bmh10 / rpms / openssh

Forked from rpms/openssh 10 days ago
Clone
Blob Blame History Raw
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -390,6 +390,10 @@ check_principals_line(struct ssh *ssh, c
 			continue;
 		debug3("%s: matched principal \"%.100s\"",
 		    loc, cert->principals[i]);
+		verbose("Matched principal \"%.100s\" from %s against \"%.100s\" "
+		    "from cert",
+		    cp, loc, cert->principals[i]);
+
 		found = 1;
 		slog_set_principal(cp);
 	}
@@ -433,6 +437,8 @@ process_principals(struct ssh *ssh, FILE
 			found_principal = 1;
 	}
 	free(line);
+	if (!found_principal)
+		verbose("Did not match any principals from auth_principals_* files");
 	return found_principal;
 }
 
@@ -711,7 +717,7 @@ check_authkey_line(struct ssh *ssh, stru
 	    &reason) != 0)
 		goto fail_reason;
 
-	verbose("Accepted certificate ID \"%s\" (serial %llu) "
+	verbose("Accepted cert ID \"%s\" (serial %llu) "
 	    "signed by CA %s %s found at %s",
 	    key->cert->key_id,
 	    (unsigned long long)key->cert->serial,
@@ -781,7 +787,7 @@ static int
 user_cert_trusted_ca(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
     struct sshauthopt **authoptsp)
 {
-	char *ca_fp, *principals_file = NULL;
+	char *ca_fp, *key_fp, *principals_file = NULL;
 	const char *reason;
 	struct sshauthopt *principals_opts = NULL, *cert_opts = NULL;
 	struct sshauthopt *final_opts = NULL;
@@ -797,11 +803,16 @@ user_cert_trusted_ca(struct ssh *ssh, st
 	    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
 		return 0;
 
+	key_fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
+
 	if ((r = sshkey_in_file(key->cert->signature_key,
 	    options.trusted_user_ca_keys, 1, 0)) != 0) {
 		debug2_fr(r, "CA %s %s is not listed in %s",
 		    sshkey_type(key->cert->signature_key), ca_fp,
 		    options.trusted_user_ca_keys);
+		verbose("CA %s %s is not listed in %s",
+		    sshkey_type(key->cert->signature_key), ca_fp,
+		    options.trusted_user_ca_keys);
 		goto out;
 	}
 	/*
@@ -852,6 +863,11 @@ user_cert_trusted_ca(struct ssh *ssh, st
 		if ((final_opts = sshauthopt_merge(principals_opts,
 		    cert_opts, &reason)) == NULL) {
  fail_reason:
+			verbose("Rejected cert ID \"%s\" with signature "
+			    "%s signed by %s CA %s via %s",
+			    key->cert->key_id, key_fp,
+			    sshkey_type(key->cert->signature_key), ca_fp,
+			    options.trusted_user_ca_keys);
 			error("%s", reason);
 			auth_debug_add("%s", reason);
 			goto out;
@@ -859,9 +875,10 @@ user_cert_trusted_ca(struct ssh *ssh, st
 	}
 
 	/* Success */
-	verbose("Accepted certificate ID \"%s\" (serial %llu) signed by "
-	    "%s CA %s via %s", key->cert->key_id,
-	    (unsigned long long)key->cert->serial,
+	verbose("Accepted cert ID \"%s\" (serial %llu) with signature %s "
+	    "signed by %s CA %s via %s",
+	    key->cert->key_id,
+	    (unsigned long long)key->cert->serial, key_fp,
 	    sshkey_type(key->cert->signature_key), ca_fp,
 	    options.trusted_user_ca_keys);
 	if (authoptsp != NULL) {
@@ -876,6 +893,7 @@ user_cert_trusted_ca(struct ssh *ssh, st
 	sshauthopt_free(final_opts);
 	free(principals_file);
 	free(ca_fp);
+	free(key_fp);
 	return ret;
 }
 
--- /dev/null
+++ b/regress/cert-logging.sh
@@ -0,0 +1,84 @@
+tid="cert logging"
+
+CERT_ID="cert_id"
+PRINCIPAL=$USER
+SERIAL=0
+
+log_grep() {
+    if [ "$(grep -c -G "$1" "$TEST_SSHD_LOGFILE")" == "0" ]; then
+        return 1;
+    else
+        return 0;
+    fi
+}
+
+cat << EOF >> $OBJ/sshd_config
+TrustedUserCAKeys $OBJ/ssh-rsa.pub
+Protocol 2
+PubkeyAuthentication yes
+AuthenticationMethods publickey
+AuthorizedPrincipalsFile $OBJ/auth_principals
+EOF
+
+if [ ! -f $OBJ/trusted_rsa ]; then
+    ${SSHKEYGEN} -q -t rsa -C '' -N '' -f $OBJ/trusted_rsa
+fi
+if [ ! -f $OBJ/untrusted_rsa ]; then
+    ${SSHKEYGEN} -q -t rsa -C '' -N '' -f $OBJ/untrusted_rsa
+fi
+
+${SSHKEYGEN} -q -s $OBJ/ssh-rsa -I $CERT_ID -n $PRINCIPAL -z $SERIAL $OBJ/trusted_rsa.pub ||
+    fatal "Could not create trusted SSH cert"
+
+${SSHKEYGEN} -q -s $OBJ/untrusted_rsa -I $CERT_ID -n $PRINCIPAL -z $SERIAL $OBJ/untrusted_rsa.pub ||
+    fatal "Could not create untrusted SSH cert"
+
+CA_FP="$(${SSHKEYGEN} -l -E sha256 -f ssh-rsa | cut -d' ' -f2)"
+KEY_FP="$(${SSHKEYGEN} -l -E sha256 -f trusted_rsa | cut -d' ' -f2)"
+UNTRUSTED_CA_FP="$(${SSHKEYGEN} -l -E sha256 -f untrusted_rsa | cut -d' ' -f2)"
+
+start_sshd
+
+
+test_no_principals() {
+    echo > $OBJ/auth_principals
+    ${SSH} -F $OBJ/ssh_config -i $OBJ/trusted_rsa-cert.pub somehost true ||
+        fatal "SSH failed"
+
+    if ! log_grep 'Did not match any principals from auth_principals_\* files'; then
+        fail "No 'Did not match any principals' message"
+    fi
+
+    if ! log_grep "Rejected cert ID \"$CERT_ID\" with signature $KEY_FP signed by RSA CA $CA_FP via $OBJ/ssh-rsa.pub"; then
+        fail "No 'Rejected cert ID' message"
+    fi
+}
+
+
+test_with_principals() {
+    echo $USER > $OBJ/auth_principals
+    ${SSH} -F $OBJ/ssh_config -i $OBJ/trusted_rsa-cert.pub somehost true ||
+        fatal "SSH failed"
+
+    if ! log_grep "Matched principal \"$PRINCIPAL\" from $OBJ/auth_principals:1 against \"$PRINCIPAL\" from cert"; then
+        fail "No 'Matched principal' message"
+    fi
+    if ! log_grep "Accepted cert ID \"$CERT_ID\" (serial $SERIAL) with signature $KEY_FP signed by RSA CA $CA_FP via $OBJ/ssh-rsa.pub"; then
+        fail "No 'Accepted cert ID' message"
+    fi
+}
+
+
+test_untrusted_cert() {
+    ${SSH} -F $OBJ/ssh_config -i $OBJ/untrusted_rsa-cert.pub somehost true ||
+        fatal "SSH failed"
+
+    if ! log_grep "CA RSA $UNTRUSTED_CA_FP is not listed in $OBJ/ssh-rsa.pub"; then
+        fail "No 'CA is not listed' message"
+    fi
+}
+
+
+test_no_principals
+test_with_principals
+test_untrusted_cert