diff options
| author | dtucker@openbsd.org <dtucker@openbsd.org> | 2019-07-26 04:22:21 +0000 |
|---|---|---|
| committer | Darren Tucker <dtucker@dtucker.net> | 2019-07-26 14:51:25 +1000 |
| commit | d31e7c937ba0b97534f373cf5dea34675bcec602 (patch) | |
| tree | cc0d31a08bebcc92657d8abe7a949f3ca8d86eb8 /regress/limit-keytype.sh | |
| parent | 0967a233b8a28907ae8a4a6773c89f21d2ace11b (diff) | |
upstream: Restrict limit-keytype to types supported by build. This
means we have to skip a couple tests when only one key type is supported.
OpenBSD-Regress-ID: 22d05befb9c7ce21ce8dc22acf1ffe9e2ef2e95e
Diffstat (limited to 'regress/limit-keytype.sh')
| -rw-r--r-- | regress/limit-keytype.sh | 56 |
1 files changed, 40 insertions, 16 deletions
diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh index 04f11977e..5c30af006 100644 --- a/regress/limit-keytype.sh +++ b/regress/limit-keytype.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: limit-keytype.sh,v 1.5 2018/03/12 00:52:57 djm Exp $ | 1 | # $OpenBSD: limit-keytype.sh,v 1.6 2019/07/26 04:22:21 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="restrict pubkey type" | 4 | tid="restrict pubkey type" |
| @@ -9,18 +9,27 @@ rm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key* | |||
| 9 | mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig | 9 | mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig |
| 10 | mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig | 10 | mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig |
| 11 | 11 | ||
| 12 | ktype1=ed25519; ktype2=$ktype1; ktype3=$ktype1; ktype4=$ktype1 | ||
| 13 | for t in `${SSH} -Q key-plain`; do | ||
| 14 | case "$t" in | ||
| 15 | ssh-rsa) ktype2=rsa ;; | ||
| 16 | ecdsa*) ktype3=ecdsa ;; # unused | ||
| 17 | ssh-dss) ktype4=dsa ;; | ||
| 18 | esac | ||
| 19 | done | ||
| 20 | |||
| 12 | # Create a CA key | 21 | # Create a CA key |
| 13 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key ||\ | 22 | ${SSHKEYGEN} -q -N '' -t $ktype1 -f $OBJ/user_ca_key ||\ |
| 14 | fatal "ssh-keygen failed" | 23 | fatal "ssh-keygen failed" |
| 15 | 24 | ||
| 16 | # Make some keys and a certificate. | 25 | # Make some keys and a certificate. |
| 17 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \ | 26 | ${SSHKEYGEN} -q -N '' -t $ktype1 -f $OBJ/user_key1 || \ |
| 18 | fatal "ssh-keygen failed" | 27 | fatal "ssh-keygen failed" |
| 19 | ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key2 || \ | 28 | ${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/user_key2 || \ |
| 20 | fatal "ssh-keygen failed" | 29 | fatal "ssh-keygen failed" |
| 21 | ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key3 || \ | 30 | ${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/user_key3 || \ |
| 22 | fatal "ssh-keygen failed" | 31 | fatal "ssh-keygen failed" |
| 23 | ${SSHKEYGEN} -q -N '' -t dsa -f $OBJ/user_key4 || \ | 32 | ${SSHKEYGEN} -q -N '' -t $ktype4 -f $OBJ/user_key4 || \ |
| 24 | fatal "ssh-keygen failed" | 33 | fatal "ssh-keygen failed" |
| 25 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ | 34 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ |
| 26 | -z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 || | 35 | -z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 || |
| @@ -51,6 +60,17 @@ prepare_config() { | |||
| 51 | ) > $OBJ/sshd_proxy | 60 | ) > $OBJ/sshd_proxy |
| 52 | } | 61 | } |
| 53 | 62 | ||
| 63 | # Return the required parameter for PubkeyAcceptedKeyTypes corresponding to | ||
| 64 | # the supplied key type. | ||
| 65 | keytype() { | ||
| 66 | case "$1" in | ||
| 67 | ecdsa) printf "ecdsa-sha2-*" ;; | ||
| 68 | ed25519) printf "ssh-ed25519" ;; | ||
| 69 | dsa) printf "ssh-dss" ;; | ||
| 70 | rsa) printf "rsa-sha2-256,rsa-sha2-512,ssh-rsa" ;; | ||
| 71 | esac | ||
| 72 | } | ||
| 73 | |||
| 54 | prepare_config | 74 | prepare_config |
| 55 | 75 | ||
| 56 | # Check we can log in with all key types. | 76 | # Check we can log in with all key types. |
| @@ -59,19 +79,21 @@ ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" | |||
| 59 | ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" | 79 | ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" |
| 60 | 80 | ||
| 61 | # Allow plain Ed25519 and RSA. The certificate should fail. | 81 | # Allow plain Ed25519 and RSA. The certificate should fail. |
| 62 | verbose "allow rsa,ed25519" | 82 | verbose "allow $ktype2,$ktype1" |
| 63 | prepare_config \ | 83 | prepare_config \ |
| 64 | "PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-ed25519" | 84 | "PubkeyAcceptedKeyTypes `keytype $ktype2`,`keytype $ktype1`" |
| 65 | ${SSH} $certopts proxy true && fatal "cert succeeded" | 85 | ${SSH} $certopts proxy true && fatal "cert succeeded" |
| 66 | ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" | 86 | ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" |
| 67 | ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" | 87 | ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" |
| 68 | 88 | ||
| 69 | # Allow Ed25519 only. | 89 | # Allow Ed25519 only. |
| 70 | verbose "allow ed25519" | 90 | verbose "allow $ktype1" |
| 71 | prepare_config "PubkeyAcceptedKeyTypes ssh-ed25519" | 91 | prepare_config "PubkeyAcceptedKeyTypes `keytype $ktype1`" |
| 72 | ${SSH} $certopts proxy true && fatal "cert succeeded" | 92 | ${SSH} $certopts proxy true && fatal "cert succeeded" |
| 73 | ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" | 93 | ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" |
| 74 | ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded" | 94 | if [ "$ktype1" != "$ktype2" ]; then |
| 95 | ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded" | ||
| 96 | fi | ||
| 75 | 97 | ||
| 76 | # Allow all certs. Plain keys should fail. | 98 | # Allow all certs. Plain keys should fail. |
| 77 | verbose "allow cert only" | 99 | verbose "allow cert only" |
| @@ -82,16 +104,18 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded" | |||
| 82 | 104 | ||
| 83 | # Allow RSA in main config, Ed25519 for non-existent user. | 105 | # Allow RSA in main config, Ed25519 for non-existent user. |
| 84 | verbose "match w/ no match" | 106 | verbose "match w/ no match" |
| 85 | prepare_config "PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa" \ | 107 | prepare_config "PubkeyAcceptedKeyTypes `keytype $ktype2`" \ |
| 86 | "Match user x$USER" "PubkeyAcceptedKeyTypes +ssh-ed25519" | 108 | "Match user x$USER" "PubkeyAcceptedKeyTypes +`keytype $ktype1`" |
| 87 | ${SSH} $certopts proxy true && fatal "cert succeeded" | 109 | ${SSH} $certopts proxy true && fatal "cert succeeded" |
| 88 | ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded" | 110 | if [ "$ktype1" != "$ktype2" ]; then |
| 111 | ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded" | ||
| 112 | fi | ||
| 89 | ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" | 113 | ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" |
| 90 | 114 | ||
| 91 | # Allow only DSA in main config, Ed25519 for user. | 115 | # Allow only DSA in main config, Ed25519 for user. |
| 92 | verbose "match w/ matching" | 116 | verbose "match w/ matching" |
| 93 | prepare_config "PubkeyAcceptedKeyTypes ssh-dss" \ | 117 | prepare_config "PubkeyAcceptedKeyTypes `keytype $ktype4`" \ |
| 94 | "Match user $USER" "PubkeyAcceptedKeyTypes +ssh-ed25519" | 118 | "Match user $USER" "PubkeyAcceptedKeyTypes +`keytype $ktype1`" |
| 95 | ${SSH} $certopts proxy true || fatal "cert failed" | 119 | ${SSH} $certopts proxy true || fatal "cert failed" |
| 96 | ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" | 120 | ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" |
| 97 | ${SSH} $opts -i $OBJ/user_key4 proxy true && fatal "key4 succeeded" | 121 | ${SSH} $opts -i $OBJ/user_key4 proxy true && fatal "key4 succeeded" |