#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
#   runtest.sh of /CoreOS/openssh/Sanity/pam_ssh_agent_auth
#   Description: This is a basic sanity test for pam_ssh_agent_auth
#   Author: Jakub Jelen <jjelen@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
#   Copyright (c) 2015 Red Hat, Inc.
#
#   This program is free software: you can redistribute it and/or
#   modify it under the terms of the GNU General Public License as
#   published by the Free Software Foundation, either version 2 of
#   the License, or (at your option) any later version.
#
#   This program is distributed in the hope that it will be
#   useful, but WITHOUT ANY WARRANTY; without even the implied
#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
#   PURPOSE.  See the GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
# Package under test and the PAM stack files this test edits.
PACKAGE="openssh"
PAM_SUDO="/etc/pam.d/sudo"
PAM_SSHD="/etc/pam.d/sshd"
# Name of the helper PAM module that is built from ${PAM_MODULE}.c later on.
PAM_MODULE="pam_save_ssh_var"
SUDOERS_CFG="/etc/sudoers.d/01_pam_ssh_auth"
SSHD_CFG="/etc/ssh/sshd_config"

# Throw-away account used for the sudo and ssh checks.
# NOTE(review): this shadows the login shell's conventional USER variable; if
# USER was exported by the environment, child processes inherit the new value.
USER="testuser$RANDOM"
# Fixed password for the throw-away account above.
PASS="testpassxy4re.3298fhdsaf"

# Key store handed to pam_ssh_agent_auth via file=, plus the
# authorized_keys_command helper script and the key file it prints.
AUTH_KEYS="/etc/security/authorized_keys"
AK_COMMAND_BIN="/root/ak.sh"
AK_COMMAND_KEYS="/root/akeys"

# Key types to exercise; "dsa" is appended later unless FIPS mode is enabled.
KEYS=("rsa" "ecdsa")
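rlJournalStart
    rlPhaseStartSetup
        # Both the server package and the PAM module under test must be installed.
        rlAssertRpm "$PACKAGE"
        rlAssertRpm pam_ssh_agent_auth
        # Provides fipsIsEnabled, used below to decide whether dsa keys are tested.
        rlImport distribution/fips
        rlServiceStart sshd
        # rlRun evaluates its command in the current shell, so the escaped
        # $(mktemp -d) runs at eval time and TmpDir stays set for later phases.
        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
        # The helper PAM module source ships next to this script; it is built
        # inside TmpDir later in the test.
        rlRun "cp ${PAM_MODULE}.c $TmpDir/"
        rlRun "pushd $TmpDir"
        # Everything edited below is undone by the final rlFileRestore.
        rlFileBackup --clean "$PAM_SUDO" /etc/sudoers /etc/sudoers.d/ /etc/security/ "$AUTH_KEYS"
        # Let sudo accept a key held by the caller's agent when it is listed in
        # AUTH_KEYS. Same GNU sed one-line form as the sshd edit later in the test.
        rlRun "sed -i '1 a auth       sufficient   pam_ssh_agent_auth.so file=$AUTH_KEYS' $PAM_SUDO"
        # sudo must pass the agent socket through and must not require a tty,
        # because the tests run sudo from su -c without a terminal.
        rlRun "echo 'Defaults    env_keep += \"SSH_AUTH_SOCK\"' > $SUDOERS_CFG"
        rlRun "echo 'Defaults    !requiretty' >> $SUDOERS_CFG"
        # Grant wheel only when the stock sudoers does not already do so; -q keeps
        # the matched sudoers line out of the test output.
        grep -q '^%wheel' /etc/sudoers || \
           rlRun "echo '%wheel        ALL=(ALL)       ALL' >> $SUDOERS_CFG"
        rlRun "useradd $USER -G wheel"
        # Reference the password by variable name so rlRun's journal line shows
        # "$PASS" instead of the value; the eval in rlRun expands it.
        rlRun "printf '%s\n' \"\$PASS\" | passwd --stdin $USER"
    rlPhaseEnd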
    # dsa is only exercised when FIPS mode is off; fipsIsEnabled comes from the
    # distribution/fips library imported during setup.
    fipsIsEnabled || KEYS+=("dsa")
    for key_type in "${KEYS[@]}"; do
        rlPhaseStartTest "Test with key type ${key_type}"
            # Generate a passphrase-less key pair for the test user (-N "").
            rlRun "su $USER -c 'ssh-keygen -t ${key_type} -f ~/.ssh/my_id_${key_type} -N \"\"'"

            # Nothing is listed in AUTH_KEYS yet, so sudo must not grant root even
            # with an agent running. The su -c compound exits with the status of
            # its last command (ssh-agent -k), hence 0 is expected here as well.
            rlRun -s "su $USER -c 'eval \`ssh-agent\`; sudo id; ssh-agent -k'"
            rlAssertNotGrep "uid=0(root) gid=0(root)" "$rlRun_LOG"

            # Append instead of overwriting: later key types then sit on a
            # non-first line of the file, which exercises the module's matching too.
            rlRun "cat ~$USER/.ssh/my_id_${key_type}.pub >> $AUTH_KEYS"
            # With the key loaded into the agent, sudo should now yield root.
            rlRun -s "su $USER -c 'eval \`ssh-agent\`; ssh-add ~/.ssh/my_id_${key_type}; sudo id; ssh-agent -k'"
            rlAssertGrep "uid=0(root) gid=0(root)" "$rlRun_LOG"
        rlPhaseEnd
    done
    # The authorized_keys_command option is marked as not available on
    # RHEL < 6.8 and on RHEL 7 < 7.3, so the whole section is skipped there.
    if ! { rlIsRHEL '<6.8' || ( rlIsRHEL '<7.3' && rlIsRHEL 7 ); }; then
        rlPhaseStartSetup "Setup for authorized_keys_command"
            # Own backup namespace so only this section's sudo PAM edit is undone below.
            rlFileBackup --namespace ak_command "$PAM_SUDO"
            # Remove the file= key store so only the command's output can authorize a key.
            rlRun "rm -f $AUTH_KEYS"
            # The helper merely prints the key file; the PAM line below makes the
            # module run it as root.
            printf '#!/bin/bash\ncat %s\n' "$AK_COMMAND_KEYS" >"$AK_COMMAND_BIN"
            rlRun "chmod +x $AK_COMMAND_BIN"
            # Swap the file= line from setup for the authorized_keys_command variant.
            rlRun "sed -i 's|.*pam_ssh_agent_auth.*|auth sufficient pam_ssh_agent_auth.so authorized_keys_command=$AK_COMMAND_BIN authorized_keys_command_user=root|' $PAM_SUDO"
            rlRun "cat $PAM_SUDO"
        rlPhaseEnd

        for key_type in "${KEYS[@]}"; do
            rlPhaseStartTest "Test authorized_keys_command with key type ${key_type} (bz1299555, bz1317858)"
                # Overwrite, not append: the helper must serve exactly this key.
                rlRun "cat ~$USER/.ssh/my_id_${key_type}.pub >$AK_COMMAND_KEYS"
                rlRun -s "su $USER -c 'eval \`ssh-agent\`; ssh-add ~/.ssh/my_id_${key_type}; sudo id; ssh-agent -k'"
                rlAssertGrep "uid=0(root) gid=0(root)" "$rlRun_LOG"
            rlPhaseEnd
        done

        rlPhaseStartCleanup "Cleanup for authorized_keys_command"
            rlFileRestore --namespace ak_command
            rlRun "rm -f $AK_COMMAND_BIN $AK_COMMAND_KEYS"
        rlPhaseEnd
    fi
    if rlIsRHEL '>=7.3'; then # not in Fedora anymore
        # Exercises sshd's ExposeAuthenticationMethods option: the list of methods
        # that authenticated the session is handed to PAM and/or placed in the
        # session environment as SSH_USER_AUTH. The helper PAM module
        # (PAM_MODULE, built from source below) records what PAM receives.
        rlPhaseStartTest "bz1312304 - Exposing information about succesful auth"
            # Own backup namespace so only this phase's edits are undone at its end.
            rlRun "rlFileBackup --namespace exposing $PAM_SSHD"
            rlRun "rlFileBackup --namespace exposing $SSHD_CFG"
            rlRun "rlFileBackup --namespace exposing /root/.ssh/"
            # Fresh passphrase-less root key, used below to log in as the test user.
            rlRun "rm -f ~/.ssh/id_rsa*"
            rlRun "ssh-keygen -f ~/.ssh/id_rsa -N \"\"" 0
            # Pre-seed known_hosts so the ssh calls below do not stop at a host-key prompt.
            rlRun "ssh-keyscan localhost >~/.ssh/known_hosts" 0
            # NOTE(review): "~$USER" is not tilde-expanded at assignment time (the
            # prefix is not a literal login name), so the value keeps its leading
            # "~"; it works only because rlRun evaluates the commands below and
            # expands it then. A literal path would be clearer.
            USER_AK_FILE=~$USER/.ssh/authorized_keys
            rlRun "cat ~/.ssh/id_rsa.pub >$USER_AK_FILE"
            rlRun "chown $USER:$USER $USER_AK_FILE"
            rlRun "chmod 0600 $USER_AK_FILE"
            # Build the helper as a shared object (kept under the .o name) and copy
            # it into whichever PAM module directory exists; status 1 is accepted
            # for the directory that is absent.
            rlRun "gcc -fPIC -DPIC -shared -rdynamic -o $PAM_MODULE.o $PAM_MODULE.c"
            rlRun "test -d /lib64/security && cp $PAM_MODULE.o /lib64/security/" 0,1
            rlRun "test -d /lib/security && cp $PAM_MODULE.o /lib/security/" 0,1
            # Load the helper first in sshd's PAM stack; "optional" so its result
            # should not affect the authentication outcome.
            rlRun "sed -i '1 i auth       optional         $PAM_MODULE.o' $PAM_SSHD"

            # pam-and-env should expose information to both PAM and environmental variable;
            # we will be testing only env variable here for the time being,
            rlRun "echo 'ExposeAuthenticationMethods pam-and-env' >>$SSHD_CFG"
            # Drop any explicit ChallengeResponseAuthentication setting so sshd's
            # default applies (the keyboard-interactive:pam method used later
            # presumably relies on it -- confirm).
            rlRun "sed -i '/^ChallengeResponseAuthentication/ d' $SSHD_CFG"
            rlRun "service sshd restart"
            rlWaitForSocket 22 -t 5
            # Public-key login: the session environment must carry the method list.
            rlRun -s "ssh -i ~/.ssh/id_rsa $USER@localhost \"env|grep SSH_USER_AUTH\"" 0 \
                "Environment variable SSH_USER_AUTH is set"
            rlAssertGrep "^SSH_USER_AUTH=publickey:" $rlRun_LOG
            rlRun "rm -f $rlRun_LOG"

            # pam-only should expose information only to PAM and not to environment variable
            rlRun "sed -i 's/pam-and-env/pam-only/' $SSHD_CFG"
            # Require both the key and a PAM password exchange, so that the login
            # below goes through PAM (and therefore the helper module) as well.
            rlRun "echo 'AuthenticationMethods publickey,keyboard-interactive:pam' >>$SSHD_CFG"
            rlRun "service sshd restart"
            rlWaitForSocket 22 -t 5
#######################################
# Log in as the test user with key + password through expect and capture the
# session's SSH_USER_AUTH output (if any) in an rlRun log.
# Globals:   USER, PASS (read); ssh_args (written, not local);
#            rlRun_LOG (set by the inner rlRun -s)
# Arguments: none
# Outputs:   writes ssh.exp into the current directory (TmpDir, entered by the
#            setup pushd). The file holds PASS in clear text; it is removed
#            together with TmpDir in the final cleanup.
# Returns:   status of the rlRun around expect (expect exits 1 on timeout,
#            0 on eof)
#######################################
ssh_with_pass() {
    ssh_args=("-i /root/.ssh/id_rsa")
    ssh_args+=("$USER@localhost")
    # Unquoted heredoc: $PASS and ${ssh_args[*]} are filled in by this shell,
    # while "\r" is left for expect/Tcl to interpret.
    cat >ssh.exp <<_EOF
#!/usr/bin/expect -f

set timeout 5
spawn ssh ${ssh_args[*]} "echo CONNECTED; env|grep SSH_USER_AUTH"
expect {
    -re {.*[Pp]assword.*} { send -- "$PASS\r"; exp_continue }
    timeout { exit 1 }
    eof { exit 0 }
}
_EOF
    rlRun -s "expect -f ssh.exp"
}
            #rlRun -s "ssh ${ssh_args[*]} \"echo CONNECTED; env|grep SSH_USER_AUTH\"" 1 \
                #"Environment variable SSH_USER_AUTH is NOT set"
            # NOTE(review): the inner rlRun -s sets rlRun_LOG; the grep below relies
            # on the outer rlRun (no -s) leaving that value in place -- confirm.
            rlRun "ssh_with_pass"
            rlRun "grep -q CONNECTED $rlRun_LOG" 0 "Connection was successful"
            # /tmp/SSH_USER_AUTH is presumably written by the helper module (its
            # source is not shown here): with pam-only, PAM must still receive
            # the method list.
            # NOTE(review): nothing asserts that SSH_USER_AUTH is absent from the
            # session environment in pam-only mode; the commented-out rlRun above
            # was that check.
            rlAssertGrep "^SSH_USER_AUTH: 'publickey:" /tmp/SSH_USER_AUTH
            rlRun "cat /tmp/SSH_USER_AUTH"
            rlRun "rm -f $rlRun_LOG /tmp/SSH_USER_AUTH"
            # Uninstall the helper from whichever directory received it.
            for pm in /lib64/security/$PAM_MODULE.o /lib/security/$PAM_MODULE.o; do
                rlRun "test -e $pm && rm -f $pm" 0,1
            done
            rlRun "rlFileRestore --namespace exposing"
        rlPhaseEnd
    fi
    rlPhaseStartCleanup
        # Leave TmpDir (entered by the setup pushd) before deleting it.
        rlRun "popd"
        rlRun "rm -r ${TmpDir}" 0 "Removing tmp directory"
        # -r removes the home directory, and with it the generated keys.
        rlRun "userdel -fr ${USER}"
        # Undo every edit recorded in the default backup namespace during setup.
        rlFileRestore
        rlServiceRestore sshd
    rlPhaseEnd
rlJournalPrintText
rlJournalEnd