bmh10 / rpms / openssh

Forked from rpms/openssh 10 days ago
Clone
Blob Blame History Raw
Index: b/regress/slog.sh
===================================================================
--- b.orig/regress/slog.sh
+++ b/regress/slog.sh
@@ -1,41 +1,60 @@
 tid='structured log'
 
-port="4242"
 log_prefix="sshd_auth_msg:"
-log_keys="server_ip server_port remote_ip remote_port pid session_id method cert_id cert_serial principal user session_state auth_successful _time command end_time duration auth_info client_version"
+log_keys="server_ip server_port remote_ip remote_port pid session_id method cert_id cert_serial principal user session_state auth_successful command end_time duration auth_info client_version"
 do_log_json="yes"
-test_config="$OBJ/sshd2_config"
-old_config="$OBJ/sshd_config"
-PIDFILE=$OBJ/pidfile
-
-cat << EOF > $test_config
-	#*:
-	StrictModes             no
-	Port                    $port
-	AddressFamily           inet
-	ListenAddress           127.0.0.1
-	#ListenAddress          ::1
-	PidFile                 $PIDFILE
-	AuthorizedKeysFile      $OBJ/authorized_keys_%u
-	LogLevel                ERROR
-	AcceptEnv               _XXX_TEST_*
-	AcceptEnv               _XXX_TEST
-	HostKey $OBJ/host.ssh-ed25519
-	LogFormatPrefix $log_prefix
-	LogFormatJson $do_log_json
-	LogFormatKeys $log_keys
+
+AUTH_PRINC_FILE="$OBJ/auth_principals"
+CA_FILE="$OBJ/ca-rsa"
+IDENTITY_FILE="$OBJ/$USER-rsa"
+CERT_ID=$USER
+
+cat << EOF >>	$OBJ/sshd_config
+TrustedUserCAKeys $CA_FILE.pub
+PubkeyAuthentication yes
+AuthenticationMethods publickey
+AuthorizedPrincipalsFile $AUTH_PRINC_FILE
+LogFormatPrefix $log_prefix
+LogFormatJson $do_log_json
+LogFormatKeys $log_keys
 EOF
 
+sed -i 's/DEBUG3/VERBOSE/g' $OBJ/sshd_config
 
-cp $test_config $old_config
-start_sshd
+cleanup() {
+	rm -f $CA_FILE{.pub,}
+	rm -f $IDENTITY_FILE{-cert.pub,.pub,}
+	rm -f $AUTH_PRINC_FILE
+	rm -f $TEST_SSHD_LOGFILE
+}
+
+make_keys() {
+	local keytype=$1
+
+	rm -f $IDENTITY_FILE{.pub,}
+	${SSHKEYGEN} -q -t $keytype -C '' -N '' -f $IDENTITY_FILE ||
+	    fatal 'Could not create keypair'
+
+	cat $IDENTITY_FILE.pub > authorized_keys_$USER
+	${SSHKEYGEN} -lf $IDENTITY_FILE
+}
 
-${SSH} -F $OBJ/ssh_config somehost true
-if [ $? -ne 0 ]; then
-	fail "ssh connect with failed"
-fi
+make_cert() {
+	local princs=$1
+	local certtype=$2
+	local serial=$3
 
-test_log_counts() {
+	rm -f $CA_FILE
+	rm -f "$IDENTITY_FILE-cert.pub"
+
+	${SSHKEYGEN} -q -t $certtype -C '' -N '' -f $CA_FILE ||
+	    fatal 'Could not create CA key'
+
+	${SSHKEYGEN} -q -s $CA_FILE -I $CERT_ID -n "$princs" -z $serial "$IDENTITY_FILE.pub" ||
+	    fatal "Could not create SSH cert"
+}
+
+do_test_log_counts() {
 	cnt=$(grep -c "$log_prefix" "$TEST_SSHD_LOGFILE")
 	if [ $cnt -ne 2 ]; then
 		fail "expected 2 structured logging lines, got $cnt"
@@ -43,7 +62,10 @@ test_log_counts() {
 }
 
 test_json_valid() {
-	which python &>/dev/null || echo 'python not found in path, skipping tests'
+	if ! $(which python &>/dev/null) ; then
+		 echo 'python not found in path, skipping JSON tests'
+		 return 1
+	fi
 
 	loglines=$(cat "$TEST_SSHD_LOGFILE" | grep "$log_prefix")
 	first=$(echo "$loglines" | head -n1)
@@ -55,5 +77,72 @@ test_json_valid() {
 	    || fail "invalid json structure $last"
 }
 
-test_log_counts
-test_json_valid
+# todo: first/last line
+extract_key() {
+	local key=$1
+	loglines=$(cat "$TEST_SSHD_LOGFILE" | grep "$log_prefix")
+	last=$(echo "$loglines" | tail -n1)
+	json=${last:$(expr length $log_prefix)}
+
+	val=$(echo $json | python -c "import sys, json; print(json.load(sys.stdin)[\"$key\"])") ||
+	    fail "error extracting $key from $json"
+	echo "$val"
+}
+
+test_basic_logging() {
+	${SSH} -F $OBJ/ssh_config -v -i "$IDENTITY_FILE" somehost true ||
+		    fatal "SSH failed"
+
+	do_test_log_counts
+	test_json_valid || return 1
+}
+
+extract_hash() {
+	local source=$1
+	echo $source | sed "s/.*\(SHA256:[[:print:]]\{43\}\).*$/\1/"
+}
+
+test_auth_info() {
+	local keyfp=$1
+	local keytype=$2
+	local princ=$3
+	local serial=$4
+
+	${SSH} -F $OBJ/ssh_config -v -i "$IDENTITY_FILE" somehost true ||
+	    fatal "SSH failed"
+
+	auth_info=$(extract_key 'auth_info')
+	digest=$(extract_hash "$keyfp")
+
+	[ -z "$keyfp" ] || echo "$auth_info" | grep -q "$digest" ||
+		echo "hash digest not found"
+	[ -z "$keytype" ] || echo "$auth_info" | grep -q "$keytype" ||
+		echo "keytype not found"
+	[ -z "$princ" ] || echo "$auth_info" | grep -q "$princ" ||
+		echo "princ not found"
+	[ -z "$serial" ] || echo "$auth_info" | grep -q "$serial" ||
+		echo "serial not found"
+}
+
+test_cert_serial() {
+	local serial=$1
+	logged_serial=$(extract_key 'cert_serial')
+	 [ $serial = $logged_serial ] || fail 'cert serial mismatch'
+}
+
+start_sshd
+
+keytype="RSA"
+keyfp=$(make_keys $keytype)
+test_basic_logging || return
+test_auth_info "$keyfp" "$keytype"
+
+rm authorized_keys_$USER # force cert auth
+
+princ="$USER"
+echo $princ > $AUTH_PRINC_FILE
+
+serial='42'
+make_cert "$princ" "$keytype" "$serial"
+test_auth_info "$keyfp" "$keytype" "$princ" "$serial"
+test_cert_serial "$serial"
Index: b/auth.c
===================================================================
--- b.orig/auth.c
+++ b/auth.c
@@ -351,6 +351,8 @@ auth_log(struct ssh *ssh, int authentica
 	    extra != NULL ? ": " : "",
 	    extra != NULL ? extra : "");
 
+	if (extra != NULL)
+		slog_set_auth_info(extra);
 	free(extra);
 	slog_set_auth_data(authenticated, method, authctxt->user);
 
Index: b/auth2-pubkey.c
===================================================================
--- b.orig/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -722,7 +722,7 @@ check_authkey_line(struct ssh *ssh, stru
 	    (unsigned long long)key->cert->serial,
 	    sshkey_type(found), fp, loc);
 
-	    slog_set_cert_serial(key->cert->serial);
+	slog_set_cert_serial(key->cert->serial);
  success:
 	if (finalopts == NULL)
 		fatal_f("internal error: missing options");
@@ -885,6 +885,8 @@ user_cert_trusted_ca(struct ssh *ssh, st
 		final_opts = NULL;
 	}
 	slog_set_cert_id(key->cert->key_id);
+	slog_set_cert_serial(key->cert->serial);
+
 	ret = 1;
  out:
 	sshauthopt_free(principals_opts);