > $OBJ/sshd_proxy
@@ -78,7 +85,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
# Missing authorized_principals
verbose "$tid: ${_prefix} missing authorized_principals"
- rm -f $OBJ/authorized_principals_$USER
+ rm -f $OBJ/authorized_principals_${USER}_X
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
@@ -87,7 +94,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
# Empty authorized_principals
verbose "$tid: ${_prefix} empty authorized_principals"
- echo > $OBJ/authorized_principals_$USER
+ echo > $OBJ/authorized_principals_${USER}_X
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
@@ -96,7 +103,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
# Wrong authorized_principals
verbose "$tid: ${_prefix} wrong authorized_principals"
- echo gregorsamsa > $OBJ/authorized_principals_$USER
+ echo gregorsamsa > $OBJ/authorized_principals_${USER}_X
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
@@ -105,7 +112,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
# Correct authorized_principals
verbose "$tid: ${_prefix} correct authorized_principals"
- echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+ echo mekmitasdigoat > $OBJ/authorized_principals_${USER}_X
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -ne 0 ]; then
@@ -114,7 +121,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
# authorized_principals with bad key option
verbose "$tid: ${_prefix} authorized_principals bad key opt"
- echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+ echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_${USER}_X
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
@@ -124,7 +131,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
# authorized_principals with command=false
verbose "$tid: ${_prefix} authorized_principals command=false"
echo 'command="false" mekmitasdigoat' > \
- $OBJ/authorized_principals_$USER
+ $OBJ/authorized_principals_${USER}_X
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
@@ -135,7 +142,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
# authorized_principals with command=true
verbose "$tid: ${_prefix} authorized_principals command=true"
echo 'command="true" mekmitasdigoat' > \
- $OBJ/authorized_principals_$USER
+ $OBJ/authorized_principals_${USER}_X
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
if [ $? -ne 0 ]; then
@@ -143,7 +150,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
fi
# Setup for principals= key option
- rm -f $OBJ/authorized_principals_$USER
+ rm -f $OBJ/authorized_principals_${USER}_X
(
cat $OBJ/sshd_proxy_bak
echo "PubkeyAcceptedAlgorithms ${t}"
@@ -158,7 +165,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
(
printf 'cert-authority,principals="gregorsamsa" '
cat $OBJ/user_ca_key.pub
- ) > $OBJ/authorized_keys_$USER
+ ) > $OBJ/authorized_keys_${USER}_X
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
@@ -170,7 +177,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
(
printf 'cert-authority,principals="mekmitasdigoat" '
cat $OBJ/user_ca_key.pub
- ) > $OBJ/authorized_keys_$USER
+ ) > $OBJ/authorized_keys_${USER}_X
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -ne 0 ]; then
@@ -180,14 +187,17 @@ done
basic_tests() {
auth=$1
+ rm -f $OBJ/authorized_keys_${USER}*
+ touch $OBJ/authorized_keys_${USER}_A
+ touch $OBJ/authorized_keys_${USER}_Z
if test "x$auth" = "xauthorized_keys" ; then
# Add CA to authorized_keys
(
printf 'cert-authority '
cat $OBJ/user_ca_key.pub
- ) > $OBJ/authorized_keys_$USER
+ ) > $OBJ/authorized_keys_${USER}_X
else
- echo > $OBJ/authorized_keys_$USER
+ echo > $OBJ/authorized_keys_${USER}_X
extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
fi
@@ -295,9 +305,9 @@ test_one() {
(
printf "cert-authority${auth_opt} "
cat $OBJ/user_ca_key.pub
- ) > $OBJ/authorized_keys_$USER
+ ) > $OBJ/authorized_keys_${USER}_X
else
- echo > $OBJ/authorized_keys_$USER
+ echo > $OBJ/authorized_keys_${USER}_X
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
>> $OBJ/sshd_proxy
echo "PubkeyAcceptedAlgorithms ${t}*" \
@@ -346,15 +356,15 @@ test_one "empty principals" failure "" TrustedUserCAKeys
# should always be refused.
# AuthorizedPrincipalsFile
-rm -f $OBJ/authorized_keys_$USER
-echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+rm -f $OBJ/authorized_keys_${USER}_X
+echo mekmitasdigoat > $OBJ/authorized_principals_${USER}_X
test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
- TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
+ TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u_*"
test_one "AuthorizedPrincipalsFile no principals" failure "" \
- TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
+ TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u_*"
# principals= key option
-rm -f $OBJ/authorized_principals_$USER
+rm -f $OBJ/authorized_principals_${USER}_X
test_one "principals key option principals" success "-n mekmitasdigoat" \
authorized_keys ',principals="mekmitasdigoat"'
test_one "principals key option no principals" failure "" \
@@ -391,6 +401,6 @@ for ktype in $PLAIN_TYPES ; do
fi
done
-rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
-rm -f $OBJ/authorized_principals_$USER
+rm -f $OBJ/authorized_keys_${USER}* $OBJ/user_ca_key* $OBJ/cert_user_key*
+rm -f $OBJ/authorized_principals*
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list