Import openssh_7.0p1.orig.tar.gz

author: Colin Watson <cjwatson@debian.org> 2015-08-22 10:05:45 +0100
committer: Colin Watson <cjwatson@debian.org> 2015-08-22 10:05:45 +0100
commit: 58ddb8ad21f21f5358db0204c4ba9abf94a1ca11 (patch)
tree: c55df1f23e6fa0fb87a96d8ec4c06a68c3a82b45 /regress/cert-userkey.sh
parent: 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 (diff)
parent: 1dc8d93ce69d6565747eb44446ed117187621b26 (diff)
1 files changed, 34 insertions, 30 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index b093a9196..c38c00a02 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,18 +1,17 @@
-#       $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $
+#       $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $
 #       Placed in the Public Domain.
 tid="certified user keys"
 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
-type_has_legacy() {
+kname() {
-        case $1 in
+        n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'`
-                ed25519*|ecdsa*) return 1 ;;
+        echo "$n*,ssh-rsa*,ssh-ed25519*"
-        esac
-        return 0
 }
 # Create a CA key
@@ -28,18 +27,11 @@ for ktype in $PLAIN_TYPES ; do
        ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
            -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
                fail "couldn't sign cert_user_key_${ktype}"
-        type_has_legacy $ktype || continue
-        cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
-        cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
-        verbose "$tid: sign host ${ktype}_v00 cert"
-        ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
-            "regress user key for $USER" \
-            -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
-                fatal "couldn't sign cert_user_key_${ktype}_v00"
 done
 # Test explicitly-specified principals
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
+for ktype in $PLAIN_TYPES ; do 
+        t=$(kname $ktype)
        for privsep in yes no ; do
                _prefix="${ktype} privsep $privsep"
@@ -51,7 +43,12 @@ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
                        echo "AuthorizedPrincipalsFile " \
                            "$OBJ/authorized_principals_%u"
                        echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+                        echo "PubkeyAcceptedKeyTypes ${t}"
                ) > $OBJ/sshd_proxy
+                (
+                        cat $OBJ/ssh_proxy_bak
+                        echo "PubkeyAcceptedKeyTypes ${t}"
+                ) > $OBJ/ssh_proxy
                # Missing authorized_principals
                verbose "$tid: ${_prefix} missing authorized_principals"
@@ -124,7 +121,12 @@ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
                (
                        cat $OBJ/sshd_proxy_bak
                        echo "UsePrivilegeSeparation $privsep"
+                        echo "PubkeyAcceptedKeyTypes ${t}"
                ) > $OBJ/sshd_proxy
+                (
+                        cat $OBJ/ssh_proxy_bak
+                        echo "PubkeyAcceptedKeyTypes ${t}"
+                ) > $OBJ/ssh_proxy
                # Wrong principals list
                verbose "$tid: ${_prefix} wrong principals key option"
@@ -165,7 +167,8 @@ basic_tests() {
                extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
        fi
        
-        for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
+        for ktype in $PLAIN_TYPES ; do 
+                t=$(kname $ktype)
                for privsep in yes no ; do
                        _prefix="${ktype} privsep $privsep $auth"
                        # Simple connect
@@ -173,8 +176,13 @@ basic_tests() {
                        (
                                cat $OBJ/sshd_proxy_bak
                                echo "UsePrivilegeSeparation $privsep"
+                                echo "PubkeyAcceptedKeyTypes ${t}"
                                echo "$extra_sshd"
                        ) > $OBJ/sshd_proxy
+                        (
+                                cat $OBJ/ssh_proxy_bak
+                                echo "PubkeyAcceptedKeyTypes ${t}"
+                        ) > $OBJ/ssh_proxy
        
                        ${SSH} -2i $OBJ/cert_user_key_${ktype} \
                            -F $OBJ/ssh_proxy somehost true
@@ -188,6 +196,7 @@ basic_tests() {
                                cat $OBJ/sshd_proxy_bak
                                echo "UsePrivilegeSeparation $privsep"
                                echo "RevokedKeys $OBJ/cert_user_key_revoked"
+                                echo "PubkeyAcceptedKeyTypes ${t}"
                                echo "$extra_sshd"
                        ) > $OBJ/sshd_proxy
                        cp $OBJ/cert_user_key_${ktype}.pub \
@@ -220,6 +229,7 @@ basic_tests() {
                (
                        cat $OBJ/sshd_proxy_bak
                        echo "RevokedKeys $OBJ/user_ca_key.pub"
+                        echo "PubkeyAcceptedKeyTypes ${t}"
                        echo "$extra_sshd"
                ) > $OBJ/sshd_proxy
                ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
@@ -232,6 +242,7 @@ basic_tests() {
        verbose "$tid: $auth CA does not authenticate"
        (
                cat $OBJ/sshd_proxy_bak
+                echo "PubkeyAcceptedKeyTypes ${t}"
                echo "$extra_sshd"
        ) > $OBJ/sshd_proxy
        verbose "$tid: ensure CA key does not authenticate user"
@@ -257,12 +268,7 @@ test_one() {
        fi
        for auth in $auth_choice ; do
-                for ktype in rsa rsa_v00 ; do
+                for ktype in rsa ed25519 ; do
-                        case $ktype in
-                        *_v00) keyv="-t v00" ;;
-                        *) keyv="" ;;
-                        esac
                        cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
                        if test "x$auth" = "xauthorized_keys" ; then
                                # Add CA to authorized_keys
@@ -274,6 +280,8 @@ test_one() {
                                echo > $OBJ/authorized_keys_$USER
                                echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
                                    >> $OBJ/sshd_proxy
+                                echo "PubkeyAcceptedKeyTypes ${t}*" \
+                                    >> $OBJ/sshd_proxy
                                if test "x$auth_opt" != "x" ; then
                                        echo $auth_opt >> $OBJ/sshd_proxy
                                fi
@@ -282,8 +290,7 @@ test_one() {
                        verbose "$tid: $ident auth $auth expect $result $ktype"
                        ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
                            -I "regress user key for $USER" \
-                            $sign_opts $keyv \
+                            $sign_opts $OBJ/cert_user_key_${ktype} ||
-                            $OBJ/cert_user_key_${ktype} ||
                                fail "couldn't sign cert_user_key_${ktype}"
                        ${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -335,13 +342,10 @@ test_one "principals key option no principals" failure "" \
 # Wrong certificate
 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
+for ktype in $PLAIN_TYPES ; do 
-        case $ktype in
+        t=$(kname $ktype)
-        *_v00) args="-t v00" ;;
-        *) args="" ;;
-        esac
        # Self-sign
-        ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
+        ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
            "regress user key for $USER" \
            -n $USER $OBJ/cert_user_key_${ktype} ||
                fail "couldn't sign cert_user_key_${ktype}"
author	Colin Watson <cjwatson@debian.org>	2015-08-22 10:05:45 +0100
committer	Colin Watson <cjwatson@debian.org>	2015-08-22 10:05:45 +0100
commit	58ddb8ad21f21f5358db0204c4ba9abf94a1ca11 (patch)
tree	c55df1f23e6fa0fb87a96d8ec4c06a68c3a82b45 /regress/cert-userkey.sh
parent	544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 (diff)
parent	1dc8d93ce69d6565747eb44446ed117187621b26 (diff)