* New upstream release (LP: #535029).

- After a transition period of about 10 years, this release disables SSH protocol 1 by default. Clients and servers that need to use the legacy protocol must explicitly enable it in ssh_config / sshd_config or on the command-line. - Remove the libsectok/OpenSC-based smartcard code and add support for PKCS#11 tokens. This support is enabled by default in the Debian packaging, since it now doesn't involve additional library dependencies (closes: #231472, LP: #16918). - Add support for certificate authentication of users and hosts using a new, minimal OpenSSH certificate format (closes: #482806). - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...". - Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian package, this overlaps with the key blacklisting facility added in openssh 1:4.7p1-9, but with different file formats and slightly different scopes; for the moment, I've roughly merged the two.) - Various multiplexing improvements, including support for requesting port-forwardings via the multiplex protocol (closes: #360151). - Allow setting an explicit umask on the sftp-server(8) commandline to override whatever default the user has (closes: #496843). - Many sftp client improvements, including tab-completion, more options, and recursive transfer support for get/put (LP: #33378). The old mget/mput commands never worked properly and have been removed (closes: #270399, #428082). - Do not prompt for a passphrase if we fail to open a keyfile, and log the reason why the open failed to debug (closes: #431538). - Prevent sftp from crashing when given a "-" without a command. Also, allow whitespace to follow a "-" (closes: #531561).
author: Colin Watson <cjwatson@debian.org> 2010-03-31 10:46:28 +0100
committer: Colin Watson <cjwatson@debian.org> 2010-03-31 10:46:28 +0100
commit: efd3d4522636ae029488c2e9730b60c88e257d2e (patch)
tree: 31e02ac3f16090ce8c53448677356b2b7f423683 /regress/cert-userkey.sh
parent: bbec4db36d464ea1d464a707625125f9fd5c7b5e (diff)
parent: d1a87e462e1db89f19cd960588d0c6b287cb5ccc (diff)
1 files changed, 176 insertions, 0 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
new file mode 100644
index 000000000..7a58e7b75
--- /dev/null
+++ b/regress/cert-userkey.sh
@@ -0,0 +1,176 @@
+#       $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
+#       Placed in the Public Domain.
+tid="certified user keys"
+rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+# Create a CA key
+${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
+        fail "ssh-keygen of user_ca_key failed"
+# Generate and sign user keys
+for ktype in rsa dsa ; do 
+        verbose "$tid: sign user ${ktype} cert"
+        ${SSHKEYGEN} -q -N '' -t ${ktype} \
+            -f $OBJ/cert_user_key_${ktype} || \
+                fail "ssh-keygen of cert_user_key_${ktype} failed"
+        ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
+            "regress user key for $USER" \
+            -n $USER $OBJ/cert_user_key_${ktype} ||
+                fail "couldn't sign cert_user_key_${ktype}"
+done
+basic_tests() {
+        auth=$1
+        if test "x$auth" = "xauthorized_keys" ; then
+                # Add CA to authorized_keys
+                (
+                        echon 'cert-authority '
+                        cat $OBJ/user_ca_key.pub
+                ) > $OBJ/authorized_keys_$USER
+        else
+                echo > $OBJ/authorized_keys_$USER
+                extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
+        fi
+        
+        for ktype in rsa dsa ; do 
+                for privsep in yes no ; do
+                        _prefix="${ktype} privsep $privsep $auth"
+                        # Simple connect
+                        verbose "$tid: ${_prefix} connect"
+                        (
+                                cat $OBJ/sshd_proxy_bak
+                                echo "UsePrivilegeSeparation $privsep"
+                                echo "$extra_sshd"
+                        ) > $OBJ/sshd_proxy
+        
+                        ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                            -F $OBJ/ssh_proxy somehost true
+                        if [ $? -ne 0 ]; then
+                                fail "ssh cert connect failed"
+                        fi
+                        # Revoked keys
+                        verbose "$tid: ${_prefix} revoked key"
+                        (
+                                cat $OBJ/sshd_proxy_bak
+                                echo "UsePrivilegeSeparation $privsep"
+                                echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
+                                echo "$extra_sshd"
+                        ) > $OBJ/sshd_proxy
+                        ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                        if [ $? -eq 0 ]; then
+                                fail "ssh cert connect succeeded unexpecedly"
+                        fi
+                done
+        
+                # Revoked CA
+                verbose "$tid: ${ktype} $auth revoked CA key"
+                (
+                        cat $OBJ/sshd_proxy_bak
+                        echo "RevokedKeys $OBJ/user_ca_key.pub"
+                        echo "$extra_sshd"
+                ) > $OBJ/sshd_proxy
+                ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+                    somehost true >/dev/null 2>&1
+                if [ $? -eq 0 ]; then
+                        fail "ssh cert connect succeeded unexpecedly"
+                fi
+        done
+        
+        verbose "$tid: $auth CA does not authenticate"
+        (
+                cat $OBJ/sshd_proxy_bak
+                echo "$extra_sshd"
+        ) > $OBJ/sshd_proxy
+        verbose "$tid: ensure CA key does not authenticate user"
+        ${SSH} -2i $OBJ/user_ca_key \
+            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+        if [ $? -eq 0 ]; then
+                fail "ssh cert connect with CA key succeeded unexpectedly"
+        fi
+}
+basic_tests authorized_keys
+basic_tests TrustedUserCAKeys
+test_one() {
+        ident=$1
+        result=$2
+        sign_opts=$3
+        auth_choice=$4
+        if test "x$auth_choice" = "x" ; then
+                auth_choice="authorized_keys TrustedUserCAKeys"
+        fi
+        for auth in $auth_choice ; do
+                cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+                if test "x$auth" = "xauthorized_keys" ; then
+                        # Add CA to authorized_keys
+                        (
+                                echon 'cert-authority '
+                                cat $OBJ/user_ca_key.pub
+                        ) > $OBJ/authorized_keys_$USER
+                else
+                        echo > $OBJ/authorized_keys_$USER
+                        echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \
+                            $OBJ/sshd_proxy
+                fi
+                
+                verbose "$tid: $ident auth $auth expect $result"
+                ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
+                    -I "regress user key for $USER" \
+                    $sign_opts \
+                    $OBJ/cert_user_key_rsa ||
+                        fail "couldn't sign cert_user_key_rsa"
+        
+                ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
+                    somehost true >/dev/null 2>&1
+                rc=$?
+                if [ "x$result" = "xsuccess" ] ; then
+                        if [ $rc -ne 0 ]; then
+                                fail "$ident failed unexpectedly"
+                        fi
+                else
+                        if [ $rc -eq 0 ]; then
+                                fail "$ident succeeded unexpectedly"
+                        fi
+                fi
+        done
+}
+test_one "correct principal"    success "-n ${USER}"
+test_one "host-certificate"     failure "-n ${USER} -h"
+test_one "wrong principals"     failure "-n foo"
+test_one "cert not yet valid"   failure "-n ${USER} -V20200101:20300101"
+test_one "cert expired"         failure "-n ${USER} -V19800101:19900101"
+test_one "cert valid interval"  success "-n ${USER} -V-1w:+2w"
+test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
+test_one "force-command"        failure "-n ${USER} -Oforce-command=false"
+# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
+test_one "empty principals"     success "" authorized_keys
+test_one "empty principals"     failure "" TrustedUserCAKeys
+# Wrong certificate
+for ktype in rsa dsa ; do 
+        # Self-sign
+        ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
+            "regress user key for $USER" \
+            -n $USER $OBJ/cert_user_key_${ktype} ||
+                fail "couldn't sign cert_user_key_${ktype}"
+        verbose "$tid: user ${ktype} connect wrong cert"
+        ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+            somehost true >/dev/null 2>&1
+        if [ $? -eq 0 ]; then
+                fail "ssh cert connect $ident succeeded unexpectedly"
+        fi
+done
+rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
author	Colin Watson <cjwatson@debian.org>	2010-03-31 10:46:28 +0100
committer	Colin Watson <cjwatson@debian.org>	2010-03-31 10:46:28 +0100
commit	efd3d4522636ae029488c2e9730b60c88e257d2e (patch)
tree	31e02ac3f16090ce8c53448677356b2b7f423683 /regress/cert-userkey.sh
parent	bbec4db36d464ea1d464a707625125f9fd5c7b5e (diff)
parent	d1a87e462e1db89f19cd960588d0c6b287cb5ccc (diff)

diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh new file mode 100644 index 000000000..7a58e7b75 --- /dev/null +++ b/regress/cert-userkey.sh
@@ -0,0 +1,176 @@
	1	# $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
	2	# Placed in the Public Domain.
	3
	4	tid="certified user keys"
	5
	6	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
	7	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
	8
	9	# Create a CA key
	10	${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key \|\|\
	11	fail "ssh-keygen of user_ca_key failed"
	12
	13	# Generate and sign user keys
	14	for ktype in rsa dsa ; do
	15	verbose "$tid: sign user ${ktype} cert"
	16	${SSHKEYGEN} -q -N '' -t ${ktype} \
	17	-f $OBJ/cert_user_key_${ktype} \|\| \
	18	fail "ssh-keygen of cert_user_key_${ktype} failed"
	19	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
	20	"regress user key for $USER" \
	21	-n $USER $OBJ/cert_user_key_${ktype} \|\|
	22	fail "couldn't sign cert_user_key_${ktype}"
	23	done
	24
	25	basic_tests() {
	26	auth=$1
	27	if test "x$auth" = "xauthorized_keys" ; then
	28	# Add CA to authorized_keys
	29	(
	30	echon 'cert-authority '
	31	cat $OBJ/user_ca_key.pub
	32	) > $OBJ/authorized_keys_$USER
	33	else
	34	echo > $OBJ/authorized_keys_$USER
	35	extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
	36	fi
	37
	38	for ktype in rsa dsa ; do
	39	for privsep in yes no ; do
	40	_prefix="${ktype} privsep $privsep $auth"
	41	# Simple connect
	42	verbose "$tid: ${_prefix} connect"
	43	(
	44	cat $OBJ/sshd_proxy_bak
	45	echo "UsePrivilegeSeparation $privsep"
	46	echo "$extra_sshd"
	47	) > $OBJ/sshd_proxy
	48
	49	${SSH} -2i $OBJ/cert_user_key_${ktype} \
	50	-F $OBJ/ssh_proxy somehost true
	51	if [ $? -ne 0 ]; then
	52	fail "ssh cert connect failed"
	53	fi
	54
	55	# Revoked keys
	56	verbose "$tid: ${_prefix} revoked key"
	57	(
	58	cat $OBJ/sshd_proxy_bak
	59	echo "UsePrivilegeSeparation $privsep"
	60	echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
	61	echo "$extra_sshd"
	62	) > $OBJ/sshd_proxy
	63	${SSH} -2i $OBJ/cert_user_key_${ktype} \
	64	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	65	if [ $? -eq 0 ]; then
	66	fail "ssh cert connect succeeded unexpecedly"
	67	fi
	68	done
	69
	70	# Revoked CA
	71	verbose "$tid: ${ktype} $auth revoked CA key"
	72	(
	73	cat $OBJ/sshd_proxy_bak
	74	echo "RevokedKeys $OBJ/user_ca_key.pub"
	75	echo "$extra_sshd"
	76	) > $OBJ/sshd_proxy
	77	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
	78	somehost true >/dev/null 2>&1
	79	if [ $? -eq 0 ]; then
	80	fail "ssh cert connect succeeded unexpecedly"
	81	fi
	82	done
	83
	84	verbose "$tid: $auth CA does not authenticate"
	85	(
	86	cat $OBJ/sshd_proxy_bak
	87	echo "$extra_sshd"
	88	) > $OBJ/sshd_proxy
	89	verbose "$tid: ensure CA key does not authenticate user"
	90	${SSH} -2i $OBJ/user_ca_key \
	91	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	92	if [ $? -eq 0 ]; then
	93	fail "ssh cert connect with CA key succeeded unexpectedly"
	94	fi
	95	}
	96
	97	basic_tests authorized_keys
	98	basic_tests TrustedUserCAKeys
	99
	100	test_one() {
	101	ident=$1
	102	result=$2
	103	sign_opts=$3
	104	auth_choice=$4
	105
	106	if test "x$auth_choice" = "x" ; then
	107	auth_choice="authorized_keys TrustedUserCAKeys"
	108	fi
	109
	110	for auth in $auth_choice ; do
	111	cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
	112	if test "x$auth" = "xauthorized_keys" ; then
	113	# Add CA to authorized_keys
	114	(
	115	echon 'cert-authority '
	116	cat $OBJ/user_ca_key.pub
	117	) > $OBJ/authorized_keys_$USER
	118	else
	119	echo > $OBJ/authorized_keys_$USER
	120	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \
	121	$OBJ/sshd_proxy
	122
	123	fi
	124
	125	verbose "$tid: $ident auth $auth expect $result"
	126	${SSHKEYGEN} -q -s $OBJ/user_ca_key \
	127	-I "regress user key for $USER" \
	128	$sign_opts \
	129	$OBJ/cert_user_key_rsa \|\|
	130	fail "couldn't sign cert_user_key_rsa"
	131
	132	${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
	133	somehost true >/dev/null 2>&1
	134	rc=$?
	135	if [ "x$result" = "xsuccess" ] ; then
	136	if [ $rc -ne 0 ]; then
	137	fail "$ident failed unexpectedly"
	138	fi
	139	else
	140	if [ $rc -eq 0 ]; then
	141	fail "$ident succeeded unexpectedly"
	142	fi
	143	fi
	144	done
	145	}
	146
	147	test_one "correct principal" success "-n ${USER}"
	148	test_one "host-certificate" failure "-n ${USER} -h"
	149	test_one "wrong principals" failure "-n foo"
	150	test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
	151	test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
	152	test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
	153	test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
	154	test_one "force-command" failure "-n ${USER} -Oforce-command=false"
	155
	156	# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
	157	test_one "empty principals" success "" authorized_keys
	158	test_one "empty principals" failure "" TrustedUserCAKeys
	159
	160	# Wrong certificate
	161	for ktype in rsa dsa ; do
	162	# Self-sign
	163	${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
	164	"regress user key for $USER" \
	165	-n $USER $OBJ/cert_user_key_${ktype} \|\|
	166	fail "couldn't sign cert_user_key_${ktype}"
	167	verbose "$tid: user ${ktype} connect wrong cert"
	168	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
	169	somehost true >/dev/null 2>&1
	170	if [ $? -eq 0 ]; then
	171	fail "ssh cert connect $ident succeeded unexpectedly"
	172	fi
	173	done
	174
	175	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
	176