--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -390,6 +390,10 @@ check_principals_line(struct ssh *ssh, c
 continue;
 debug3("%s: matched principal \"%.100s\"", loc, cert->principals[i]);
+ verbose("Matched principal \"%.100s\" from %s against \"%.100s\" "
+ "from cert",
+ cp, loc, cert->principals[i]);
+ found = 1;
 slog_set_principal(cp);
 }
@@ -433,6 +437,8 @@ process_principals(struct ssh *ssh, FILE
 found_principal = 1;
 }
 free(line);
+ if (!found_principal)
+ verbose("Did not match any principals from auth_principals_* files");
 return found_principal;
 }
@@ -711,7 +717,7 @@ check_authkey_line(struct ssh *ssh, stru
 &reason) != 0)
 goto fail_reason;
- verbose("Accepted certificate ID \"%s\" (serial %llu) "
+ verbose("Accepted cert ID \"%s\" (serial %llu) "
 "signed by CA %s %s found at %s", key->cert->key_id, (unsigned long long)key->cert->serial,
@@ -781,7 +787,7 @@ static int
 user_cert_trusted_ca(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 struct sshauthopt **authoptsp)
 {
- char *ca_fp, *principals_file = NULL;
+ char *ca_fp, *key_fp, *principals_file = NULL;
 const char *reason;
 struct sshauthopt *principals_opts = NULL, *cert_opts = NULL;
 struct sshauthopt *final_opts = NULL;
@@ -797,11 +803,16 @@ user_cert_trusted_ca(struct ssh *ssh, st
 options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
 return 0;
+ key_fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
+
 if ((r = sshkey_in_file(key->cert->signature_key, options.trusted_user_ca_keys, 1, 0)) != 0) {
 debug2_fr(r, "CA %s %s is not listed in %s", sshkey_type(key->cert->signature_key), ca_fp, options.trusted_user_ca_keys);
+ verbose("CA %s %s is not listed in %s",
+ sshkey_type(key->cert->signature_key), ca_fp,
+ options.trusted_user_ca_keys);
 goto out;
 }
 /*
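Review bot: The added `verbose("Matched principal …")` reports a match before the certificate has actually been accepted: check_principals_line is reached from the principals lookup in user_cert_trusted_ca, and in upstream that lookup runs ahead of sshkey_cert_check_authority and the authopts merge (both outside this hunk), so the line can appear for a cert that is rejected moments later, e.g. one outside its validity window. Say so where it is emitted, `/* Informational only: the cert has not yet passed validity/option checks */`, so nobody builds an alert on this line alone instead of on the later "Accepted cert ID" line. The new call also repeats the debug3 directly above it; one of the two can go. The enclosing for loop starts outside the hunk.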
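Review bot: The new message hardcodes `auth_principals_* files`, which is a naming convention of this deployment rather than the path sshd actually read, and — if this fork keeps upstream's call path — process_principals is also fed the output of AuthorizedPrincipalsCommand, where no file exists at all. Upstream passes the source name into process_principals as a parameter, so log that instead: `verbose("Did not match any principals from %s", file);` (adjust to this fork's parameter name; the signature is cut off in the hunk header). The matching pattern in regress/cert-logging.sh would need the same change.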
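Review bot: `key_fp` is declared without an initializer while `free(key_fp)` is now executed unconditionally at the `out:` label (a later hunk of this diff); any `goto out` taken before the assignment added further down — roughly ten lines separate the two hunks and are not visible here — would free an indeterminate pointer. Initialize it the way principals_file already is: `char *ca_fp, *key_fp = NULL, *principals_file = NULL;`. The function body continues past the hunk.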
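Review bot: The return value of `sshkey_fingerprint()` for key_fp is never checked, unlike the identical call for ca_fp two lines above that bails out on NULL; on failure key_fp stays NULL and is later handed to `%s` in the "Rejected"/"Accepted" verbose() calls (later hunks), which is undefined behaviour in the underlying vsnprintf rather than a guaranteed "(null)". Mirror the existing check: `if ((key_fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) goto out;` — goto out rather than return 0 so ca_fp is released, assuming ret is initialised to 0 as in upstream (its declaration is outside this hunk). Separately, the new verbose() repeats the debug2_fr text verbatim, producing two log lines for one event; a single call at verbose level would do. user_cert_trusted_ca continues past both ends of the hunk.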
@@ -852,6 +863,11 @@ user_cert_trusted_ca(struct ssh *ssh, st
 if ((final_opts = sshauthopt_merge(principals_opts, cert_opts, &reason)) == NULL) {
 fail_reason:
+ verbose("Rejected cert ID \"%s\" with signature "
+ "%s signed by %s CA %s via %s",
+ key->cert->key_id, key_fp,
+ sshkey_type(key->cert->signature_key), ca_fp,
+ options.trusted_user_ca_keys);
 error("%s", reason);
 auth_debug_add("%s", reason);
 goto out;
@@ -859,9 +875,10 @@ user_cert_trusted_ca(struct ssh *ssh, st
 }
 /* Success */
- verbose("Accepted certificate ID \"%s\" (serial %llu) signed by "
- "%s CA %s via %s", key->cert->key_id,
- (unsigned long long)key->cert->serial,
+ verbose("Accepted cert ID \"%s\" (serial %llu) with signature %s "
+ "signed by %s CA %s via %s",
+ key->cert->key_id,
+ (unsigned long long)key->cert->serial, key_fp,
 sshkey_type(key->cert->signature_key), ca_fp, options.trusted_user_ca_keys);
 if (authoptsp != NULL) {
@@ -876,6 +893,7 @@ user_cert_trusted_ca(struct ssh *ssh, st
 sshauthopt_free(final_opts);
 free(principals_file);
 free(ca_fp);
+ free(key_fp);
 return ret;
 }
--- /dev/null
+++ b/regress/cert-logging.sh
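Review bot: The new "Rejected cert ID" line omits the serial that the matching "Accepted" line carries and leaves the actual reason on the separate error() line that follows, so a SIEM rule has to join two records to learn why a given cert was refused; key IDs are free text a CA may reuse, whereas the serial is what distinguishes reissued certs, so that join is unreliable. Fold both into the one record: `verbose("Rejected cert ID \"%s\" (serial %llu) with signature %s signed by %s CA %s via %s: %s", key->cert->key_id, (unsigned long long)key->cert->serial, key_fp, sshkey_type(key->cert->signature_key), ca_fp, options.trusted_user_ca_keys, reason);`. Note that key_fp can be NULL here if its sshkey_fingerprint() call in an earlier hunk failed, since that return is unchecked. The enclosing function continues outside the hunk.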
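Review bot: The reworded "Accepted cert ID …" line is easy to misread as a completed login: user_cert_trusted_ca is reached through user_key_allowed, which upstream's userauth_pubkey also invokes for the unsigned publickey query (outside this diff), so if this fork keeps that flow the line is logged for a client that merely presents the public half of the cert without ever proving possession of the private key. A comment at the call, `/* Also logged on the unsigned pubkey query; possession is only proven by the later signature check */`, and treating "Accepted publickey for" as the sole authoritative success record would prevent that confusion. Changing the long-standing "Accepted certificate ID" wording (here and in check_authkey_line in an earlier hunk) also silently breaks any log rules that already match it; call that out in the release notes, or keep the old prefix and only append the new fingerprint field.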
@@ -0,0 +1,84 @@
+tid="cert logging"
+
+CERT_ID="cert_id"
+PRINCIPAL=$USER
+SERIAL=0
+
+log_grep() {
+ if [ "$(grep -c -G "$1" "$TEST_SSHD_LOGFILE")" == "0" ]; then
+ return 1;
+ else
+ return 0;
+ fi
+}
+
+cat << EOF >> $OBJ/sshd_config
+TrustedUserCAKeys $OBJ/ssh-rsa.pub
+Protocol 2
+PubkeyAuthentication yes
+AuthenticationMethods publickey
+AuthorizedPrincipalsFile $OBJ/auth_principals
+EOF
+
+if [ ! -f $OBJ/trusted_rsa ]; then
+ ${SSHKEYGEN} -q -t rsa -C '' -N '' -f $OBJ/trusted_rsa
+fi
+if [ ! -f $OBJ/untrusted_rsa ]; then
+ ${SSHKEYGEN} -q -t rsa -C '' -N '' -f $OBJ/untrusted_rsa
+fi
+
+${SSHKEYGEN} -q -s $OBJ/ssh-rsa -I $CERT_ID -n $PRINCIPAL -z $SERIAL $OBJ/trusted_rsa.pub ||
+ fatal "Could not create trusted SSH cert"
+
+${SSHKEYGEN} -q -s $OBJ/untrusted_rsa -I $CERT_ID -n $PRINCIPAL -z $SERIAL $OBJ/untrusted_rsa.pub ||
+ fatal "Could not create untrusted SSH cert"
+
+CA_FP="$(${SSHKEYGEN} -l -E sha256 -f ssh-rsa | cut -d' ' -f2)"
+KEY_FP="$(${SSHKEYGEN} -l -E sha256 -f trusted_rsa | cut -d' ' -f2)"
+UNTRUSTED_CA_FP="$(${SSHKEYGEN} -l -E sha256 -f untrusted_rsa | cut -d' ' -f2)"
+
+start_sshd
+
+
+test_no_principals() {
+ echo > $OBJ/auth_principals
+ ${SSH} -F $OBJ/ssh_config -i $OBJ/trusted_rsa-cert.pub somehost true ||
+ fatal "SSH failed"
+
+ if ! log_grep 'Did not match any principals from auth_principals_\* files'; then
+ fail "No 'Did not match any principals' message"
+ fi
+
+ if ! log_grep "Rejected cert ID \"$CERT_ID\" with signature $KEY_FP signed by RSA CA $CA_FP via $OBJ/ssh-rsa.pub"; then
+ fail "No 'Rejected cert ID' message"
+ fi
+}
+
+
+test_with_principals() {
+ echo $USER > $OBJ/auth_principals
+ ${SSH} -F $OBJ/ssh_config -i $OBJ/trusted_rsa-cert.pub somehost true ||
+ fatal "SSH failed"
+
+ if ! log_grep "Matched principal \"$PRINCIPAL\" from $OBJ/auth_principals:1 against \"$PRINCIPAL\" from cert"; then
+ fail "No 'Matched principal' message"
+ fi
+ if !
log_grep "Accepted cert ID \"$CERT_ID\" (serial $SERIAL) with signature $KEY_FP signed by RSA CA $CA_FP via $OBJ/ssh-rsa.pub"; then
+ fail "No 'Accepted cert ID' message"
+ fi
+}
+
+
+test_untrusted_cert() {
+ ${SSH} -F $OBJ/ssh_config -i $OBJ/untrusted_rsa-cert.pub somehost true ||
+ fatal "SSH failed"
+
+ if ! log_grep "CA RSA $UNTRUSTED_CA_FP is not listed in $OBJ/ssh-rsa.pub"; then
+ fail "No 'CA is not listed' message"
+ fi
+}
+
+
+test_no_principals
+test_with_principals
+test_untrusted_cert
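Review bot: Both rejection cases in the new test demand that ssh succeed (`|| fatal "SSH failed"` in test_no_principals and test_untrusted_cert), presumably because the client falls back to another identity from the harness ssh_config, so the test only proves a rejection line was logged and would not notice the cert being wrongly accepted alongside it; run those cases with `-o IdentitiesOnly=yes` and expect the connection to fail. The fingerprint lines also read `ssh-rsa`, `trusted_rsa` and `untrusted_rsa` relative to the current directory while everything else uses `$OBJ/…`; if the cwd differs the variables are empty, an empty `$KEY_FP` still satisfies the grep, and the rejected/accepted patterns silently stop checking fingerprints. `==` inside `[` is a bashism the regress suite's /bin/sh need not accept, and `grep -q` already returns the status log_grep wants. The rewrite below covers those three points.
```shell
log_grep() {
	grep -q -G "$1" "$TEST_SSHD_LOGFILE"
}

# … unchanged: sshd_config, key and cert generation …

CA_FP="$(${SSHKEYGEN} -l -E sha256 -f $OBJ/ssh-rsa | cut -d' ' -f2)"
KEY_FP="$(${SSHKEYGEN} -l -E sha256 -f $OBJ/trusted_rsa | cut -d' ' -f2)"
UNTRUSTED_CA_FP="$(${SSHKEYGEN} -l -E sha256 -f $OBJ/untrusted_rsa | cut -d' ' -f2)"
[ -n "$CA_FP" ] && [ -n "$KEY_FP" ] && [ -n "$UNTRUSTED_CA_FP" ] ||
	fatal "Could not compute fingerprints"

# … unchanged: start_sshd …

test_no_principals() {
	echo > $OBJ/auth_principals
	# The cert must be refused; without IdentitiesOnly ssh can fall back to
	# another identity from ssh_config and mask a wrongly accepted cert.
	${SSH} -F $OBJ/ssh_config -o IdentitiesOnly=yes \
	    -i $OBJ/trusted_rsa-cert.pub somehost true &&
		fail "SSH succeeded with cert lacking an authorized principal"
	# … unchanged: log_grep checks …
}

# … unchanged: test_with_principals …

test_untrusted_cert() {
	${SSH} -F $OBJ/ssh_config -o IdentitiesOnly=yes \
	    -i $OBJ/untrusted_rsa-cert.pub somehost true &&
		fail "SSH succeeded with cert from untrusted CA"
	# … unchanged: log_grep check …
}
```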