* New upstream release (LP: #535029).

- After a transition period of about 10 years, this release disables SSH protocol 1 by default. Clients and servers that need to use the legacy protocol must explicitly enable it in ssh_config / sshd_config or on the command-line. - Remove the libsectok/OpenSC-based smartcard code and add support for PKCS#11 tokens. This support is enabled by default in the Debian packaging, since it now doesn't involve additional library dependencies (closes: #231472, LP: #16918). - Add support for certificate authentication of users and hosts using a new, minimal OpenSSH certificate format (closes: #482806). - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...". - Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian package, this overlaps with the key blacklisting facility added in openssh 1:4.7p1-9, but with different file formats and slightly different scopes; for the moment, I've roughly merged the two.) - Various multiplexing improvements, including support for requesting port-forwardings via the multiplex protocol (closes: #360151). - Allow setting an explicit umask on the sftp-server(8) commandline to override whatever default the user has (closes: #496843). - Many sftp client improvements, including tab-completion, more options, and recursive transfer support for get/put (LP: #33378). The old mget/mput commands never worked properly and have been removed (closes: #270399, #428082). - Do not prompt for a passphrase if we fail to open a keyfile, and log the reason why the open failed to debug (closes: #431538). - Prevent sftp from crashing when given a "-" without a command. Also, allow whitespace to follow a "-" (closes: #531561).
author: Colin Watson <cjwatson@debian.org> 2010-03-31 10:46:28 +0100
committer: Colin Watson <cjwatson@debian.org> 2010-03-31 10:46:28 +0100
commit: efd3d4522636ae029488c2e9730b60c88e257d2e (patch)
tree: 31e02ac3f16090ce8c53448677356b2b7f423683 /regress/agent-pkcs11.sh
parent: bbec4db36d464ea1d464a707625125f9fd5c7b5e (diff)
parent: d1a87e462e1db89f19cd960588d0c6b287cb5ccc (diff)
1 files changed, 69 insertions, 0 deletions
diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh
new file mode 100644
index 000000000..db33ab37e
--- /dev/null
+++ b/regress/agent-pkcs11.sh
@@ -0,0 +1,69 @@
+#       $OpenBSD: agent-pkcs11.sh,v 1.1 2010/02/08 10:52:47 markus Exp $
+#       Placed in the Public Domain.
+tid="pkcs11 agent test"
+TEST_SSH_PIN=""
+TEST_SSH_PKCS11=/usr/local/lib/soft-pkcs11.so.0.0
+# setup environment for soft-pkcs11 token
+SOFTPKCS11RC=$OBJ/pkcs11.info
+export SOFTPKCS11RC
+# prevent ssh-agent from calling ssh-askpass
+SSH_ASKPASS=/usr/bin/true
+export SSH_ASKPASS
+unset DISPLAY
+# start command w/o tty, so ssh-add accepts pin from stdin
+notty() {
+        perl -e 'use POSIX; POSIX::setsid(); 
+            if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
+}
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+        fail "could not start ssh-agent: exit code $r"
+else
+        trace "generating key/cert"
+        rm -f $OBJ/pkcs11.key $OBJ/pkcs11.crt
+        openssl genrsa -out $OBJ/pkcs11.key 2048 > /dev/null 2>&1
+        chmod 600 $OBJ/pkcs11.key 
+        openssl req -key $OBJ/pkcs11.key -new -x509 \
+            -out $OBJ/pkcs11.crt -text -subj '/CN=pkcs11 test' > /dev/null
+        printf "a\ta\t$OBJ/pkcs11.crt\t$OBJ/pkcs11.key" > $SOFTPKCS11RC
+        # add to authorized keys
+        ${SSHKEYGEN} -y -f $OBJ/pkcs11.key > $OBJ/authorized_keys_$USER
+        trace "add pkcs11 key to agent"
+        echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
+        r=$?
+        if [ $r -ne 0 ]; then
+                fail "ssh-add -s failed: exit code $r"
+        fi
+        trace "pkcs11 list via agent"
+        ${SSHADD} -l > /dev/null 2>&1
+        r=$?
+        if [ $r -ne 0 ]; then
+                fail "ssh-add -l failed: exit code $r"
+        fi
+        trace "pkcs11 connect via agent"
+        ${SSH} -2 -F $OBJ/ssh_proxy somehost exit 5
+        r=$?
+        if [ $r -ne 5 ]; then
+                fail "ssh connect failed (exit code $r)"
+        fi
+        trace "remove pkcs11 keys"
+        echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
+        r=$?
+        if [ $r -ne 0 ]; then
+                fail "ssh-add -e failed: exit code $r"
+        fi
+        trace "kill agent"
+        ${SSHAGENT} -k > /dev/null
+fi
author	Colin Watson <cjwatson@debian.org>	2010-03-31 10:46:28 +0100
committer	Colin Watson <cjwatson@debian.org>	2010-03-31 10:46:28 +0100
commit	efd3d4522636ae029488c2e9730b60c88e257d2e (patch)
tree	31e02ac3f16090ce8c53448677356b2b7f423683 /regress/agent-pkcs11.sh
parent	bbec4db36d464ea1d464a707625125f9fd5c7b5e (diff)
parent	d1a87e462e1db89f19cd960588d0c6b287cb5ccc (diff)

diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh new file mode 100644 index 000000000..db33ab37e --- /dev/null +++ b/regress/agent-pkcs11.sh
@@ -0,0 +1,69 @@
	1	# $OpenBSD: agent-pkcs11.sh,v 1.1 2010/02/08 10:52:47 markus Exp $
	2	# Placed in the Public Domain.
	3
	4	tid="pkcs11 agent test"
	5
	6	TEST_SSH_PIN=""
	7	TEST_SSH_PKCS11=/usr/local/lib/soft-pkcs11.so.0.0
	8
	9	# setup environment for soft-pkcs11 token
	10	SOFTPKCS11RC=$OBJ/pkcs11.info
	11	export SOFTPKCS11RC
	12	# prevent ssh-agent from calling ssh-askpass
	13	SSH_ASKPASS=/usr/bin/true
	14	export SSH_ASKPASS
	15	unset DISPLAY
	16
	17	# start command w/o tty, so ssh-add accepts pin from stdin
	18	notty() {
	19	perl -e 'use POSIX; POSIX::setsid();
	20	if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
	21	}
	22
	23	trace "start agent"
	24	eval `${SSHAGENT} -s` > /dev/null
	25	r=$?
	26	if [ $r -ne 0 ]; then
	27	fail "could not start ssh-agent: exit code $r"
	28	else
	29	trace "generating key/cert"
	30	rm -f $OBJ/pkcs11.key $OBJ/pkcs11.crt
	31	openssl genrsa -out $OBJ/pkcs11.key 2048 > /dev/null 2>&1
	32	chmod 600 $OBJ/pkcs11.key
	33	openssl req -key $OBJ/pkcs11.key -new -x509 \
	34	-out $OBJ/pkcs11.crt -text -subj '/CN=pkcs11 test' > /dev/null
	35	printf "a\ta\t$OBJ/pkcs11.crt\t$OBJ/pkcs11.key" > $SOFTPKCS11RC
	36	# add to authorized keys
	37	${SSHKEYGEN} -y -f $OBJ/pkcs11.key > $OBJ/authorized_keys_$USER
	38
	39	trace "add pkcs11 key to agent"
	40	echo ${TEST_SSH_PIN} \| notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
	41	r=$?
	42	if [ $r -ne 0 ]; then
	43	fail "ssh-add -s failed: exit code $r"
	44	fi
	45
	46	trace "pkcs11 list via agent"
	47	${SSHADD} -l > /dev/null 2>&1
	48	r=$?
	49	if [ $r -ne 0 ]; then
	50	fail "ssh-add -l failed: exit code $r"
	51	fi
	52
	53	trace "pkcs11 connect via agent"
	54	${SSH} -2 -F $OBJ/ssh_proxy somehost exit 5
	55	r=$?
	56	if [ $r -ne 5 ]; then
	57	fail "ssh connect failed (exit code $r)"
	58	fi
	59
	60	trace "remove pkcs11 keys"
	61	echo ${TEST_SSH_PIN} \| notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
	62	r=$?
	63	if [ $r -ne 0 ]; then
	64	fail "ssh-add -e failed: exit code $r"
	65	fi
	66
	67	trace "kill agent"
	68	${SSHAGENT} -k > /dev/null
	69	fi