* New upstream release (LP: #535029).

- After a transition period of about 10 years, this release disables SSH protocol 1 by default. Clients and servers that need to use the legacy protocol must explicitly enable it in ssh_config / sshd_config or on the command-line. - Remove the libsectok/OpenSC-based smartcard code and add support for PKCS#11 tokens. This support is enabled by default in the Debian packaging, since it now doesn't involve additional library dependencies (closes: #231472, LP: #16918). - Add support for certificate authentication of users and hosts using a new, minimal OpenSSH certificate format (closes: #482806). - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...". - Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian package, this overlaps with the key blacklisting facility added in openssh 1:4.7p1-9, but with different file formats and slightly different scopes; for the moment, I've roughly merged the two.) - Various multiplexing improvements, including support for requesting port-forwardings via the multiplex protocol (closes: #360151). - Allow setting an explicit umask on the sftp-server(8) commandline to override whatever default the user has (closes: #496843). - Many sftp client improvements, including tab-completion, more options, and recursive transfer support for get/put (LP: #33378). The old mget/mput commands never worked properly and have been removed (closes: #270399, #428082). - Do not prompt for a passphrase if we fail to open a keyfile, and log the reason why the open failed to debug (closes: #431538). - Prevent sftp from crashing when given a "-" without a command. Also, allow whitespace to follow a "-" (closes: #531561).
author: Colin Watson <cjwatson@debian.org> 2010-03-31 10:46:28 +0100
committer: Colin Watson <cjwatson@debian.org> 2010-03-31 10:46:28 +0100
commit: efd3d4522636ae029488c2e9730b60c88e257d2e (patch)
tree: 31e02ac3f16090ce8c53448677356b2b7f423683 /regress/cert-hostkey.sh
parent: bbec4db36d464ea1d464a707625125f9fd5c7b5e (diff)
parent: d1a87e462e1db89f19cd960588d0c6b287cb5ccc (diff)
1 files changed, 211 insertions, 0 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
new file mode 100644
index 000000000..3fda667cb
--- /dev/null
+++ b/regress/cert-hostkey.sh
@@ -0,0 +1,211 @@
+#       $OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
+#       Placed in the Public Domain.
+tid="certified host keys"
+rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+HOSTS='localhost-with-alias,127.0.0.1,::1'
+# Create a CA key and add it to known hosts
+${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/host_ca_key ||\
+        fail "ssh-keygen of host_ca_key failed"
+(
+        echon '@cert-authority '
+        echon "$HOSTS "
+        cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+# Generate and sign host keys
+for ktype in rsa dsa ; do 
+        verbose "$tid: sign host ${ktype} cert"
+        # Generate and sign a host key
+        ${SSHKEYGEN} -q -N '' -t ${ktype} \
+            -f $OBJ/cert_host_key_${ktype} || \
+                fail "ssh-keygen of cert_host_key_${ktype} failed"
+        ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \
+            -I "regress host key for $USER" \
+            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+                fail "couldn't sign cert_host_key_${ktype}"
+done
+# Basic connect tests
+for privsep in yes no ; do
+        for ktype in rsa dsa ; do 
+                verbose "$tid: host ${ktype} cert connect privsep $privsep"
+                (
+                        cat $OBJ/sshd_proxy_bak
+                        echo HostKey $OBJ/cert_host_key_${ktype}
+                        echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+                        echo UsePrivilegeSeparation $privsep
+                ) > $OBJ/sshd_proxy
+                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                        -F $OBJ/ssh_proxy somehost true
+                if [ $? -ne 0 ]; then
+                        fail "ssh cert connect failed"
+                fi
+        done
+done
+# Revoked certificates with key present
+(
+        echon '@cert-authority '
+        echon "$HOSTS "
+        cat $OBJ/host_ca_key.pub
+        echon '@revoked '
+        echon "* "
+        cat $OBJ/cert_host_key_rsa.pub
+        echon '@revoked '
+        echon "* "
+        cat $OBJ/cert_host_key_dsa.pub
+) > $OBJ/known_hosts-cert
+for privsep in yes no ; do
+        for ktype in rsa dsa ; do 
+                verbose "$tid: host ${ktype} revoked cert privsep $privsep"
+                (
+                        cat $OBJ/sshd_proxy_bak
+                        echo HostKey $OBJ/cert_host_key_${ktype}
+                        echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+                        echo UsePrivilegeSeparation $privsep
+                ) > $OBJ/sshd_proxy
+                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                        -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                if [ $? -eq 0 ]; then
+                        fail "ssh cert connect succeeded unexpectedly"
+                fi
+        done
+done
+# Revoked CA
+(
+        echon '@cert-authority '
+        echon "$HOSTS "
+        cat $OBJ/host_ca_key.pub
+        echon '@revoked '
+        echon "* "
+        cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+for ktype in rsa dsa ; do 
+        verbose "$tid: host ${ktype} revoked cert"
+        (
+                cat $OBJ/sshd_proxy_bak
+                echo HostKey $OBJ/cert_host_key_${ktype}
+                echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+        ) > $OBJ/sshd_proxy
+        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+        if [ $? -eq 0 ]; then
+                fail "ssh cert connect succeeded unexpectedly"
+        fi
+done
+# Create a CA key and add it to known hosts
+(
+        echon '@cert-authority '
+        echon "$HOSTS "
+        cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+test_one() {
+        ident=$1
+        result=$2
+        sign_opts=$3
+        
+        verbose "$tid: test host cert connect $ident expect $result"
+        ${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
+            $sign_opts \
+            $OBJ/cert_host_key_rsa ||
+                fail "couldn't sign cert_host_key_rsa"
+        (
+                cat $OBJ/sshd_proxy_bak
+                echo HostKey $OBJ/cert_host_key_rsa
+                echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub
+        ) > $OBJ/sshd_proxy
+        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+        rc=$?
+        if [ "x$result" = "xsuccess" ] ; then
+                if [ $rc -ne 0 ]; then
+                        fail "ssh cert connect $ident failed unexpectedly"
+                fi
+        else
+                if [ $rc -eq 0 ]; then
+                        fail "ssh cert connect $ident succeeded unexpectedly"
+                fi
+        fi
+}
+test_one "user-certificate"     failure "-n $HOSTS"
+test_one "empty principals"     success "-h"
+test_one "wrong principals"     failure "-h -n foo"
+test_one "cert not yet valid"   failure "-h -V20200101:20300101"
+test_one "cert expired"         failure "-h -V19800101:19900101"
+test_one "cert valid interval"  success "-h -V-1w:+2w"
+test_one "cert has constraints" failure "-h -Oforce-command=false"
+# Check downgrade of cert to raw key when no CA found
+rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
+for ktype in rsa dsa ; do 
+        verbose "$tid: host ${ktype} cert downgrade to raw key"
+        # Generate and sign a host key
+        ${SSHKEYGEN} -q -N '' -t ${ktype} \
+            -f $OBJ/cert_host_key_${ktype} || \
+                fail "ssh-keygen of cert_host_key_${ktype} failed"
+        ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
+            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+                fail "couldn't sign cert_host_key_${ktype}"
+        (
+                echon "$HOSTS "
+                cat $OBJ/cert_host_key_${ktype}.pub
+        ) > $OBJ/known_hosts-cert
+        (
+                cat $OBJ/sshd_proxy_bak
+                echo HostKey $OBJ/cert_host_key_${ktype}
+                echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+        ) > $OBJ/sshd_proxy
+        
+        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                -F $OBJ/ssh_proxy somehost true
+        if [ $? -ne 0 ]; then
+                fail "ssh cert connect failed"
+        fi
+done
+# Wrong certificate
+(
+        echon '@cert-authority '
+        echon "$HOSTS "
+        cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+for ktype in rsa dsa ; do 
+        # Self-sign key
+        ${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \
+            -I "regress host key for $USER" \
+            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+                fail "couldn't sign cert_host_key_${ktype}"
+        verbose "$tid: host ${ktype} connect wrong cert"
+        (
+                cat $OBJ/sshd_proxy_bak
+                echo HostKey $OBJ/cert_host_key_${ktype}
+                echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+        ) > $OBJ/sshd_proxy
+        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+        if [ $? -eq 0 ]; then
+                fail "ssh cert connect $ident succeeded unexpectedly"
+        fi
+done
+rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
author	Colin Watson <cjwatson@debian.org>	2010-03-31 10:46:28 +0100
committer	Colin Watson <cjwatson@debian.org>	2010-03-31 10:46:28 +0100
commit	efd3d4522636ae029488c2e9730b60c88e257d2e (patch)
tree	31e02ac3f16090ce8c53448677356b2b7f423683 /regress/cert-hostkey.sh
parent	bbec4db36d464ea1d464a707625125f9fd5c7b5e (diff)
parent	d1a87e462e1db89f19cd960588d0c6b287cb5ccc (diff)

diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh new file mode 100644 index 000000000..3fda667cb --- /dev/null +++ b/regress/cert-hostkey.sh
@@ -0,0 +1,211 @@
	1	# $OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
	2	# Placed in the Public Domain.
	3
	4	tid="certified host keys"
	5
	6	rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
	7	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
	8
	9	HOSTS='localhost-with-alias,127.0.0.1,::1'
	10
	11	# Create a CA key and add it to known hosts
	12	${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key \|\|\
	13	fail "ssh-keygen of host_ca_key failed"
	14	(
	15	echon '@cert-authority '
	16	echon "$HOSTS "
	17	cat $OBJ/host_ca_key.pub
	18	) > $OBJ/known_hosts-cert
	19
	20	# Generate and sign host keys
	21	for ktype in rsa dsa ; do
	22	verbose "$tid: sign host ${ktype} cert"
	23	# Generate and sign a host key
	24	${SSHKEYGEN} -q -N '' -t ${ktype} \
	25	-f $OBJ/cert_host_key_${ktype} \|\| \
	26	fail "ssh-keygen of cert_host_key_${ktype} failed"
	27	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \
	28	-I "regress host key for $USER" \
	29	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
	30	fail "couldn't sign cert_host_key_${ktype}"
	31	done
	32
	33	# Basic connect tests
	34	for privsep in yes no ; do
	35	for ktype in rsa dsa ; do
	36	verbose "$tid: host ${ktype} cert connect privsep $privsep"
	37	(
	38	cat $OBJ/sshd_proxy_bak
	39	echo HostKey $OBJ/cert_host_key_${ktype}
	40	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
	41	echo UsePrivilegeSeparation $privsep
	42	) > $OBJ/sshd_proxy
	43
	44	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
	45	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
	46	-F $OBJ/ssh_proxy somehost true
	47	if [ $? -ne 0 ]; then
	48	fail "ssh cert connect failed"
	49	fi
	50	done
	51	done
	52
	53	# Revoked certificates with key present
	54	(
	55	echon '@cert-authority '
	56	echon "$HOSTS "
	57	cat $OBJ/host_ca_key.pub
	58	echon '@revoked '
	59	echon "* "
	60	cat $OBJ/cert_host_key_rsa.pub
	61	echon '@revoked '
	62	echon "* "
	63	cat $OBJ/cert_host_key_dsa.pub
	64	) > $OBJ/known_hosts-cert
	65	for privsep in yes no ; do
	66	for ktype in rsa dsa ; do
	67	verbose "$tid: host ${ktype} revoked cert privsep $privsep"
	68	(
	69	cat $OBJ/sshd_proxy_bak
	70	echo HostKey $OBJ/cert_host_key_${ktype}
	71	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
	72	echo UsePrivilegeSeparation $privsep
	73	) > $OBJ/sshd_proxy
	74
	75	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
	76	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
	77	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	78	if [ $? -eq 0 ]; then
	79	fail "ssh cert connect succeeded unexpectedly"
	80	fi
	81	done
	82	done
	83
	84	# Revoked CA
	85	(
	86	echon '@cert-authority '
	87	echon "$HOSTS "
	88	cat $OBJ/host_ca_key.pub
	89	echon '@revoked '
	90	echon "* "
	91	cat $OBJ/host_ca_key.pub
	92	) > $OBJ/known_hosts-cert
	93	for ktype in rsa dsa ; do
	94	verbose "$tid: host ${ktype} revoked cert"
	95	(
	96	cat $OBJ/sshd_proxy_bak
	97	echo HostKey $OBJ/cert_host_key_${ktype}
	98	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
	99	) > $OBJ/sshd_proxy
	100	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
	101	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
	102	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	103	if [ $? -eq 0 ]; then
	104	fail "ssh cert connect succeeded unexpectedly"
	105	fi
	106	done
	107
	108	# Create a CA key and add it to known hosts
	109	(
	110	echon '@cert-authority '
	111	echon "$HOSTS "
	112	cat $OBJ/host_ca_key.pub
	113	) > $OBJ/known_hosts-cert
	114
	115	test_one() {
	116	ident=$1
	117	result=$2
	118	sign_opts=$3
	119
	120	verbose "$tid: test host cert connect $ident expect $result"
	121
	122	${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
	123	$sign_opts \
	124	$OBJ/cert_host_key_rsa \|\|
	125	fail "couldn't sign cert_host_key_rsa"
	126	(
	127	cat $OBJ/sshd_proxy_bak
	128	echo HostKey $OBJ/cert_host_key_rsa
	129	echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub
	130	) > $OBJ/sshd_proxy
	131
	132	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
	133	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
	134	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	135	rc=$?
	136	if [ "x$result" = "xsuccess" ] ; then
	137	if [ $rc -ne 0 ]; then
	138	fail "ssh cert connect $ident failed unexpectedly"
	139	fi
	140	else
	141	if [ $rc -eq 0 ]; then
	142	fail "ssh cert connect $ident succeeded unexpectedly"
	143	fi
	144	fi
	145	}
	146
	147	test_one "user-certificate" failure "-n $HOSTS"
	148	test_one "empty principals" success "-h"
	149	test_one "wrong principals" failure "-h -n foo"
	150	test_one "cert not yet valid" failure "-h -V20200101:20300101"
	151	test_one "cert expired" failure "-h -V19800101:19900101"
	152	test_one "cert valid interval" success "-h -V-1w:+2w"
	153	test_one "cert has constraints" failure "-h -Oforce-command=false"
	154
	155	# Check downgrade of cert to raw key when no CA found
	156	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
	157	for ktype in rsa dsa ; do
	158	verbose "$tid: host ${ktype} cert downgrade to raw key"
	159	# Generate and sign a host key
	160	${SSHKEYGEN} -q -N '' -t ${ktype} \
	161	-f $OBJ/cert_host_key_${ktype} \|\| \
	162	fail "ssh-keygen of cert_host_key_${ktype} failed"
	163	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
	164	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
	165	fail "couldn't sign cert_host_key_${ktype}"
	166	(
	167	echon "$HOSTS "
	168	cat $OBJ/cert_host_key_${ktype}.pub
	169	) > $OBJ/known_hosts-cert
	170	(
	171	cat $OBJ/sshd_proxy_bak
	172	echo HostKey $OBJ/cert_host_key_${ktype}
	173	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
	174	) > $OBJ/sshd_proxy
	175
	176	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
	177	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
	178	-F $OBJ/ssh_proxy somehost true
	179	if [ $? -ne 0 ]; then
	180	fail "ssh cert connect failed"
	181	fi
	182	done
	183
	184	# Wrong certificate
	185	(
	186	echon '@cert-authority '
	187	echon "$HOSTS "
	188	cat $OBJ/host_ca_key.pub
	189	) > $OBJ/known_hosts-cert
	190	for ktype in rsa dsa ; do
	191	# Self-sign key
	192	${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \
	193	-I "regress host key for $USER" \
	194	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
	195	fail "couldn't sign cert_host_key_${ktype}"
	196	verbose "$tid: host ${ktype} connect wrong cert"
	197	(
	198	cat $OBJ/sshd_proxy_bak
	199	echo HostKey $OBJ/cert_host_key_${ktype}
	200	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
	201	) > $OBJ/sshd_proxy
	202
	203	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
	204	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
	205	-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
	206	if [ $? -eq 0 ]; then
	207	fail "ssh cert connect $ident succeeded unexpectedly"
	208	fi
	209	done
	210
	211	rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*