diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2018-03-12 00:52:57 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2018-03-14 18:55:47 +1100 |
| commit | 3a43297ce29d37c64e37c7e21282cb219e28d3d1 (patch) | |
| tree | 0e4876890dbc800a303e7a0d57a4f2c52fe57966 /regress/limit-keytype.sh | |
| parent | 037fdc1dc2d68e1d43f9c9e2586c02cabc8f7cc8 (diff) | |
upstream: exlicitly include RSA/SHA-2 keytypes in
PubkeyAcceptedKeyTypes here
OpenBSD-Regress-ID: 954d19e0032a74e31697fb1dc7e7d3d1b2d65fe9
Diffstat (limited to 'regress/limit-keytype.sh')
| -rw-r--r-- | regress/limit-keytype.sh | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh index c0cf2fed6..04f11977e 100644 --- a/regress/limit-keytype.sh +++ b/regress/limit-keytype.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: limit-keytype.sh,v 1.4 2015/10/29 08:05:17 djm Exp $ | 1 | # $OpenBSD: limit-keytype.sh,v 1.5 2018/03/12 00:52:57 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="restrict pubkey type" | 4 | tid="restrict pubkey type" |
| @@ -60,7 +60,8 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" | |||
| 60 | 60 | ||
| 61 | # Allow plain Ed25519 and RSA. The certificate should fail. | 61 | # Allow plain Ed25519 and RSA. The certificate should fail. |
| 62 | verbose "allow rsa,ed25519" | 62 | verbose "allow rsa,ed25519" |
| 63 | prepare_config "PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519" | 63 | prepare_config \ |
| 64 | "PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-ed25519" | ||
| 64 | ${SSH} $certopts proxy true && fatal "cert succeeded" | 65 | ${SSH} $certopts proxy true && fatal "cert succeeded" |
| 65 | ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" | 66 | ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" |
| 66 | ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" | 67 | ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" |
| @@ -74,14 +75,14 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded" | |||
| 74 | 75 | ||
| 75 | # Allow all certs. Plain keys should fail. | 76 | # Allow all certs. Plain keys should fail. |
| 76 | verbose "allow cert only" | 77 | verbose "allow cert only" |
| 77 | prepare_config "PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com" | 78 | prepare_config "PubkeyAcceptedKeyTypes *-cert-v01@openssh.com" |
| 78 | ${SSH} $certopts proxy true || fatal "cert failed" | 79 | ${SSH} $certopts proxy true || fatal "cert failed" |
| 79 | ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded" | 80 | ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded" |
| 80 | ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded" | 81 | ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded" |
| 81 | 82 | ||
| 82 | # Allow RSA in main config, Ed25519 for non-existent user. | 83 | # Allow RSA in main config, Ed25519 for non-existent user. |
| 83 | verbose "match w/ no match" | 84 | verbose "match w/ no match" |
| 84 | prepare_config "PubkeyAcceptedKeyTypes ssh-rsa" \ | 85 | prepare_config "PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa" \ |
| 85 | "Match user x$USER" "PubkeyAcceptedKeyTypes +ssh-ed25519" | 86 | "Match user x$USER" "PubkeyAcceptedKeyTypes +ssh-ed25519" |
| 86 | ${SSH} $certopts proxy true && fatal "cert succeeded" | 87 | ${SSH} $certopts proxy true && fatal "cert succeeded" |
| 87 | ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded" | 88 | ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded" |