Tree - rpms/openssh - CentOS Git server

rpms / openssh

Blame fb87_080_logging_certificates.patch

Blob History Raw

Vishal Mishra	7bfe72	`Index: openssh-9.9p1/auth2-pubkey.c`
Vishal Mishra	7bfe72	`===================================================================`
Vishal Mishra	7bfe72	`--- openssh-9.9p1.orig/auth2-pubkey.c`
Vishal Mishra	7bfe72	`+++ openssh-9.9p1/auth2-pubkey.c`
Vishal Mishra	7bfe72	`@@ -524,11 +524,16 @@ user_cert_trusted_ca(struct passwd *pw,`
Vishal Mishra	7bfe72	`options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)`
Vishal Mishra	7bfe72	`return 0;`
Vishal Mishra	7bfe72
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`if ((r = sshkey_in_file(key->cert->signature_key,`
Vishal Mishra	7bfe72	`options.trusted_user_ca_keys, 1, 0)) != 0) {`
Vishal Mishra	7bfe72	`debug2_fr(r, "CA %s %s is not listed in %s",`
Vishal Mishra	7bfe72	`sshkey_type(key->cert->signature_key), ca_fp,`
Vishal Mishra	7bfe72	`options.trusted_user_ca_keys);`
Vishal Mishra	7bfe72	`+ verbose("CA %s %s is not listed in %s",`
Vishal Mishra	7bfe72	`+ sshkey_type(key->cert->signature_key), ca_fp,`
Vishal Mishra	7bfe72	`+ options.trusted_user_ca_keys);`
Vishal Mishra	7bfe72	`goto out;`
Vishal Mishra	7bfe72	`}`
Vishal Mishra	7bfe72	`/*`
Vishal Mishra	7bfe72	`@@ -540,6 +545,9 @@ user_cert_trusted_ca(struct passwd *pw,`
Vishal Mishra	7bfe72	`if (match_principals_file(pw, principals_file,`
Vishal Mishra	7bfe72	`key->cert, &principals_opts))`
Vishal Mishra	7bfe72	`found_principal = 1;`
Vishal Mishra	7bfe72	`+ else {`
Vishal Mishra	7bfe72	`+ verbose("Did not match any principals from auth_principals_* files");`
Vishal Mishra	7bfe72	`+ }`
Vishal Mishra	7bfe72	`}`
Vishal Mishra	7bfe72	`/* Try querying command if specified */`
Vishal Mishra	7bfe72	`if (!found_principal && match_principals_command(pw, key,`
Vishal Mishra	7bfe72	`@@ -580,6 +588,11 @@ user_cert_trusted_ca(struct passwd *pw,`
Vishal Mishra	7bfe72	`if ((final_opts = sshauthopt_merge(principals_opts,`
Vishal Mishra	7bfe72	`cert_opts, &reason)) == NULL) {`
Vishal Mishra	7bfe72	`fail_reason:`
Vishal Mishra	7bfe72	`+ verbose("Rejected cert ID \"%s\" with signature "`
Vishal Mishra	7bfe72	`+ "%s signed by %s CA %s via %s",`
Vishal Mishra	7bfe72	`+ key->cert->key_id, ca_fp,`
Vishal Mishra	7bfe72	`+ sshkey_type(key->cert->signature_key), ca_fp,`
Vishal Mishra	7bfe72	`+ options.trusted_user_ca_keys);`
Vishal Mishra	7bfe72	`error("%s", reason);`
Vishal Mishra	7bfe72	`auth_debug_add("%s", reason);`
Vishal Mishra	7bfe72	`goto out;`
Vishal Mishra	7bfe72	`@@ -587,7 +600,7 @@ user_cert_trusted_ca(struct passwd *pw,`
Vishal Mishra	7bfe72	`}`
Vishal Mishra	7bfe72	`slog_set_cert_serial((unsigned long long)key->cert->serial);`
Vishal Mishra	7bfe72	`/* Success */`
Vishal Mishra	7bfe72	`- verbose("Accepted certificate ID \"%s\" (serial %llu) signed by "`
Vishal Mishra	7bfe72	`+ verbose("Accepted cert ID \"%s\" (serial %llu) signed by "`
Vishal Mishra	7bfe72	`"%s CA %s via %s", key->cert->key_id,`
Vishal Mishra	7bfe72	`(unsigned long long)key->cert->serial,`
Vishal Mishra	7bfe72	`sshkey_type(key->cert->signature_key), ca_fp,`
Vishal Mishra	7bfe72	`@@ -604,6 +617,7 @@ user_cert_trusted_ca(struct passwd *pw,`
Vishal Mishra	7bfe72	`sshauthopt_free(final_opts);`
Vishal Mishra	7bfe72	`free(principals_file);`
Vishal Mishra	7bfe72	`free(ca_fp);`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`return ret;`
Vishal Mishra	7bfe72	`}`
Vishal Mishra	7bfe72
Vishal Mishra	7bfe72	`Index: openssh-9.9p1/regress/cert-logging.sh`
Vishal Mishra	7bfe72	`===================================================================`
Vishal Mishra	7bfe72	`--- /dev/null`
Vishal Mishra	7bfe72	`+++ openssh-9.9p1/regress/cert-logging.sh`
Vishal Mishra	7bfe72	`@@ -0,0 +1,84 @@`
Vishal Mishra	7bfe72	`+tid="cert logging"`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+CERT_ID="cert_id"`
Vishal Mishra	7bfe72	`+PRINCIPAL=$USER`
Vishal Mishra	7bfe72	`+SERIAL=0`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+log_grep() {`
Vishal Mishra	7bfe72	`+ if [ "$(grep -c -G "$1" "$TEST_SSHD_LOGFILE")" == "0" ]; then`
Vishal Mishra	7bfe72	`+ return 1;`
Vishal Mishra	7bfe72	`+ else`
Vishal Mishra	7bfe72	`+ return 0;`
Vishal Mishra	7bfe72	`+ fi`
Vishal Mishra	7bfe72	`+}`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+cat << EOF >> $OBJ/sshd_config`
Vishal Mishra	7bfe72	`+TrustedUserCAKeys $OBJ/ssh-rsa.pub`
Vishal Mishra	7bfe72	`+Protocol 2`
Vishal Mishra	7bfe72	`+PubkeyAuthentication yes`
Vishal Mishra	7bfe72	`+AuthenticationMethods publickey`
Vishal Mishra	7bfe72	`+AuthorizedPrincipalsFile $OBJ/auth_principals`
Vishal Mishra	7bfe72	`+EOF`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+if [ ! -f $OBJ/trusted_rsa ]; then`
Vishal Mishra	7bfe72	`+ ${SSHKEYGEN} -q -t rsa -C '' -N '' -f $OBJ/trusted_rsa`
Vishal Mishra	7bfe72	`+fi`
Vishal Mishra	7bfe72	`+if [ ! -f $OBJ/untrusted_rsa ]; then`
Vishal Mishra	7bfe72	`+ ${SSHKEYGEN} -q -t rsa -C '' -N '' -f $OBJ/untrusted_rsa`
Vishal Mishra	7bfe72	`+fi`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+${SSHKEYGEN} -q -s $OBJ/ssh-rsa -I $CERT_ID -n $PRINCIPAL -z $SERIAL $OBJ/trusted_rsa.pub \|\|`
Vishal Mishra	7bfe72	`+ fatal "Could not create trusted SSH cert"`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+${SSHKEYGEN} -q -s $OBJ/untrusted_rsa -I $CERT_ID -n $PRINCIPAL -z $SERIAL $OBJ/untrusted_rsa.pub \|\|`
Vishal Mishra	7bfe72	`+ fatal "Could not create untrusted SSH cert"`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+CA_FP="$(${SSHKEYGEN} -l -E sha256 -f ssh-rsa \| cut -d' ' -f2)"`
Vishal Mishra	7bfe72	`+KEY_FP="$(${SSHKEYGEN} -l -E sha256 -f trusted_rsa \| cut -d' ' -f2)"`
Vishal Mishra	7bfe72	`+UNTRUSTED_CA_FP="$(${SSHKEYGEN} -l -E sha256 -f untrusted_rsa \| cut -d' ' -f2)"`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+start_sshd`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+test_no_principals() {`
Vishal Mishra	7bfe72	`+ echo > $OBJ/auth_principals`
Vishal Mishra	7bfe72	`+ ${SSH} -F $OBJ/ssh_config -i $OBJ/trusted_rsa-cert.pub somehost true \|\|`
Vishal Mishra	7bfe72	`+ fatal "SSH failed"`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+ if ! log_grep 'Did not match any principals from auth_principals_\* files'; then`
Vishal Mishra	7bfe72	`+ fail "No 'Did not match any principals' message"`
Vishal Mishra	7bfe72	`+ fi`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+ if ! log_grep "Rejected cert ID \"$CERT_ID\" with signature $KEY_FP signed by RSA CA $CA_FP via $OBJ/ssh-rsa.pub"; then`
Vishal Mishra	7bfe72	`+ fail "No 'Rejected cert ID' message"`
Vishal Mishra	7bfe72	`+ fi`
Vishal Mishra	7bfe72	`+}`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+test_with_principals() {`
Vishal Mishra	7bfe72	`+ echo $USER > $OBJ/auth_principals`
Vishal Mishra	7bfe72	`+ ${SSH} -F $OBJ/ssh_config -i $OBJ/trusted_rsa-cert.pub somehost true \|\|`
Vishal Mishra	7bfe72	`+ fatal "SSH failed"`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+ if ! log_grep "Matched principal \"$PRINCIPAL\" from $OBJ/auth_principals:1 against \"$PRINCIPAL\" from cert"; then`
Vishal Mishra	7bfe72	`+ fail "No 'Matched principal' message"`
Vishal Mishra	7bfe72	`+ fi`
Vishal Mishra	7bfe72	`+ if ! log_grep "Accepted cert ID \"$CERT_ID\" (serial $SERIAL) with signature $KEY_FP signed by RSA CA $CA_FP via $OBJ/ssh-rsa.pub"; then`
Vishal Mishra	7bfe72	`+ fail "No 'Accepted cert ID' message"`
Vishal Mishra	7bfe72	`+ fi`
Vishal Mishra	7bfe72	`+}`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+test_untrusted_cert() {`
Vishal Mishra	7bfe72	`+ ${SSH} -F $OBJ/ssh_config -i $OBJ/untrusted_rsa-cert.pub somehost true \|\|`
Vishal Mishra	7bfe72	`+ fatal "SSH failed"`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+ if ! log_grep "CA RSA $UNTRUSTED_CA_FP is not listed in $OBJ/ssh-rsa.pub"; then`
Vishal Mishra	7bfe72	`+ fail "No 'CA is not listed' message"`
Vishal Mishra	7bfe72	`+ fi`
Vishal Mishra	7bfe72	`+}`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+`
Vishal Mishra	7bfe72	`+test_no_principals`
Vishal Mishra	7bfe72	`+test_with_principals`
Vishal Mishra	7bfe72	`+test_untrusted_cert`

rpms / openssh

Source Code

Blame fb87_080_logging_certificates.patch