author | djm@openbsd.org <djm@openbsd.org> | 2019-12-16 02:39:05 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-12-21 13:35:42 +1100 |
commit | e5b7cf8edca7e843adc125621e1dab14507f430a (patch) | |
tree | 3b7fd4a0558e25b422d64b341f8c5fd50d15c013 | |
parent | 40be78f503277bd91c958fa25ea9ef918a2ffd3d (diff) |
upstream: test security key host keys in addition to user keys
OpenBSD-Regress-ID: 9fb45326106669a27e4bf150575c321806e275b1
-rw-r--r-- | regress/cert-hostkey.sh | 6 | ||||
-rw-r--r-- | regress/hostkey-agent.sh | 6 | ||||
-rw-r--r-- | regress/keygen-change.sh | 6 | ||||
-rw-r--r-- | regress/keyscan.sh | 7 | ||||
-rw-r--r-- | regress/keytype.sh | 8 | ||||
-rw-r--r-- | regress/krl.sh | 4 | ||||
-rw-r--r-- | regress/limit-keytype.sh | 4 | ||||
-rw-r--r-- | regress/principals-command.sh | 4 | ||||
-rw-r--r-- | regress/test-exec.sh | 12 |
9 files changed, 24 insertions, 33 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 67a9795d0..95d7c176a 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: cert-hostkey.sh,v 1.21 2019/12/11 18:47:14 djm Exp $ | 1 | # $OpenBSD: cert-hostkey.sh,v 1.22 2019/12/16 02:39:05 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="certified host keys" | 4 | tid="certified host keys" |
@@ -9,7 +9,7 @@ rm -f $OBJ/cert_host_key* $OBJ/host_krl_* | |||
9 | # Allow all hostkey/pubkey types, prefer certs for the client | 9 | # Allow all hostkey/pubkey types, prefer certs for the client |
10 | rsa=0 | 10 | rsa=0 |
11 | types="" | 11 | types="" |
12 | for i in `$SSH -Q key | filter_sk`; do | 12 | for i in `$SSH -Q key | maybe_filter_sk`; do |
13 | if [ -z "$types" ]; then | 13 | if [ -z "$types" ]; then |
14 | types="$i" | 14 | types="$i" |
15 | continue | 15 | continue |
@@ -70,7 +70,7 @@ touch $OBJ/host_revoked_plain | |||
70 | touch $OBJ/host_revoked_cert | 70 | touch $OBJ/host_revoked_cert |
71 | cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca | 71 | cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca |
72 | 72 | ||
73 | PLAIN_TYPES=`$SSH -Q key-plain | filter_sk | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` | 73 | PLAIN_TYPES=`echo "$SSH_KEYTYPES" | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` |
74 | 74 | ||
75 | if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then | 75 | if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then |
76 | PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" | 76 | PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" |
diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh index 7f490e013..d6736e246 100644 --- a/regress/hostkey-agent.sh +++ b/regress/hostkey-agent.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: hostkey-agent.sh,v 1.10 2019/12/11 18:47:14 djm Exp $ | 1 | # $OpenBSD: hostkey-agent.sh,v 1.11 2019/12/16 02:39:05 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="hostkey agent" | 4 | tid="hostkey agent" |
@@ -14,7 +14,7 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig | |||
14 | echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig | 14 | echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig |
15 | 15 | ||
16 | trace "load hostkeys" | 16 | trace "load hostkeys" |
17 | for k in `${SSH} -Q key-plain | filter_sk` ; do | 17 | for k in $SSH_KEYTYPES ; do |
18 | ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k" | 18 | ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k" |
19 | ( | 19 | ( |
20 | printf 'localhost-with-alias,127.0.0.1,::1 ' | 20 | printf 'localhost-with-alias,127.0.0.1,::1 ' |
@@ -31,7 +31,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts | |||
31 | unset SSH_AUTH_SOCK | 31 | unset SSH_AUTH_SOCK |
32 | 32 | ||
33 | for ps in yes; do | 33 | for ps in yes; do |
34 | for k in `${SSH} -Q key-plain | filter_sk` ; do | 34 | for k in $SSH_KEYTYPES ; do |
35 | verbose "key type $k privsep=$ps" | 35 | verbose "key type $k privsep=$ps" |
36 | cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy | 36 | cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy |
37 | echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy | 37 | echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy |
diff --git a/regress/keygen-change.sh b/regress/keygen-change.sh index dd1bfda80..3863e33b5 100644 --- a/regress/keygen-change.sh +++ b/regress/keygen-change.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: keygen-change.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ | 1 | # $OpenBSD: keygen-change.sh,v 1.9 2019/12/16 02:39:05 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="change passphrase for key" | 4 | tid="change passphrase for key" |
@@ -6,9 +6,7 @@ tid="change passphrase for key" | |||
6 | S1="secret1" | 6 | S1="secret1" |
7 | S2="2secret" | 7 | S2="2secret" |
8 | 8 | ||
9 | KEYTYPES=`${SSH} -Q key-plain | maybe_filter_sk` | 9 | for t in $SSH_KEYTYPES; do |
10 | |||
11 | for t in $KEYTYPES; do | ||
12 | trace "generating $t key" | 10 | trace "generating $t key" |
13 | rm -f $OBJ/$t-key | 11 | rm -f $OBJ/$t-key |
14 | ${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key | 12 | ${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key |
diff --git a/regress/keyscan.sh b/regress/keyscan.sh index 0ce0c7410..b8593fede 100644 --- a/regress/keyscan.sh +++ b/regress/keyscan.sh | |||
@@ -1,10 +1,9 @@ | |||
1 | # $OpenBSD: keyscan.sh,v 1.11 2019/11/26 23:43:10 djm Exp $ | 1 | # $OpenBSD: keyscan.sh,v 1.12 2019/12/16 02:39:05 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="keyscan" | 4 | tid="keyscan" |
5 | 5 | ||
6 | KEYTYPES=`${SSH} -Q key-plain | filter_sk` | 6 | for i in $SSH_KEYTYPES; do |
7 | for i in $KEYTYPES; do | ||
8 | if [ -z "$algs" ]; then | 7 | if [ -z "$algs" ]; then |
9 | algs="$i" | 8 | algs="$i" |
10 | else | 9 | else |
@@ -15,7 +14,7 @@ echo "HostKeyAlgorithms $algs" >> $OBJ/sshd_config | |||
15 | 14 | ||
16 | start_sshd | 15 | start_sshd |
17 | 16 | ||
18 | for t in $KEYTYPES; do | 17 | for t in $SSH_KEYTYPES; do |
19 | trace "keyscan type $t" | 18 | trace "keyscan type $t" |
20 | ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \ | 19 | ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \ |
21 | > /dev/null 2>&1 | 20 | > /dev/null 2>&1 |
diff --git a/regress/keytype.sh b/regress/keytype.sh index 91c5aca1b..20a8ceaf2 100644 --- a/regress/keytype.sh +++ b/regress/keytype.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: keytype.sh,v 1.9 2019/11/26 23:43:10 djm Exp $ | 1 | # $OpenBSD: keytype.sh,v 1.10 2019/12/16 02:39:05 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="login with different key types" | 4 | tid="login with different key types" |
@@ -50,11 +50,7 @@ kname_to_ktype() { | |||
50 | tries="1 2 3" | 50 | tries="1 2 3" |
51 | for ut in $ktypes; do | 51 | for ut in $ktypes; do |
52 | user_type=`kname_to_ktype "$ut"` | 52 | user_type=`kname_to_ktype "$ut"` |
53 | # SK keys are not supported for hostkeys. | 53 | htypes="$ut" |
54 | case "$ut" in | ||
55 | *sk) htypes=ed25519-512;; | ||
56 | *) htypes="$ut";; | ||
57 | esac | ||
58 | #htypes=$ktypes | 54 | #htypes=$ktypes |
59 | for ht in $htypes; do | 55 | for ht in $htypes; do |
60 | host_type=`kname_to_ktype "$ht"` | 56 | host_type=`kname_to_ktype "$ht"` |
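Review bot: With the SK special case removed, `htypes="$ut"` on new line 53 turns the inner `for ht in $htypes` loop into a single iteration, so the loop plus the retained `#htypes=$ktypes` line read as leftovers rather than a deliberate switch; a short comment above it, `# one host type per user type; set htypes=$ktypes to test the full cross-product`, would make the intent explicit. Because sk-* user types are no longer mapped to an ed25519 host key, the test now relies on `ktypes` (computed outside this hunk) already having been passed through maybe_filter_sk, otherwise ssh-keygen would be asked for an sk host key with no provider configured — presumably true given the test-exec.sh change in this commit, but worth confirming. The enclosing loop continues past the end of the hunk.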
diff --git a/regress/krl.sh b/regress/krl.sh index 1efd80bfe..c381225ed 100644 --- a/regress/krl.sh +++ b/regress/krl.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: krl.sh,v 1.10 2019/11/26 23:43:10 djm Exp $ | 1 | # $OpenBSD: krl.sh,v 1.11 2019/12/16 02:39:05 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="key revocation lists" | 4 | tid="key revocation lists" |
@@ -7,7 +7,7 @@ tid="key revocation lists" | |||
7 | # w/out OpenSSL. Populate ktype[2-4] with the other types if supported. | 7 | # w/out OpenSSL. Populate ktype[2-4] with the other types if supported. |
8 | ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; | 8 | ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; |
9 | ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; | 9 | ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; |
10 | for t in `${SSH} -Q key-plain | maybe_filter_sk`; do | 10 | for t in $SSH_KEYTYPES; do |
11 | case "$t" in | 11 | case "$t" in |
12 | ecdsa*) ktype2=ecdsa ;; | 12 | ecdsa*) ktype2=ecdsa ;; |
13 | ssh-rsa) ktype3=rsa ;; | 13 | ssh-rsa) ktype3=rsa ;; |
diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh index abac05c0c..010a88cd7 100644 --- a/regress/limit-keytype.sh +++ b/regress/limit-keytype.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: limit-keytype.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ | 1 | # $OpenBSD: limit-keytype.sh,v 1.9 2019/12/16 02:39:05 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="restrict pubkey type" | 4 | tid="restrict pubkey type" |
@@ -13,7 +13,7 @@ mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig | |||
13 | 13 | ||
14 | ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; | 14 | ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; |
15 | ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; | 15 | ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; |
16 | for t in `${SSH} -Q key-plain | maybe_filter_sk`; do | 16 | for t in $SSH_KEYTYPES ; do |
17 | case "$t" in | 17 | case "$t" in |
18 | ssh-rsa) ktype2=rsa ;; | 18 | ssh-rsa) ktype2=rsa ;; |
19 | ecdsa*) ktype3=ecdsa ;; # unused | 19 | ecdsa*) ktype3=ecdsa ;; # unused |
diff --git a/regress/principals-command.sh b/regress/principals-command.sh index 9e85e8e75..5e535c133 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: principals-command.sh,v 1.10 2019/12/11 18:47:14 djm Exp $ | 1 | # $OpenBSD: principals-command.sh,v 1.11 2019/12/16 02:39:05 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="authorized principals command" | 4 | tid="authorized principals command" |
@@ -12,7 +12,7 @@ if [ -z "$SUDO" -a ! -w /var/run ]; then | |||
12 | exit 0 | 12 | exit 0 |
13 | fi | 13 | fi |
14 | 14 | ||
15 | case "`${SSH} -Q key-plain`" in | 15 | case "$SSH_KEYTYPES" in |
16 | *ssh-rsa*) userkeytype=rsa ;; | 16 | *ssh-rsa*) userkeytype=rsa ;; |
17 | *) userkeytype=ed25519 ;; | 17 | *) userkeytype=ed25519 ;; |
18 | esac | 18 | esac |
diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 4bf4059fc..03dab2031 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: test-exec.sh,v 1.68 2019/11/26 23:43:10 djm Exp $ | 1 | # $OpenBSD: test-exec.sh,v 1.69 2019/12/16 02:39:05 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | #SUDO=sudo | 4 | #SUDO=sudo |
@@ -493,23 +493,21 @@ export SSH_SK_PROVIDER | |||
493 | if ! test -z "$SSH_SK_PROVIDER"; then | 493 | if ! test -z "$SSH_SK_PROVIDER"; then |
494 | EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)... | 494 | EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)... |
495 | echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config | 495 | echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config |
496 | echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_config | ||
497 | echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_proxy | ||
496 | fi | 498 | fi |
497 | export EXTRA_AGENT_ARGS | 499 | export EXTRA_AGENT_ARGS |
498 | 500 | ||
499 | filter_sk() { | ||
500 | grep -v ^sk | ||
501 | } | ||
502 | |||
503 | maybe_filter_sk() { | 501 | maybe_filter_sk() { |
504 | if test -z "$SSH_SK_PROVIDER" ; then | 502 | if test -z "$SSH_SK_PROVIDER" ; then |
505 | filter_sk | 503 | grep -v ^sk |
506 | else | 504 | else |
507 | cat | 505 | cat |
508 | fi | 506 | fi |
509 | } | 507 | } |
510 | 508 | ||
511 | SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk` | 509 | SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk` |
512 | SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | filter_sk` | 510 | SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk` |
513 | 511 | ||
514 | for t in ${SSH_KEYTYPES}; do | 512 | for t in ${SSH_KEYTYPES}; do |
515 | # generate user key | 513 | # generate user key |
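Review bot: SSH_HOSTKEY_TYPES on new line 510 is now produced by exactly the same pipeline as SSH_KEYTYPES on line 509, so the two can only differ if `$SSH -Q key-plain` is non-deterministic; writing `SSH_HOSTKEY_TYPES=$SSH_KEYTYPES` with a comment such as `# host keys accept the same types as user keys, including sk-* when SSH_SK_PROVIDER is set` records that the identity is intentional and avoids a second fork. Both names should stay, since the other scripts in this commit now read SSH_KEYTYPES while SSH_HOSTKEY_TYPES may still be referenced outside the hunk. maybe_filter_sk is now the only place the `SSH_SK_PROVIDER` check is made, and the new lines 496-497 are what make the server side consistent with it, so a one-line comment on the function tying it to those sshd_config/sshd_proxy additions would help the next reader.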