summaryrefslogtreecommitdiff
path: root/regress/cert-userkey.sh
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2015-08-22 10:05:45 +0100
committerColin Watson <cjwatson@debian.org>2015-08-22 10:05:45 +0100
commit58ddb8ad21f21f5358db0204c4ba9abf94a1ca11 (patch)
treec55df1f23e6fa0fb87a96d8ec4c06a68c3a82b45 /regress/cert-userkey.sh
parent544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 (diff)
parent1dc8d93ce69d6565747eb44446ed117187621b26 (diff)
Import openssh_7.0p1.orig.tar.gz
Diffstat (limited to 'regress/cert-userkey.sh')
-rw-r--r--regress/cert-userkey.sh64
1 files changed, 34 insertions, 30 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index b093a9196..c38c00a02 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,18 +1,17 @@
1# $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $ 1# $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified user keys" 4tid="certified user keys"
5 5
6rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* 6rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
8 9
9PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` 10PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
10 11
11type_has_legacy() { 12kname() {
12 case $1 in 13 n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'`
13 ed25519*|ecdsa*) return 1 ;; 14 echo "$n*,ssh-rsa*,ssh-ed25519*"
14 esac
15 return 0
16} 15}
17 16
18# Create a CA key 17# Create a CA key
@@ -28,18 +27,11 @@ for ktype in $PLAIN_TYPES ; do
28 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ 27 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
29 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || 28 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
30 fail "couldn't sign cert_user_key_${ktype}" 29 fail "couldn't sign cert_user_key_${ktype}"
31 type_has_legacy $ktype || continue
32 cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
33 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
34 verbose "$tid: sign host ${ktype}_v00 cert"
35 ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
36 "regress user key for $USER" \
37 -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
38 fatal "couldn't sign cert_user_key_${ktype}_v00"
39done 30done
40 31
41# Test explicitly-specified principals 32# Test explicitly-specified principals
42for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 33for ktype in $PLAIN_TYPES ; do
34 t=$(kname $ktype)
43 for privsep in yes no ; do 35 for privsep in yes no ; do
44 _prefix="${ktype} privsep $privsep" 36 _prefix="${ktype} privsep $privsep"
45 37
@@ -51,7 +43,12 @@ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
51 echo "AuthorizedPrincipalsFile " \ 43 echo "AuthorizedPrincipalsFile " \
52 "$OBJ/authorized_principals_%u" 44 "$OBJ/authorized_principals_%u"
53 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" 45 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
46 echo "PubkeyAcceptedKeyTypes ${t}"
54 ) > $OBJ/sshd_proxy 47 ) > $OBJ/sshd_proxy
48 (
49 cat $OBJ/ssh_proxy_bak
50 echo "PubkeyAcceptedKeyTypes ${t}"
51 ) > $OBJ/ssh_proxy
55 52
56 # Missing authorized_principals 53 # Missing authorized_principals
57 verbose "$tid: ${_prefix} missing authorized_principals" 54 verbose "$tid: ${_prefix} missing authorized_principals"
@@ -124,7 +121,12 @@ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
124 ( 121 (
125 cat $OBJ/sshd_proxy_bak 122 cat $OBJ/sshd_proxy_bak
126 echo "UsePrivilegeSeparation $privsep" 123 echo "UsePrivilegeSeparation $privsep"
124 echo "PubkeyAcceptedKeyTypes ${t}"
127 ) > $OBJ/sshd_proxy 125 ) > $OBJ/sshd_proxy
126 (
127 cat $OBJ/ssh_proxy_bak
128 echo "PubkeyAcceptedKeyTypes ${t}"
129 ) > $OBJ/ssh_proxy
128 130
129 # Wrong principals list 131 # Wrong principals list
130 verbose "$tid: ${_prefix} wrong principals key option" 132 verbose "$tid: ${_prefix} wrong principals key option"
@@ -165,7 +167,8 @@ basic_tests() {
165 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" 167 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
166 fi 168 fi
167 169
168 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 170 for ktype in $PLAIN_TYPES ; do
171 t=$(kname $ktype)
169 for privsep in yes no ; do 172 for privsep in yes no ; do
170 _prefix="${ktype} privsep $privsep $auth" 173 _prefix="${ktype} privsep $privsep $auth"
171 # Simple connect 174 # Simple connect
@@ -173,8 +176,13 @@ basic_tests() {
173 ( 176 (
174 cat $OBJ/sshd_proxy_bak 177 cat $OBJ/sshd_proxy_bak
175 echo "UsePrivilegeSeparation $privsep" 178 echo "UsePrivilegeSeparation $privsep"
179 echo "PubkeyAcceptedKeyTypes ${t}"
176 echo "$extra_sshd" 180 echo "$extra_sshd"
177 ) > $OBJ/sshd_proxy 181 ) > $OBJ/sshd_proxy
182 (
183 cat $OBJ/ssh_proxy_bak
184 echo "PubkeyAcceptedKeyTypes ${t}"
185 ) > $OBJ/ssh_proxy
178 186
179 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 187 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
180 -F $OBJ/ssh_proxy somehost true 188 -F $OBJ/ssh_proxy somehost true
@@ -188,6 +196,7 @@ basic_tests() {
188 cat $OBJ/sshd_proxy_bak 196 cat $OBJ/sshd_proxy_bak
189 echo "UsePrivilegeSeparation $privsep" 197 echo "UsePrivilegeSeparation $privsep"
190 echo "RevokedKeys $OBJ/cert_user_key_revoked" 198 echo "RevokedKeys $OBJ/cert_user_key_revoked"
199 echo "PubkeyAcceptedKeyTypes ${t}"
191 echo "$extra_sshd" 200 echo "$extra_sshd"
192 ) > $OBJ/sshd_proxy 201 ) > $OBJ/sshd_proxy
193 cp $OBJ/cert_user_key_${ktype}.pub \ 202 cp $OBJ/cert_user_key_${ktype}.pub \
@@ -220,6 +229,7 @@ basic_tests() {
220 ( 229 (
221 cat $OBJ/sshd_proxy_bak 230 cat $OBJ/sshd_proxy_bak
222 echo "RevokedKeys $OBJ/user_ca_key.pub" 231 echo "RevokedKeys $OBJ/user_ca_key.pub"
232 echo "PubkeyAcceptedKeyTypes ${t}"
223 echo "$extra_sshd" 233 echo "$extra_sshd"
224 ) > $OBJ/sshd_proxy 234 ) > $OBJ/sshd_proxy
225 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ 235 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
@@ -232,6 +242,7 @@ basic_tests() {
232 verbose "$tid: $auth CA does not authenticate" 242 verbose "$tid: $auth CA does not authenticate"
233 ( 243 (
234 cat $OBJ/sshd_proxy_bak 244 cat $OBJ/sshd_proxy_bak
245 echo "PubkeyAcceptedKeyTypes ${t}"
235 echo "$extra_sshd" 246 echo "$extra_sshd"
236 ) > $OBJ/sshd_proxy 247 ) > $OBJ/sshd_proxy
237 verbose "$tid: ensure CA key does not authenticate user" 248 verbose "$tid: ensure CA key does not authenticate user"
@@ -257,12 +268,7 @@ test_one() {
257 fi 268 fi
258 269
259 for auth in $auth_choice ; do 270 for auth in $auth_choice ; do
260 for ktype in rsa rsa_v00 ; do 271 for ktype in rsa ed25519 ; do
261 case $ktype in
262 *_v00) keyv="-t v00" ;;
263 *) keyv="" ;;
264 esac
265
266 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy 272 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
267 if test "x$auth" = "xauthorized_keys" ; then 273 if test "x$auth" = "xauthorized_keys" ; then
268 # Add CA to authorized_keys 274 # Add CA to authorized_keys
@@ -274,6 +280,8 @@ test_one() {
274 echo > $OBJ/authorized_keys_$USER 280 echo > $OBJ/authorized_keys_$USER
275 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ 281 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
276 >> $OBJ/sshd_proxy 282 >> $OBJ/sshd_proxy
283 echo "PubkeyAcceptedKeyTypes ${t}*" \
284 >> $OBJ/sshd_proxy
277 if test "x$auth_opt" != "x" ; then 285 if test "x$auth_opt" != "x" ; then
278 echo $auth_opt >> $OBJ/sshd_proxy 286 echo $auth_opt >> $OBJ/sshd_proxy
279 fi 287 fi
@@ -282,8 +290,7 @@ test_one() {
282 verbose "$tid: $ident auth $auth expect $result $ktype" 290 verbose "$tid: $ident auth $auth expect $result $ktype"
283 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ 291 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
284 -I "regress user key for $USER" \ 292 -I "regress user key for $USER" \
285 $sign_opts $keyv \ 293 $sign_opts $OBJ/cert_user_key_${ktype} ||
286 $OBJ/cert_user_key_${ktype} ||
287 fail "couldn't sign cert_user_key_${ktype}" 294 fail "couldn't sign cert_user_key_${ktype}"
288 295
289 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 296 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -335,13 +342,10 @@ test_one "principals key option no principals" failure "" \
335 342
336# Wrong certificate 343# Wrong certificate
337cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy 344cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
338for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 345for ktype in $PLAIN_TYPES ; do
339 case $ktype in 346 t=$(kname $ktype)
340 *_v00) args="-t v00" ;;
341 *) args="" ;;
342 esac
343 # Self-sign 347 # Self-sign
344 ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \ 348 ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
345 "regress user key for $USER" \ 349 "regress user key for $USER" \
346 -n $USER $OBJ/cert_user_key_${ktype} || 350 -n $USER $OBJ/cert_user_key_${ktype} ||
347 fail "couldn't sign cert_user_key_${ktype}" 351 fail "couldn't sign cert_user_key_${ktype}"