--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -390,6 +390,10 @@ check_principals_line(struct ssh *ssh, c
continue;
debug3("%s: matched principal \"%.100s\"",
loc, cert->principals[i]);
+ verbose("Matched principal \"%.100s\" from %s against \"%.100s\" "
+ "from cert",
+ cp, loc, cert->principals[i]);
+
found = 1;
slog_set_principal(cp);
}
@@ -433,6 +437,8 @@ process_principals(struct ssh *ssh, FILE
found_principal = 1;
}
free(line);
+ if (!found_principal)
+ verbose("Did not match any principals from auth_principals_* files");
return found_principal;
}
@@ -711,7 +717,7 @@ check_authkey_line(struct ssh *ssh, stru
&reason) != 0)
goto fail_reason;
- verbose("Accepted certificate ID \"%s\" (serial %llu) "
+ verbose("Accepted cert ID \"%s\" (serial %llu) "
"signed by CA %s %s found at %s",
key->cert->key_id,
(unsigned long long)key->cert->serial,
@@ -781,7 +787,7 @@ static int
user_cert_trusted_ca(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
struct sshauthopt **authoptsp)
{
- char *ca_fp, *principals_file = NULL;
+ char *ca_fp, *key_fp, *principals_file = NULL;
const char *reason;
struct sshauthopt *principals_opts = NULL, *cert_opts = NULL;
struct sshauthopt *final_opts = NULL;
@@ -797,11 +803,16 @@ user_cert_trusted_ca(struct ssh *ssh, st
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
return 0;
+ key_fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
+
if ((r = sshkey_in_file(key->cert->signature_key,
options.trusted_user_ca_keys, 1, 0)) != 0) {
debug2_fr(r, "CA %s %s is not listed in %s",
sshkey_type(key->cert->signature_key), ca_fp,
options.trusted_user_ca_keys);
+ verbose("CA %s %s is not listed in %s",
+ sshkey_type(key->cert->signature_key), ca_fp,
+ options.trusted_user_ca_keys);
goto out;
}
/*
@@ -852,6 +863,11 @@ user_cert_trusted_ca(struct ssh *ssh, st
if ((final_opts = sshauthopt_merge(principals_opts,
cert_opts, &reason)) == NULL) {
fail_reason:
+ verbose("Rejected cert ID \"%s\" with signature "
+ "%s signed by %s CA %s via %s",
+ key->cert->key_id, key_fp,
+ sshkey_type(key->cert->signature_key), ca_fp,
+ options.trusted_user_ca_keys);
error("%s", reason);
auth_debug_add("%s", reason);
goto out;
@@ -859,9 +875,10 @@ user_cert_trusted_ca(struct ssh *ssh, st
}
/* Success */
- verbose("Accepted certificate ID \"%s\" (serial %llu) signed by "
- "%s CA %s via %s", key->cert->key_id,
- (unsigned long long)key->cert->serial,
+ verbose("Accepted cert ID \"%s\" (serial %llu) with signature %s "
+ "signed by %s CA %s via %s",
+ key->cert->key_id,
+ (unsigned long long)key->cert->serial, key_fp,
sshkey_type(key->cert->signature_key), ca_fp,
options.trusted_user_ca_keys);
if (authoptsp != NULL) {
@@ -876,6 +893,7 @@ user_cert_trusted_ca(struct ssh *ssh, st
sshauthopt_free(final_opts);
free(principals_file);
free(ca_fp);
+ free(key_fp);
return ret;
}
--- /dev/null
+++ b/regress/cert-logging.sh
@@ -0,0 +1,84 @@
+tid="cert logging"
+
+CERT_ID="cert_id"
+PRINCIPAL=$USER
+SERIAL=0
+
+log_grep() {
+ if [ "$(grep -c -G "$1" "$TEST_SSHD_LOGFILE")" == "0" ]; then
+ return 1;
+ else
+ return 0;
+ fi
+}
+
+cat << EOF >> $OBJ/sshd_config
+TrustedUserCAKeys $OBJ/ssh-rsa.pub
+Protocol 2
+PubkeyAuthentication yes
+AuthenticationMethods publickey
+AuthorizedPrincipalsFile $OBJ/auth_principals
+EOF
+
+if [ ! -f $OBJ/trusted_rsa ]; then
+ ${SSHKEYGEN} -q -t rsa -C '' -N '' -f $OBJ/trusted_rsa
+fi
+if [ ! -f $OBJ/untrusted_rsa ]; then
+ ${SSHKEYGEN} -q -t rsa -C '' -N '' -f $OBJ/untrusted_rsa
+fi
+
+${SSHKEYGEN} -q -s $OBJ/ssh-rsa -I $CERT_ID -n $PRINCIPAL -z $SERIAL $OBJ/trusted_rsa.pub ||
+ fatal "Could not create trusted SSH cert"
+
+${SSHKEYGEN} -q -s $OBJ/untrusted_rsa -I $CERT_ID -n $PRINCIPAL -z $SERIAL $OBJ/untrusted_rsa.pub ||
+ fatal "Could not create untrusted SSH cert"
+
+CA_FP="$(${SSHKEYGEN} -l -E sha256 -f ssh-rsa | cut -d' ' -f2)"
+KEY_FP="$(${SSHKEYGEN} -l -E sha256 -f trusted_rsa | cut -d' ' -f2)"
+UNTRUSTED_CA_FP="$(${SSHKEYGEN} -l -E sha256 -f untrusted_rsa | cut -d' ' -f2)"
+
+start_sshd
+
+
+test_no_principals() {
+ echo > $OBJ/auth_principals
+ ${SSH} -F $OBJ/ssh_config -i $OBJ/trusted_rsa-cert.pub somehost true ||
+ fatal "SSH failed"
+
+ if ! log_grep 'Did not match any principals from auth_principals_\* files'; then
+ fail "No 'Did not match any principals' message"
+ fi
+
+ if ! log_grep "Rejected cert ID \"$CERT_ID\" with signature $KEY_FP signed by RSA CA $CA_FP via $OBJ/ssh-rsa.pub"; then
+ fail "No 'Rejected cert ID' message"
+ fi
+}
+
+
+test_with_principals() {
+ echo $USER > $OBJ/auth_principals
+ ${SSH} -F $OBJ/ssh_config -i $OBJ/trusted_rsa-cert.pub somehost true ||
+ fatal "SSH failed"
+
+ if ! log_grep "Matched principal \"$PRINCIPAL\" from $OBJ/auth_principals:1 against \"$PRINCIPAL\" from cert"; then
+ fail "No 'Matched principal' message"
+ fi
+ if ! log_grep "Accepted cert ID \"$CERT_ID\" (serial $SERIAL) with signature $KEY_FP signed by RSA CA $CA_FP via $OBJ/ssh-rsa.pub"; then
+ fail "No 'Accepted cert ID' message"
+ fi
+}
+
+
+test_untrusted_cert() {
+ ${SSH} -F $OBJ/ssh_config -i $OBJ/untrusted_rsa-cert.pub somehost true ||
+ fatal "SSH failed"
+
+ if ! log_grep "CA RSA $UNTRUSTED_CA_FP is not listed in $OBJ/ssh-rsa.pub"; then
+ fail "No 'CA is not listed' message"
+ fi
+}
+
+
+test_no_principals
+test_with_principals
+test_untrusted_cert