- djm@cvs.openbsd.org 2010/03/03 00:47:23

[regress/cert-hostkey.sh regress/cert-userkey.sh] add an extra test to ensure that authentication with the wrong certificate fails as it should (and it does)
author: Damien Miller <djm@mindrot.org> 2010-03-04 21:57:21 +1100
committer: Damien Miller <djm@mindrot.org> 2010-03-04 21:57:21 +1100
commit: 017d1e777ef197eab866b9d0046e000a46baf10b (patch)
tree: 9fd0ffce102946db33980cc92cc2c17b568d6bfb /regress/cert-hostkey.sh
parent: 1aed65eb27feec505997c98621bdf158f9ab8b99 (diff)
1 files changed, 28 insertions, 1 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 9539a927f..9097a1359 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-hostkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
+#       $OpenBSD: cert-hostkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
 #       Placed in the Public Domain.
 tid="certified host keys"
@@ -119,4 +119,31 @@ for ktype in rsa dsa ; do
        fi
 done
+# Wrong certificate
+(
+        echon '@cert-authority '
+        echon "$HOSTS "
+        cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+for ktype in rsa dsa ; do 
+        # Self-sign key
+        ${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \
+            -I "regress host key for $USER" \
+            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+                fail "couldn't sign cert_host_key_${ktype}"
+        verbose "$tid: host ${ktype} connect wrong cert"
+        (
+                cat $OBJ/sshd_proxy_bak
+                echo HostKey $OBJ/cert_host_key_${ktype}
+                echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+        ) > $OBJ/sshd_proxy
+        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+        if [ $? -eq 0 ]; then
+                fail "ssh cert connect $ident succeeded unexpectedly"
+        fi
+done
 rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
author	Damien Miller <djm@mindrot.org>	2010-03-04 21:57:21 +1100
committer	Damien Miller <djm@mindrot.org>	2010-03-04 21:57:21 +1100
commit	017d1e777ef197eab866b9d0046e000a46baf10b (patch)
tree	9fd0ffce102946db33980cc92cc2c17b568d6bfb /regress/cert-hostkey.sh
parent	1aed65eb27feec505997c98621bdf158f9ab8b99 (diff)

diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 9539a927f..9097a1359 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-hostkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $	1	# $OpenBSD: cert-hostkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified host keys"	4	tid="certified host keys"
@@ -119,4 +119,31 @@ for ktype in rsa dsa ; do
119	fi	119	fi
120	done	120	done
121		121
		122	# Wrong certificate
		123	(
		124	echon '@cert-authority '
		125	echon "$HOSTS "
		126	cat $OBJ/host_ca_key.pub
		127	) > $OBJ/known_hosts-cert
		128	for ktype in rsa dsa ; do
		129	# Self-sign key
		130	${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \
		131	-I "regress host key for $USER" \
		132	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
		133	fail "couldn't sign cert_host_key_${ktype}"
		134	verbose "$tid: host ${ktype} connect wrong cert"
		135	(
		136	cat $OBJ/sshd_proxy_bak
		137	echo HostKey $OBJ/cert_host_key_${ktype}
		138	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
		139	) > $OBJ/sshd_proxy
		140
		141	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		142	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		143	-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
		144	if [ $? -eq 0 ]; then
		145	fail "ssh cert connect $ident succeeded unexpectedly"
		146	fi
		147	done
		148
122	rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*	149	rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*