authordjm@openbsd.org <djm@openbsd.org>2019-12-16 02:39:05 +0000
committerDamien Miller <djm@mindrot.org>2019-12-21 13:35:42 +1100
commite5b7cf8edca7e843adc125621e1dab14507f430a (patch)
tree3b7fd4a0558e25b422d64b341f8c5fd50d15c013
parent40be78f503277bd91c958fa25ea9ef918a2ffd3d (diff)
upstream: test security key host keys in addition to user keys
OpenBSD-Regress-ID: 9fb45326106669a27e4bf150575c321806e275b1
-rw-r--r--regress/cert-hostkey.sh6
-rw-r--r--regress/hostkey-agent.sh6
-rw-r--r--regress/keygen-change.sh6
-rw-r--r--regress/keyscan.sh7
-rw-r--r--regress/keytype.sh8
-rw-r--r--regress/krl.sh4
-rw-r--r--regress/limit-keytype.sh4
-rw-r--r--regress/principals-command.sh4
-rw-r--r--regress/test-exec.sh12
9 files changed, 24 insertions, 33 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 67a9795d0..95d7c176a 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-hostkey.sh,v 1.21 2019/12/11 18:47:14 djm Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.22 2019/12/16 02:39:05 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
@@ -9,7 +9,7 @@ rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
9# Allow all hostkey/pubkey types, prefer certs for the client 9# Allow all hostkey/pubkey types, prefer certs for the client
10rsa=0 10rsa=0
11types="" 11types=""
12for i in `$SSH -Q key | filter_sk`; do 12for i in `$SSH -Q key | maybe_filter_sk`; do
13 if [ -z "$types" ]; then 13 if [ -z "$types" ]; then
14 types="$i" 14 types="$i"
15 continue 15 continue
@@ -70,7 +70,7 @@ touch $OBJ/host_revoked_plain
70touch $OBJ/host_revoked_cert 70touch $OBJ/host_revoked_cert
71cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca 71cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
72 72
73PLAIN_TYPES=`$SSH -Q key-plain | filter_sk | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` 73PLAIN_TYPES=`echo "$SSH_KEYTYPES" | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
74 74
75if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then 75if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
76 PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" 76 PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh
index 7f490e013..d6736e246 100644
--- a/regress/hostkey-agent.sh
+++ b/regress/hostkey-agent.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: hostkey-agent.sh,v 1.10 2019/12/11 18:47:14 djm Exp $ 1# $OpenBSD: hostkey-agent.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="hostkey agent" 4tid="hostkey agent"
@@ -14,7 +14,7 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
14echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig 14echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig
15 15
16trace "load hostkeys" 16trace "load hostkeys"
17for k in `${SSH} -Q key-plain | filter_sk` ; do 17for k in $SSH_KEYTYPES ; do
18 ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k" 18 ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
19 ( 19 (
20 printf 'localhost-with-alias,127.0.0.1,::1 ' 20 printf 'localhost-with-alias,127.0.0.1,::1 '
@@ -31,7 +31,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts
31unset SSH_AUTH_SOCK 31unset SSH_AUTH_SOCK
32 32
33for ps in yes; do 33for ps in yes; do
34 for k in `${SSH} -Q key-plain | filter_sk` ; do 34 for k in $SSH_KEYTYPES ; do
35 verbose "key type $k privsep=$ps" 35 verbose "key type $k privsep=$ps"
36 cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy 36 cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
37 echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy 37 echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
diff --git a/regress/keygen-change.sh b/regress/keygen-change.sh
index dd1bfda80..3863e33b5 100644
--- a/regress/keygen-change.sh
+++ b/regress/keygen-change.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: keygen-change.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ 1# $OpenBSD: keygen-change.sh,v 1.9 2019/12/16 02:39:05 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="change passphrase for key" 4tid="change passphrase for key"
@@ -6,9 +6,7 @@ tid="change passphrase for key"
6S1="secret1" 6S1="secret1"
7S2="2secret" 7S2="2secret"
8 8
9KEYTYPES=`${SSH} -Q key-plain | maybe_filter_sk` 9for t in $SSH_KEYTYPES; do
10
11for t in $KEYTYPES; do
12 trace "generating $t key" 10 trace "generating $t key"
13 rm -f $OBJ/$t-key 11 rm -f $OBJ/$t-key
14 ${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key 12 ${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key
diff --git a/regress/keyscan.sh b/regress/keyscan.sh
index 0ce0c7410..b8593fede 100644
--- a/regress/keyscan.sh
+++ b/regress/keyscan.sh
@@ -1,10 +1,9 @@
1# $OpenBSD: keyscan.sh,v 1.11 2019/11/26 23:43:10 djm Exp $ 1# $OpenBSD: keyscan.sh,v 1.12 2019/12/16 02:39:05 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="keyscan" 4tid="keyscan"
5 5
6KEYTYPES=`${SSH} -Q key-plain | filter_sk` 6for i in $SSH_KEYTYPES; do
7for i in $KEYTYPES; do
8 if [ -z "$algs" ]; then 7 if [ -z "$algs" ]; then
9 algs="$i" 8 algs="$i"
10 else 9 else
@@ -15,7 +14,7 @@ echo "HostKeyAlgorithms $algs" >> $OBJ/sshd_config
15 14
16start_sshd 15start_sshd
17 16
18for t in $KEYTYPES; do 17for t in $SSH_KEYTYPES; do
19 trace "keyscan type $t" 18 trace "keyscan type $t"
20 ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \ 19 ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \
21 > /dev/null 2>&1 20 > /dev/null 2>&1
diff --git a/regress/keytype.sh b/regress/keytype.sh
index 91c5aca1b..20a8ceaf2 100644
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: keytype.sh,v 1.9 2019/11/26 23:43:10 djm Exp $ 1# $OpenBSD: keytype.sh,v 1.10 2019/12/16 02:39:05 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="login with different key types" 4tid="login with different key types"
@@ -50,11 +50,7 @@ kname_to_ktype() {
50tries="1 2 3" 50tries="1 2 3"
51for ut in $ktypes; do 51for ut in $ktypes; do
52 user_type=`kname_to_ktype "$ut"` 52 user_type=`kname_to_ktype "$ut"`
53 # SK keys are not supported for hostkeys. 53 htypes="$ut"
54 case "$ut" in
55 *sk) htypes=ed25519-512;;
56 *) htypes="$ut";;
57 esac
58 #htypes=$ktypes 54 #htypes=$ktypes
59 for ht in $htypes; do 55 for ht in $htypes; do
60 host_type=`kname_to_ktype "$ht"` 56 host_type=`kname_to_ktype "$ht"`
diff --git a/regress/krl.sh b/regress/krl.sh
index 1efd80bfe..c381225ed 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: krl.sh,v 1.10 2019/11/26 23:43:10 djm Exp $ 1# $OpenBSD: krl.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="key revocation lists" 4tid="key revocation lists"
@@ -7,7 +7,7 @@ tid="key revocation lists"
7# w/out OpenSSL. Populate ktype[2-4] with the other types if supported. 7# w/out OpenSSL. Populate ktype[2-4] with the other types if supported.
8ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; 8ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
9ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; 9ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
10for t in `${SSH} -Q key-plain | maybe_filter_sk`; do 10for t in $SSH_KEYTYPES; do
11 case "$t" in 11 case "$t" in
12 ecdsa*) ktype2=ecdsa ;; 12 ecdsa*) ktype2=ecdsa ;;
13 ssh-rsa) ktype3=rsa ;; 13 ssh-rsa) ktype3=rsa ;;
diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh
index abac05c0c..010a88cd7 100644
--- a/regress/limit-keytype.sh
+++ b/regress/limit-keytype.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: limit-keytype.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ 1# $OpenBSD: limit-keytype.sh,v 1.9 2019/12/16 02:39:05 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="restrict pubkey type" 4tid="restrict pubkey type"
@@ -13,7 +13,7 @@ mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
13 13
14ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; 14ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
15ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; 15ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
16for t in `${SSH} -Q key-plain | maybe_filter_sk`; do 16for t in $SSH_KEYTYPES ; do
17 case "$t" in 17 case "$t" in
18 ssh-rsa) ktype2=rsa ;; 18 ssh-rsa) ktype2=rsa ;;
19 ecdsa*) ktype3=ecdsa ;; # unused 19 ecdsa*) ktype3=ecdsa ;; # unused
diff --git a/regress/principals-command.sh b/regress/principals-command.sh
index 9e85e8e75..5e535c133 100644
--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: principals-command.sh,v 1.10 2019/12/11 18:47:14 djm Exp $ 1# $OpenBSD: principals-command.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="authorized principals command" 4tid="authorized principals command"
@@ -12,7 +12,7 @@ if [ -z "$SUDO" -a ! -w /var/run ]; then
12 exit 0 12 exit 0
13fi 13fi
14 14
15case "`${SSH} -Q key-plain`" in 15case "$SSH_KEYTYPES" in
16 *ssh-rsa*) userkeytype=rsa ;; 16 *ssh-rsa*) userkeytype=rsa ;;
17 *) userkeytype=ed25519 ;; 17 *) userkeytype=ed25519 ;;
18esac 18esac
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 4bf4059fc..03dab2031 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: test-exec.sh,v 1.68 2019/11/26 23:43:10 djm Exp $ 1# $OpenBSD: test-exec.sh,v 1.69 2019/12/16 02:39:05 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4#SUDO=sudo 4#SUDO=sudo
@@ -493,23 +493,21 @@ export SSH_SK_PROVIDER
493if ! test -z "$SSH_SK_PROVIDER"; then 493if ! test -z "$SSH_SK_PROVIDER"; then
494 EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)... 494 EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)...
495 echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config 495 echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config
496 echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_config
497 echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_proxy
496fi 498fi
497export EXTRA_AGENT_ARGS 499export EXTRA_AGENT_ARGS
498 500
499filter_sk() {
500 grep -v ^sk
501}
502
503maybe_filter_sk() { 501maybe_filter_sk() {
504 if test -z "$SSH_SK_PROVIDER" ; then 502 if test -z "$SSH_SK_PROVIDER" ; then
505 filter_sk 503 grep -v ^sk
506 else 504 else
507 cat 505 cat
508 fi 506 fi
509} 507}
510 508
511SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk` 509SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk`
512SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | filter_sk` 510SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk`
513 511
514for t in ${SSH_KEYTYPES}; do 512for t in ${SSH_KEYTYPES}; do
515 # generate user key 513 # generate user key