authordtucker@openbsd.org <dtucker@openbsd.org>2019-08-30 05:08:28 +0000
committerDarren Tucker <dtucker@dtucker.net>2019-08-30 15:56:42 +1000
commite50f808712393e86d69e42e9847cdf8d473412d7 (patch)
tree1236ecf9c2673fca7660695b11533eaa8ca5b781
parent5e4796c47dd8d6c38fb2ff0b3e817525fed6040d (diff)
upstream: Use ed25519 for most hostkey rotation tests since it's
supported even when built without OpenSSL. Use RSA for the secondary type test if supported, otherwise skip it. Fixes this test for !OpenSSL builds. OpenBSD-Regress-ID: 101cb34a84fd974c623bdb2e496f25a6e91be109
-rw-r--r--regress/hostkey-rotate.sh74
1 files changed, 44 insertions, 30 deletions
diff --git a/regress/hostkey-rotate.sh b/regress/hostkey-rotate.sh
index d69de3255..cc6bd9cf6 100644
--- a/regress/hostkey-rotate.sh
+++ b/regress/hostkey-rotate.sh
@@ -1,10 +1,10 @@
1# $OpenBSD: hostkey-rotate.sh,v 1.5 2015/09/04 04:23:10 djm Exp $ 1# $OpenBSD: hostkey-rotate.sh,v 1.6 2019/08/30 05:08:28 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="hostkey rotate" 4tid="hostkey rotate"
5 5
6# Need full names here since they are used in HostKeyAlgorithms 6# Need full names here since they are used in HostKeyAlgorithms
7HOSTKEY_TYPES="ecdsa-sha2-nistp256 ssh-ed25519 ssh-rsa ssh-dss" 7HOSTKEY_TYPES="`${SSH} -Q key-plain`"
8 8
9rm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig 9rm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig
10 10
@@ -12,15 +12,23 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
12echo "UpdateHostkeys=yes" >> $OBJ/ssh_proxy 12echo "UpdateHostkeys=yes" >> $OBJ/ssh_proxy
13rm $OBJ/known_hosts 13rm $OBJ/known_hosts
14 14
15# The "primary" key type is ed25519 since it's supported even when built
16# without OpenSSL. The secondary is RSA if it's supported.
17primary="ssh-ed25519"
18secondary="$primary"
19
15trace "prepare hostkeys" 20trace "prepare hostkeys"
16nkeys=0 21nkeys=0
17all_algs="" 22all_algs=""
18for k in `${SSH} -Q key-plain` ; do 23for k in $HOSTKEY_TYPES; do
19 ${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k" 24 ${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k"
20 echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig 25 echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig
21 nkeys=`expr $nkeys + 1` 26 nkeys=`expr $nkeys + 1`
22 test "x$all_algs" = "x" || all_algs="${all_algs}," 27 test "x$all_algs" = "x" || all_algs="${all_algs},"
23 all_algs="${all_algs}$k" 28 all_algs="${all_algs}$k"
29 case "$k" in
30 ssh-rsa) secondary="ssh-rsa" ;;
31 esac
24done 32done
25 33
26dossh() { 34dossh() {
@@ -49,62 +57,68 @@ cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
49# Connect to sshd with StrictHostkeyChecking=no 57# Connect to sshd with StrictHostkeyChecking=no
50verbose "learn hostkey with StrictHostKeyChecking=no" 58verbose "learn hostkey with StrictHostKeyChecking=no"
51>$OBJ/known_hosts 59>$OBJ/known_hosts
52dossh -oHostKeyAlgorithms=ssh-ed25519 -oStrictHostKeyChecking=no 60dossh -oHostKeyAlgorithms=$primary -oStrictHostKeyChecking=no
53# Verify no additional keys learned 61# Verify no additional keys learned
54expect_nkeys 1 "unstrict connect keys" 62expect_nkeys 1 "unstrict connect keys"
55check_key_present ssh-ed25519 || fail "unstrict didn't learn key" 63check_key_present $primary || fail "unstrict didn't learn key"
56 64
57# Connect to sshd as usual 65# Connect to sshd as usual
58verbose "learn additional hostkeys" 66verbose "learn additional hostkeys"
59dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs 67dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs
60# Check that other keys learned 68# Check that other keys learned
61expect_nkeys $nkeys "learn hostkeys" 69expect_nkeys $nkeys "learn hostkeys"
62check_key_present ssh-rsa || fail "didn't learn keys" 70for k in $HOSTKEY_TYPES; do
71 check_key_present $k || fail "didn't learn keytype $k"
72done
63 73
64# Check each key type 74# Check each key type
65for k in `${SSH} -Q key-plain` ; do 75for k in $HOSTKEY_TYPES; do
66 verbose "learn additional hostkeys, type=$k" 76 verbose "learn additional hostkeys, type=$k"
67 dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs 77 dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs
68 expect_nkeys $nkeys "learn hostkeys $k" 78 expect_nkeys $nkeys "learn hostkeys $k"
69 check_key_present $k || fail "didn't learn $k" 79 check_key_present $k || fail "didn't learn $k correctly"
70done 80done
71 81
72# Change one hostkey (non primary) and relearn 82# Change one hostkey (non primary) and relearn
73verbose "learn changed non-primary hostkey" 83if [ "$primary" != "$secondary" ]; then
74mv $OBJ/hkr.ssh-rsa.pub $OBJ/hkr.ssh-rsa.pub.old 84 verbose "learn changed non-primary hostkey type=${secondary}"
75rm -f $OBJ/hkr.ssh-rsa 85 mv $OBJ/hkr.${secondary}.pub $OBJ/hkr.${secondary}.pub.old
76${SSHKEYGEN} -qt ssh-rsa -f $OBJ/hkr.ssh-rsa -N '' || fatal "ssh-keygen $k" 86 rm -f $OBJ/hkr.${secondary}
77dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs 87 ${SSHKEYGEN} -qt ${secondary} -f $OBJ/hkr.${secondary} -N '' || \
78# Check that the key was replaced 88 fatal "ssh-keygen $secondary"
79expect_nkeys $nkeys "learn hostkeys" 89 dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs
80check_key_present ssh-rsa $OBJ/hkr.ssh-rsa.pub.old && fail "old key present" 90 # Check that the key was replaced
81check_key_present ssh-rsa || fail "didn't learn changed key" 91 expect_nkeys $nkeys "learn hostkeys"
92 check_key_present ${secondary} $OBJ/hkr.${secondary}.pub.old && \
93 fail "old key present"
94 check_key_present ${secondary} || fail "didn't learn changed key"
95fi
82 96
83# Add new hostkey (primary type) to sshd and connect 97# Add new hostkey (primary type) to sshd and connect
84verbose "learn new primary hostkey" 98verbose "learn new primary hostkey"
85${SSHKEYGEN} -qt ssh-rsa -f $OBJ/hkr.ssh-rsa-new -N '' || fatal "ssh-keygen $k" 99${SSHKEYGEN} -qt ${primary} -f $OBJ/hkr.${primary}-new -N '' || fatal "ssh-keygen ed25519"
86( cat $OBJ/sshd_proxy.orig ; echo HostKey $OBJ/hkr.ssh-rsa-new ) \ 100( cat $OBJ/sshd_proxy.orig ; echo HostKey $OBJ/hkr.${primary}-new ) \
87 > $OBJ/sshd_proxy 101 > $OBJ/sshd_proxy
88# Check new hostkey added 102# Check new hostkey added
89dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa,$all_algs 103dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=${primary},$all_algs
90expect_nkeys `expr $nkeys + 1` "learn hostkeys" 104expect_nkeys `expr $nkeys + 1` "learn hostkeys"
91check_key_present ssh-rsa || fail "current key missing" 105check_key_present ${primary} || fail "current key missing"
92check_key_present ssh-rsa $OBJ/hkr.ssh-rsa-new.pub || fail "new key missing" 106check_key_present ${primary} $OBJ/hkr.${primary}-new.pub || fail "new key missing"
93 107
94# Remove old hostkey (primary type) from sshd 108# Remove old hostkey (primary type) from sshd
95verbose "rotate primary hostkey" 109verbose "rotate primary hostkey"
96cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy 110cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
97mv $OBJ/hkr.ssh-rsa.pub $OBJ/hkr.ssh-rsa.pub.old 111mv $OBJ/hkr.${primary}.pub $OBJ/hkr.${primary}.pub.old
98mv $OBJ/hkr.ssh-rsa-new.pub $OBJ/hkr.ssh-rsa.pub 112mv $OBJ/hkr.${primary}-new.pub $OBJ/hkr.${primary}.pub
99mv $OBJ/hkr.ssh-rsa-new $OBJ/hkr.ssh-rsa 113mv $OBJ/hkr.${primary}-new $OBJ/hkr.${primary}
100# Check old hostkey removed 114# Check old hostkey removed
101dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa,$all_algs 115dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=${primary},$all_algs
102expect_nkeys $nkeys "learn hostkeys" 116expect_nkeys $nkeys "learn hostkeys"
103check_key_present ssh-rsa $OBJ/hkr.ssh-rsa.pub.old && fail "old key present" 117check_key_present ${primary} $OBJ/hkr.${primary}.pub.old && fail "old key present"
104check_key_present ssh-rsa || fail "didn't learn changed key" 118check_key_present ${primary} || fail "didn't learn changed key"
105 119
106# Connect again, forcing rotated key 120# Connect again, forcing rotated key
107verbose "check rotate primary hostkey" 121verbose "check rotate primary hostkey"
108dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa 122dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=${primary}
109expect_nkeys 1 "learn hostkeys" 123expect_nkeys 1 "learn hostkeys"
110check_key_present ssh-rsa || fail "didn't learn changed key" 124check_key_present ${primary} || fail "didn't learn changed key"