diff options
author | djm@openbsd.org <djm@openbsd.org> | 2015-01-19 06:01:32 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2015-01-20 00:26:13 +1100 |
commit | d85e06245907d49a2cd0cfa0abf59150ad616f42 (patch) | |
tree | 0d59921c7b193e52786741cdb8215a0f645cd81b | |
parent | 7947810eab5fe0ad311f32a48f4d4eb1f71be6cf (diff) |
upstream commit
be a bit more careful in these tests to ensure that
known_hosts is clean
-rw-r--r-- | regress/cert-hostkey.sh | 26 | ||||
-rw-r--r-- | regress/hostkey-agent.sh | 17 |
2 files changed, 25 insertions, 18 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index baaa35b2c..51685dc2b 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh | |||
@@ -1,9 +1,9 @@ | |||
1 | # $OpenBSD: cert-hostkey.sh,v 1.10 2014/12/04 22:31:50 djm Exp $ | 1 | # $OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="certified host keys" | 4 | tid="certified host keys" |
5 | 5 | ||
6 | rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/host_revoked_* | 6 | rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_* |
7 | rm -f $OBJ/cert_host_key* $OBJ/host_krl_* | 7 | rm -f $OBJ/cert_host_key* $OBJ/host_krl_* |
8 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | 8 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
9 | 9 | ||
@@ -16,7 +16,8 @@ ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\ | |||
16 | printf '@cert-authority ' | 16 | printf '@cert-authority ' |
17 | printf "$HOSTS " | 17 | printf "$HOSTS " |
18 | cat $OBJ/host_ca_key.pub | 18 | cat $OBJ/host_ca_key.pub |
19 | ) > $OBJ/known_hosts-cert | 19 | ) > $OBJ/known_hosts-cert.orig |
20 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | ||
20 | 21 | ||
21 | # Plain text revocation files | 22 | # Plain text revocation files |
22 | touch $OBJ/host_revoked_empty | 23 | touch $OBJ/host_revoked_empty |
@@ -79,6 +80,7 @@ attempt_connect() { | |||
79 | _expect_success="$2" | 80 | _expect_success="$2" |
80 | shift; shift | 81 | shift; shift |
81 | verbose "$tid: $_ident expect success $_expect_success" | 82 | verbose "$tid: $_ident expect success $_expect_success" |
83 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | ||
82 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 84 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
83 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 85 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ |
84 | "$@" -F $OBJ/ssh_proxy somehost true | 86 | "$@" -F $OBJ/ssh_proxy somehost true |
@@ -135,7 +137,8 @@ done | |||
135 | test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey" | 137 | test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey" |
136 | printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n" | 138 | printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n" |
137 | done | 139 | done |
138 | ) > $OBJ/known_hosts-cert | 140 | ) > $OBJ/known_hosts-cert.orig |
141 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | ||
139 | for privsep in yes no ; do | 142 | for privsep in yes no ; do |
140 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do | 143 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do |
141 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" | 144 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" |
@@ -146,6 +149,7 @@ for privsep in yes no ; do | |||
146 | echo UsePrivilegeSeparation $privsep | 149 | echo UsePrivilegeSeparation $privsep |
147 | ) > $OBJ/sshd_proxy | 150 | ) > $OBJ/sshd_proxy |
148 | 151 | ||
152 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | ||
149 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 153 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
150 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 154 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ |
151 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 155 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
@@ -163,7 +167,8 @@ done | |||
163 | printf '@revoked ' | 167 | printf '@revoked ' |
164 | printf "* " | 168 | printf "* " |
165 | cat $OBJ/host_ca_key.pub | 169 | cat $OBJ/host_ca_key.pub |
166 | ) > $OBJ/known_hosts-cert | 170 | ) > $OBJ/known_hosts-cert.orig |
171 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | ||
167 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do | 172 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do |
168 | verbose "$tid: host ${ktype} revoked cert" | 173 | verbose "$tid: host ${ktype} revoked cert" |
169 | ( | 174 | ( |
@@ -171,6 +176,7 @@ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do | |||
171 | echo HostKey $OBJ/cert_host_key_${ktype} | 176 | echo HostKey $OBJ/cert_host_key_${ktype} |
172 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub | 177 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub |
173 | ) > $OBJ/sshd_proxy | 178 | ) > $OBJ/sshd_proxy |
179 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | ||
174 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 180 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
175 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 181 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ |
176 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 182 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
@@ -184,7 +190,8 @@ done | |||
184 | printf '@cert-authority ' | 190 | printf '@cert-authority ' |
185 | printf "$HOSTS " | 191 | printf "$HOSTS " |
186 | cat $OBJ/host_ca_key.pub | 192 | cat $OBJ/host_ca_key.pub |
187 | ) > $OBJ/known_hosts-cert | 193 | ) > $OBJ/known_hosts-cert.orig |
194 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | ||
188 | 195 | ||
189 | test_one() { | 196 | test_one() { |
190 | ident=$1 | 197 | ident=$1 |
@@ -209,6 +216,7 @@ test_one() { | |||
209 | echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub | 216 | echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub |
210 | ) > $OBJ/sshd_proxy | 217 | ) > $OBJ/sshd_proxy |
211 | 218 | ||
219 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | ||
212 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 220 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
213 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 221 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ |
214 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 222 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
@@ -271,7 +279,8 @@ done | |||
271 | printf '@cert-authority ' | 279 | printf '@cert-authority ' |
272 | printf "$HOSTS " | 280 | printf "$HOSTS " |
273 | cat $OBJ/host_ca_key.pub | 281 | cat $OBJ/host_ca_key.pub |
274 | ) > $OBJ/known_hosts-cert | 282 | ) > $OBJ/known_hosts-cert.orig |
283 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | ||
275 | for v in v01 v00 ; do | 284 | for v in v01 v00 ; do |
276 | for kt in $PLAIN_TYPES ; do | 285 | for kt in $PLAIN_TYPES ; do |
277 | type_has_legacy $kt || continue | 286 | type_has_legacy $kt || continue |
@@ -291,6 +300,7 @@ for v in v01 v00 ; do | |||
291 | echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub | 300 | echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub |
292 | ) > $OBJ/sshd_proxy | 301 | ) > $OBJ/sshd_proxy |
293 | 302 | ||
303 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | ||
294 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 304 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
295 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 305 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ |
296 | -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 | 306 | -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 |
@@ -300,4 +310,4 @@ for v in v01 v00 ; do | |||
300 | done | 310 | done |
301 | done | 311 | done |
302 | 312 | ||
303 | rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* | 313 | rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key* |
diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh index 4562f42af..84fb2c2d2 100644 --- a/regress/hostkey-agent.sh +++ b/regress/hostkey-agent.sh | |||
@@ -1,12 +1,9 @@ | |||
1 | # $OpenBSD: hostkey-agent.sh,v 1.1 2015/01/17 18:54:30 djm Exp $ | 1 | # $OpenBSD: hostkey-agent.sh,v 1.2 2015/01/19 06:01:32 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="hostkey agent" | 4 | tid="hostkey agent" |
5 | 5 | ||
6 | # Need full names here since they are used in HostKeyAlgorithms | 6 | rm -f $OBJ/agent.* $OBJ/ssh_proxy.orig $OBJ/known_hosts.orig |
7 | HOSTKEY_TYPES="ecdsa-sha2-nistp256 ssh-ed25519 ssh-rsa ssh-dss" | ||
8 | |||
9 | rm -f $OBJ/agent.* $OBJ/ssh_proxy.orig | ||
10 | 7 | ||
11 | trace "start agent" | 8 | trace "start agent" |
12 | eval `${SSHAGENT} -s` > /dev/null | 9 | eval `${SSHAGENT} -s` > /dev/null |
@@ -15,31 +12,31 @@ r=$? | |||
15 | 12 | ||
16 | grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig | 13 | grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig |
17 | echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig | 14 | echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig |
18 | echo "LogLevel debug3" >> $OBJ/sshd_proxy.orig | ||
19 | rm $OBJ/known_hosts | ||
20 | 15 | ||
21 | trace "load hostkeys" | 16 | trace "load hostkeys" |
22 | for k in $HOSTKEY_TYPES ; do | 17 | for k in `${SSH} -Q key-plain` ; do |
23 | ${SSHKEYGEN} -qt $k -f $OBJ/agent.$k -N '' || fatal "ssh-keygen $k" | 18 | ${SSHKEYGEN} -qt $k -f $OBJ/agent.$k -N '' || fatal "ssh-keygen $k" |
24 | ( | 19 | ( |
25 | echo -n 'localhost-with-alias,127.0.0.1,::1 ' | 20 | echo -n 'localhost-with-alias,127.0.0.1,::1 ' |
26 | cat $OBJ/agent.$k.pub | 21 | cat $OBJ/agent.$k.pub |
27 | ) >> $OBJ/known_hosts | 22 | ) >> $OBJ/known_hosts.orig |
28 | ${SSHADD} $OBJ/agent.$k >/dev/null 2>&1 || \ | 23 | ${SSHADD} $OBJ/agent.$k >/dev/null 2>&1 || \ |
29 | fatal "couldn't load key $OBJ/agent.$k" | 24 | fatal "couldn't load key $OBJ/agent.$k" |
30 | echo "Hostkey $OBJ/agent.${k}" >> sshd_proxy.orig | 25 | echo "Hostkey $OBJ/agent.${k}" >> sshd_proxy.orig |
31 | # Remove private key so the server can't use it. | 26 | # Remove private key so the server can't use it. |
32 | rm $OBJ/agent.$k || fatal "couldn't rm $OBJ/agent.$k" | 27 | rm $OBJ/agent.$k || fatal "couldn't rm $OBJ/agent.$k" |
33 | done | 28 | done |
29 | cp $OBJ/known_hosts.orig $OBJ/known_hosts | ||
34 | 30 | ||
35 | unset SSH_AUTH_SOCK | 31 | unset SSH_AUTH_SOCK |
36 | 32 | ||
37 | for ps in no yes; do | 33 | for ps in no yes; do |
38 | cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy | 34 | cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy |
39 | echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy | 35 | echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy |
40 | for k in $HOSTKEY_TYPES ; do | 36 | for k in `${SSH} -Q key-plain` ; do |
41 | verbose "key type $k privsep=$ps" | 37 | verbose "key type $k privsep=$ps" |
42 | opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy" | 38 | opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy" |
39 | cp $OBJ/known_hosts.orig $OBJ/known_hosts | ||
43 | SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'` | 40 | SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'` |
44 | if [ $? -ne 0 ]; then | 41 | if [ $? -ne 0 ]; then |
45 | fail "protocol $p privsep=$ps failed" | 42 | fail "protocol $p privsep=$ps failed" |