upstream commit

regress test for PubkeyAcceptedKeyTypes; ok markus@
author: djm@openbsd.org <djm@openbsd.org> 2015-01-13 07:49:49 +0000
committer: Damien Miller <djm@mindrot.org> 2015-01-15 21:39:15 +1100
commit: 0920553d0aee117a596b03ed5b49b280d34a32c5 (patch)
tree: c3095b49a5b99b93bb76c7fd24c1c36e917b3716
parent: 27ca1a5c0095eda151934bca39a77e391f875d17 (diff)
2 files changed, 85 insertions, 2 deletions
diff --git a/regress/Makefile b/regress/Makefile
index dd3b79506..2e068e94a 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.73 2015/01/12 20:13:27 markus Exp $
+#       $OpenBSD: Makefile,v 1.74 2015/01/13 07:49:49 djm Exp $
 REGRESS_TARGETS=        unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
 tests:          $(REGRESS_TARGETS)
@@ -65,7 +65,10 @@ LTESTS= 	connect \
                forward-control \
                integrity \
                krl \
-                multipubkey
+                multipubkey \
+                limit-keytype
 #               dhgex \
 INTEROP_TESTS=  putty-transfer putty-ciphers putty-kex conch-ciphers
diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh
new file mode 100644
index 000000000..2de037bd1
--- /dev/null
+++ b/regress/limit-keytype.sh
@@ -0,0 +1,80 @@
+#       $OpenBSD: limit-keytype.sh,v 1.1 2015/01/13 07:49:49 djm Exp $
+#       Placed in the Public Domain.
+tid="restrict pubkey type"
+rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/user_key*
+rm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key*
+mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
+mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
+# Create a CA key
+${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key ||\
+        fatal "ssh-keygen failed"
+# Make some keys and a certificate.
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \
+        fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key2 || \
+        fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key3 || \
+        fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+        -z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 ||
+                fatal "couldn't sign user_key1"
+# Copy the private key alongside the cert to allow better control of when
+# it is offered.
+mv $OBJ/user_key3-cert.pub $OBJ/cert_user_key3.pub
+cp -p $OBJ/user_key3 $OBJ/cert_user_key3
+grep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy
+opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
+fullopts="$opts -i $OBJ/cert_user_key3 -i $OBJ/user_key1 -i $OBJ/user_key2"
+echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER
+cat $OBJ/user_key2.pub >> $OBJ/authorized_keys_$USER
+prepare_config() {
+        (
+                grep -v "Protocol"  $OBJ/sshd_proxy.orig
+                echo "Protocol 2"
+                echo "AuthenticationMethods publickey"
+                echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+                echo "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
+                for x in "$@" ; do
+                        echo "$x"
+                done
+        ) > $OBJ/sshd_proxy
+}
+prepare_config
+# Check we can log in with all key types.
+${SSH} $opts -i $OBJ/cert_user_key3 proxy true || fatal "cert failed"
+${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
+${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
+# Allow plain Ed25519 and RSA. The certificate should fail.
+verbose "privsep=$privsep allow rsa,ed25519"
+prepare_config "PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519"
+${SSH} $opts -i $OBJ/cert_user_key3 proxy true && fatal "cert succeeded"
+${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
+${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
+# Allow Ed25519 only.
+verbose "privsep=$privsep allow ed25519"
+prepare_config "PubkeyAcceptedKeyTypes ssh-ed25519"
+${SSH} $opts -i $OBJ/cert_user_key3 proxy true && fatal "cert succeeded"
+${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
+${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
+# Allow all certs. Plain keys should fail.
+verbose "privsep=$privsep allow cert only"
+prepare_config "PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com"
+${SSH} $opts -i $OBJ/cert_user_key3 proxy true || fatal "cert failed"
+${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
+${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
author	djm@openbsd.org <djm@openbsd.org>	2015-01-13 07:49:49 +0000
committer	Damien Miller <djm@mindrot.org>	2015-01-15 21:39:15 +1100
commit	0920553d0aee117a596b03ed5b49b280d34a32c5 (patch)
tree	c3095b49a5b99b93bb76c7fd24c1c36e917b3716
parent	27ca1a5c0095eda151934bca39a77e391f875d17 (diff)

diff --git a/regress/Makefile b/regress/Makefile index dd3b79506..2e068e94a 100644 --- a/regress/Makefile +++ b/regress/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.73 2015/01/12 20:13:27 markus Exp $	1	# $OpenBSD: Makefile,v 1.74 2015/01/13 07:49:49 djm Exp $
2		2
3	REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec	3	REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
4	tests: $(REGRESS_TARGETS)	4	tests: $(REGRESS_TARGETS)
@@ -65,7 +65,10 @@ LTESTS= connect \
65	forward-control \	65	forward-control \
66	integrity \	66	integrity \
67	krl \	67	krl \
68	multipubkey	68	multipubkey \
		69	limit-keytype
		70
		71
69	# dhgex \	72	# dhgex \
70		73
71	INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers	74	INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers


diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh new file mode 100644 index 000000000..2de037bd1 --- /dev/null +++ b/regress/limit-keytype.sh
@@ -0,0 +1,80 @@
		1	# $OpenBSD: limit-keytype.sh,v 1.1 2015/01/13 07:49:49 djm Exp $
		2	# Placed in the Public Domain.
		3
		4	tid="restrict pubkey type"
		5
		6	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/user_key*
		7	rm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key*
		8
		9	mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
		10	mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
		11
		12	# Create a CA key
		13	${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \|\|\
		14	fatal "ssh-keygen failed"
		15
		16	# Make some keys and a certificate.
		17	${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 \|\| \
		18	fatal "ssh-keygen failed"
		19	${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key2 \|\| \
		20	fatal "ssh-keygen failed"
		21	${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key3 \|\| \
		22	fatal "ssh-keygen failed"
		23	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
		24	-z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 \|\|
		25	fatal "couldn't sign user_key1"
		26	# Copy the private key alongside the cert to allow better control of when
		27	# it is offered.
		28	mv $OBJ/user_key3-cert.pub $OBJ/cert_user_key3.pub
		29	cp -p $OBJ/user_key3 $OBJ/cert_user_key3
		30
		31	grep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy
		32
		33	opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
		34	fullopts="$opts -i $OBJ/cert_user_key3 -i $OBJ/user_key1 -i $OBJ/user_key2"
		35
		36	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
		37	cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER
		38	cat $OBJ/user_key2.pub >> $OBJ/authorized_keys_$USER
		39
		40	prepare_config() {
		41	(
		42	grep -v "Protocol" $OBJ/sshd_proxy.orig
		43	echo "Protocol 2"
		44	echo "AuthenticationMethods publickey"
		45	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
		46	echo "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
		47	for x in "$@" ; do
		48	echo "$x"
		49	done
		50	) > $OBJ/sshd_proxy
		51	}
		52
		53	prepare_config
		54
		55	# Check we can log in with all key types.
		56	${SSH} $opts -i $OBJ/cert_user_key3 proxy true \|\| fatal "cert failed"
		57	${SSH} $opts -i $OBJ/user_key1 proxy true \|\| fatal "key1 failed"
		58	${SSH} $opts -i $OBJ/user_key2 proxy true \|\| fatal "key2 failed"
		59
		60	# Allow plain Ed25519 and RSA. The certificate should fail.
		61	verbose "privsep=$privsep allow rsa,ed25519"
		62	prepare_config "PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519"
		63	${SSH} $opts -i $OBJ/cert_user_key3 proxy true && fatal "cert succeeded"
		64	${SSH} $opts -i $OBJ/user_key1 proxy true \|\| fatal "key1 failed"
		65	${SSH} $opts -i $OBJ/user_key2 proxy true \|\| fatal "key2 failed"
		66
		67	# Allow Ed25519 only.
		68	verbose "privsep=$privsep allow ed25519"
		69	prepare_config "PubkeyAcceptedKeyTypes ssh-ed25519"
		70	${SSH} $opts -i $OBJ/cert_user_key3 proxy true && fatal "cert succeeded"
		71	${SSH} $opts -i $OBJ/user_key1 proxy true \|\| fatal "key1 failed"
		72	${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
		73
		74	# Allow all certs. Plain keys should fail.
		75	verbose "privsep=$privsep allow cert only"
		76	prepare_config "PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com"
		77	${SSH} $opts -i $OBJ/cert_user_key3 proxy true \|\| fatal "cert failed"
		78	${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
		79	${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
		80