upstream commit

legacy v00 certificates are gone; adapt and don't try to test them; "sure" markus@ dtucker@ Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12
author: djm@openbsd.org <djm@openbsd.org> 2015-07-03 04:39:23 +0000
committer: Damien Miller <djm@mindrot.org> 2015-07-15 16:04:02 +1000
commit: 6a977a4b68747ade189e43d302f33403fd4a47ac (patch)
tree: 51474b3b479b4e16d20309d8d6b5ccf235e4c152 /regress/cert-hostkey.sh
parent: 0c4123ad5e93fb90fee9c6635b13a6cdabaac385 (diff)
1 files changed, 58 insertions, 90 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 51685dc2b..c99c2b1c3 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $
+#       $OpenBSD: cert-hostkey.sh,v 1.12 2015/07/03 04:39:23 djm Exp $
 #       Placed in the Public Domain.
 tid="certified host keys"
@@ -27,13 +27,6 @@ cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
-type_has_legacy() {
-        case $1 in
-                ed25519*|ecdsa*) return 1 ;;
-        esac
-        return 0
-}
 # Prepare certificate, plain key and CA KRLs
 ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
 ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
@@ -61,18 +54,6 @@ for ktype in $PLAIN_TYPES ; do
                fatal "KRL update failed"
        cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert
        serial=`expr $serial + 1`
-        type_has_legacy $ktype || continue
-        cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
-        cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
-        verbose "$tid: sign host ${ktype}_v00 cert"
-        ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
-            -I "regress host key for $USER" \
-            -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
-                fatal "couldn't sign cert_host_key_${ktype}_v00"
-        ${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
-            $OBJ/cert_host_key_${ktype}_v00-cert.pub || \
-                fatal "KRL update failed"
-        cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert
 done
 attempt_connect() {
@@ -98,7 +79,7 @@ attempt_connect() {
 # Basic connect and revocation tests.
 for privsep in yes no ; do
-        for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 
+        for ktype in $PLAIN_TYPES ; do 
                verbose "$tid: host ${ktype} cert connect privsep $privsep"
                (
                        cat $OBJ/sshd_proxy_bak
@@ -133,14 +114,14 @@ done
        printf '@cert-authority '
        printf "$HOSTS "
        cat $OBJ/host_ca_key.pub
-        for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
+        for ktype in $PLAIN_TYPES ; do
                test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
                printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
        done
 ) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
 for privsep in yes no ; do
-        for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 
+        for ktype in $PLAIN_TYPES ; do 
                verbose "$tid: host ${ktype} revoked cert privsep $privsep"
                (
                        cat $OBJ/sshd_proxy_bak
@@ -169,7 +150,7 @@ done
        cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
+for ktype in $PLAIN_TYPES ; do 
        verbose "$tid: host ${ktype} revoked cert"
        (
                cat $OBJ/sshd_proxy_bak
@@ -198,17 +179,10 @@ test_one() {
        result=$2
        sign_opts=$3
-        for kt in rsa rsa_v00 ; do
+        for kt in rsa ed25519 ; do
-                case $kt in
-                *_v00) args="-t v00" ;;
-                *) args="" ;;
-                esac
-                verbose "$tid: host cert connect $ident $kt expect $result"
                ${SSHKEYGEN} -q -s $OBJ/host_ca_key \
                    -I "regress host key for $USER" \
-                    $sign_opts $args \
+                    $sign_opts $OBJ/cert_host_key_${kt} ||
-                    $OBJ/cert_host_key_${kt} ||
                        fail "couldn't sign cert_host_key_${kt}"
                (
                        cat $OBJ/sshd_proxy_bak
@@ -242,36 +216,33 @@ test_one "cert valid interval"	success "-h -V-1w:+2w"
 test_one "cert has constraints" failure "-h -Oforce-command=false"
 # Check downgrade of cert to raw key when no CA found
-for v in v01 v00 ;  do 
+for ktype in $PLAIN_TYPES ; do 
-        for ktype in $PLAIN_TYPES ; do 
+        rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
-                type_has_legacy $ktype || continue
+        verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
-                rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
+        # Generate and sign a host key
-                verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
+        ${SSHKEYGEN} -q -N '' -t ${ktype} \
-                # Generate and sign a host key
+            -f $OBJ/cert_host_key_${ktype} || \
-                ${SSHKEYGEN} -q -N '' -t ${ktype} \
+                fail "ssh-keygen of cert_host_key_${ktype} failed"
-                    -f $OBJ/cert_host_key_${ktype} || \
+        ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
-                        fail "ssh-keygen of cert_host_key_${ktype} failed"
+            -I "regress host key for $USER" \
-                ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
+            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
-                    -I "regress host key for $USER" \
+                fail "couldn't sign cert_host_key_${ktype}"
-                    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+        (
-                        fail "couldn't sign cert_host_key_${ktype}"
+                printf "$HOSTS "
-                (
+                cat $OBJ/cert_host_key_${ktype}.pub
-                        printf "$HOSTS "
+        ) > $OBJ/known_hosts-cert
-                        cat $OBJ/cert_host_key_${ktype}.pub
+        (
-                ) > $OBJ/known_hosts-cert
+                cat $OBJ/sshd_proxy_bak
-                (
+                echo HostKey $OBJ/cert_host_key_${ktype}
-                        cat $OBJ/sshd_proxy_bak
+                echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-                        echo HostKey $OBJ/cert_host_key_${ktype}
+        ) > $OBJ/sshd_proxy
-                        echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+        
-                ) > $OBJ/sshd_proxy
+        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-                
+            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                -F $OBJ/ssh_proxy somehost true
-                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+        if [ $? -ne 0 ]; then
-                        -F $OBJ/ssh_proxy somehost true
+                fail "ssh cert connect failed"
-                if [ $? -ne 0 ]; then
+        fi
-                        fail "ssh cert connect failed"
-                fi
-        done
 done
 # Wrong certificate
@@ -281,33 +252,30 @@ done
        cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for v in v01 v00 ;  do 
+for kt in $PLAIN_TYPES ; do 
-        for kt in $PLAIN_TYPES ; do 
+        rm -f $OBJ/cert_host_key*
-                type_has_legacy $kt || continue
+        # Self-sign key
-                rm -f $OBJ/cert_host_key*
+        ${SSHKEYGEN} -q -N '' -t ${kt} \
-                # Self-sign key
+            -f $OBJ/cert_host_key_${kt} || \
-                ${SSHKEYGEN} -q -N '' -t ${kt} \
+                fail "ssh-keygen of cert_host_key_${kt} failed"
-                    -f $OBJ/cert_host_key_${kt} || \
+        ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
-                        fail "ssh-keygen of cert_host_key_${kt} failed"
+            -I "regress host key for $USER" \
-                ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
+            -n $HOSTS $OBJ/cert_host_key_${kt} ||
-                    -I "regress host key for $USER" \
+                fail "couldn't sign cert_host_key_${kt}"
-                    -n $HOSTS $OBJ/cert_host_key_${kt} ||
+        verbose "$tid: host ${kt} connect wrong cert"
-                        fail "couldn't sign cert_host_key_${kt}"
+        (
-                verbose "$tid: host ${kt} connect wrong cert"
+                cat $OBJ/sshd_proxy_bak
-                (
+                echo HostKey $OBJ/cert_host_key_${kt}
-                        cat $OBJ/sshd_proxy_bak
+                echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
-                        echo HostKey $OBJ/cert_host_key_${kt}
+        ) > $OBJ/sshd_proxy
-                        echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
-                ) > $OBJ/sshd_proxy
+        cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-        
+        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-                cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
+            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
-                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+        if [ $? -eq 0 ]; then
-                        -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+                fail "ssh cert connect $ident succeeded unexpectedly"
-                if [ $? -eq 0 ]; then
+        fi
-                        fail "ssh cert connect $ident succeeded unexpectedly"
-                fi
-        done
 done
 rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*
author	djm@openbsd.org <djm@openbsd.org>	2015-07-03 04:39:23 +0000
committer	Damien Miller <djm@mindrot.org>	2015-07-15 16:04:02 +1000
commit	6a977a4b68747ade189e43d302f33403fd4a47ac (patch)
tree	51474b3b479b4e16d20309d8d6b5ccf235e4c152 /regress/cert-hostkey.sh
parent	0c4123ad5e93fb90fee9c6635b13a6cdabaac385 (diff)

diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 51685dc2b..c99c2b1c3 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $	1	# $OpenBSD: cert-hostkey.sh,v 1.12 2015/07/03 04:39:23 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified host keys"	4	tid="certified host keys"
@@ -27,13 +27,6 @@ cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
27		27
28	PLAIN_TYPES=`$SSH -Q key-plain \| sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`	28	PLAIN_TYPES=`$SSH -Q key-plain \| sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
29		29
30	type_has_legacy() {
31	case $1 in
32	ed25519\|ecdsa) return 1 ;;
33	esac
34	return 0
35	}
36
37	# Prepare certificate, plain key and CA KRLs	30	# Prepare certificate, plain key and CA KRLs
38	${SSHKEYGEN} -kf $OBJ/host_krl_empty \|\| fatal "KRL init failed"	31	${SSHKEYGEN} -kf $OBJ/host_krl_empty \|\| fatal "KRL init failed"
39	${SSHKEYGEN} -kf $OBJ/host_krl_plain \|\| fatal "KRL init failed"	32	${SSHKEYGEN} -kf $OBJ/host_krl_plain \|\| fatal "KRL init failed"
@@ -61,18 +54,6 @@ for ktype in $PLAIN_TYPES ; do
61	fatal "KRL update failed"	54	fatal "KRL update failed"
62	cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert	55	cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert
63	serial=`expr $serial + 1`	56	serial=`expr $serial + 1`
64	type_has_legacy $ktype \|\| continue
65	cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
66	cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
67	verbose "$tid: sign host ${ktype}_v00 cert"
68	${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
69	-I "regress host key for $USER" \
70	-n $HOSTS $OBJ/cert_host_key_${ktype}_v00 \|\|
71	fatal "couldn't sign cert_host_key_${ktype}_v00"
72	${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
73	$OBJ/cert_host_key_${ktype}_v00-cert.pub \|\| \
74	fatal "KRL update failed"
75	cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert
76	done	57	done
77		58
78	attempt_connect() {	59	attempt_connect() {
@@ -98,7 +79,7 @@ attempt_connect() {
98		79
99	# Basic connect and revocation tests.	80	# Basic connect and revocation tests.
100	for privsep in yes no ; do	81	for privsep in yes no ; do
101	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do	82	for ktype in $PLAIN_TYPES ; do
102	verbose "$tid: host ${ktype} cert connect privsep $privsep"	83	verbose "$tid: host ${ktype} cert connect privsep $privsep"
103	(	84	(
104	cat $OBJ/sshd_proxy_bak	85	cat $OBJ/sshd_proxy_bak
@@ -133,14 +114,14 @@ done
133	printf '@cert-authority '	114	printf '@cert-authority '
134	printf "$HOSTS "	115	printf "$HOSTS "
135	cat $OBJ/host_ca_key.pub	116	cat $OBJ/host_ca_key.pub
136	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do	117	for ktype in $PLAIN_TYPES ; do
137	test -f "$OBJ/cert_host_key_${ktype}.pub" \|\| fatal "no pubkey"	118	test -f "$OBJ/cert_host_key_${ktype}.pub" \|\| fatal "no pubkey"
138	printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"	119	printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
139	done	120	done
140	) > $OBJ/known_hosts-cert.orig	121	) > $OBJ/known_hosts-cert.orig
141	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	122	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
142	for privsep in yes no ; do	123	for privsep in yes no ; do
143	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do	124	for ktype in $PLAIN_TYPES ; do
144	verbose "$tid: host ${ktype} revoked cert privsep $privsep"	125	verbose "$tid: host ${ktype} revoked cert privsep $privsep"
145	(	126	(
146	cat $OBJ/sshd_proxy_bak	127	cat $OBJ/sshd_proxy_bak
@@ -169,7 +150,7 @@ done
169	cat $OBJ/host_ca_key.pub	150	cat $OBJ/host_ca_key.pub
170	) > $OBJ/known_hosts-cert.orig	151	) > $OBJ/known_hosts-cert.orig
171	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	152	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
172	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do	153	for ktype in $PLAIN_TYPES ; do
173	verbose "$tid: host ${ktype} revoked cert"	154	verbose "$tid: host ${ktype} revoked cert"
174	(	155	(
175	cat $OBJ/sshd_proxy_bak	156	cat $OBJ/sshd_proxy_bak
@@ -198,17 +179,10 @@ test_one() {
198	result=$2	179	result=$2
199	sign_opts=$3	180	sign_opts=$3
200		181
201	for kt in rsa rsa_v00 ; do	182	for kt in rsa ed25519 ; do
202	case $kt in
203	*_v00) args="-t v00" ;;
204	*) args="" ;;
205	esac
206
207	verbose "$tid: host cert connect $ident $kt expect $result"
208	${SSHKEYGEN} -q -s $OBJ/host_ca_key \	183	${SSHKEYGEN} -q -s $OBJ/host_ca_key \
209	-I "regress host key for $USER" \	184	-I "regress host key for $USER" \
210	$sign_opts $args \	185	$sign_opts $OBJ/cert_host_key_${kt} \|\|
211	$OBJ/cert_host_key_${kt} \|\|
212	fail "couldn't sign cert_host_key_${kt}"	186	fail "couldn't sign cert_host_key_${kt}"
213	(	187	(
214	cat $OBJ/sshd_proxy_bak	188	cat $OBJ/sshd_proxy_bak
@@ -242,36 +216,33 @@ test_one "cert valid interval" success "-h -V-1w:+2w"
242	test_one "cert has constraints" failure "-h -Oforce-command=false"	216	test_one "cert has constraints" failure "-h -Oforce-command=false"
243		217
244	# Check downgrade of cert to raw key when no CA found	218	# Check downgrade of cert to raw key when no CA found
245	for v in v01 v00 ; do	219	for ktype in $PLAIN_TYPES ; do
246	for ktype in $PLAIN_TYPES ; do	220	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
247	type_has_legacy $ktype \|\| continue	221	verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
248	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*	222	# Generate and sign a host key
249	verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"	223	${SSHKEYGEN} -q -N '' -t ${ktype} \
250	# Generate and sign a host key	224	-f $OBJ/cert_host_key_${ktype} \|\| \
251	${SSHKEYGEN} -q -N '' -t ${ktype} \	225	fail "ssh-keygen of cert_host_key_${ktype} failed"
252	-f $OBJ/cert_host_key_${ktype} \|\| \	226	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
253	fail "ssh-keygen of cert_host_key_${ktype} failed"	227	-I "regress host key for $USER" \
254	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \	228	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
255	-I "regress host key for $USER" \	229	fail "couldn't sign cert_host_key_${ktype}"
256	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|	230	(
257	fail "couldn't sign cert_host_key_${ktype}"	231	printf "$HOSTS "
258	(	232	cat $OBJ/cert_host_key_${ktype}.pub
259	printf "$HOSTS "	233	) > $OBJ/known_hosts-cert
260	cat $OBJ/cert_host_key_${ktype}.pub	234	(
261	) > $OBJ/known_hosts-cert	235	cat $OBJ/sshd_proxy_bak
262	(	236	echo HostKey $OBJ/cert_host_key_${ktype}
263	cat $OBJ/sshd_proxy_bak	237	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
264	echo HostKey $OBJ/cert_host_key_${ktype}	238	) > $OBJ/sshd_proxy
265	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub	239
266	) > $OBJ/sshd_proxy	240	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
267		241	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
268	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \	242	-F $OBJ/ssh_proxy somehost true
269	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \	243	if [ $? -ne 0 ]; then
270	-F $OBJ/ssh_proxy somehost true	244	fail "ssh cert connect failed"
271	if [ $? -ne 0 ]; then	245	fi
272	fail "ssh cert connect failed"
273	fi
274	done
275	done	246	done
276		247
277	# Wrong certificate	248	# Wrong certificate
@@ -281,33 +252,30 @@ done
281	cat $OBJ/host_ca_key.pub	252	cat $OBJ/host_ca_key.pub
282	) > $OBJ/known_hosts-cert.orig	253	) > $OBJ/known_hosts-cert.orig
283	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	254	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
284	for v in v01 v00 ; do	255	for kt in $PLAIN_TYPES ; do
285	for kt in $PLAIN_TYPES ; do	256	rm -f $OBJ/cert_host_key*
286	type_has_legacy $kt \|\| continue	257	# Self-sign key
287	rm -f $OBJ/cert_host_key*	258	${SSHKEYGEN} -q -N '' -t ${kt} \
288	# Self-sign key	259	-f $OBJ/cert_host_key_${kt} \|\| \
289	${SSHKEYGEN} -q -N '' -t ${kt} \	260	fail "ssh-keygen of cert_host_key_${kt} failed"
290	-f $OBJ/cert_host_key_${kt} \|\| \	261	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
291	fail "ssh-keygen of cert_host_key_${kt} failed"	262	-I "regress host key for $USER" \
292	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \	263	-n $HOSTS $OBJ/cert_host_key_${kt} \|\|
293	-I "regress host key for $USER" \	264	fail "couldn't sign cert_host_key_${kt}"
294	-n $HOSTS $OBJ/cert_host_key_${kt} \|\|	265	verbose "$tid: host ${kt} connect wrong cert"
295	fail "couldn't sign cert_host_key_${kt}"	266	(
296	verbose "$tid: host ${kt} connect wrong cert"	267	cat $OBJ/sshd_proxy_bak
297	(	268	echo HostKey $OBJ/cert_host_key_${kt}
298	cat $OBJ/sshd_proxy_bak	269	echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
299	echo HostKey $OBJ/cert_host_key_${kt}	270	) > $OBJ/sshd_proxy
300	echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub	271
301	) > $OBJ/sshd_proxy	272	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
302		273	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
303	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	274	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
304	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \	275	-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
305	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \	276	if [ $? -eq 0 ]; then
306	-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1	277	fail "ssh cert connect $ident succeeded unexpectedly"
307	if [ $? -eq 0 ]; then	278	fi
308	fail "ssh cert connect $ident succeeded unexpectedly"
309	fi
310	done
311	done	279	done
312		280
313	rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*	281	rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*