author | djm@openbsd.org <djm@openbsd.org> | 2018-03-12 00:52:57 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-03-14 18:55:47 +1100 |
commit | 3a43297ce29d37c64e37c7e21282cb219e28d3d1 (patch) | |
tree | 0e4876890dbc800a303e7a0d57a4f2c52fe57966 /regress | |
parent | 037fdc1dc2d68e1d43f9c9e2586c02cabc8f7cc8 (diff) |
upstream: explicitly include RSA/SHA-2 keytypes in
PubkeyAcceptedKeyTypes here
OpenBSD-Regress-ID: 954d19e0032a74e31697fb1dc7e7d3d1b2d65fe9
Diffstat (limited to 'regress')
-rw-r--r-- | regress/limit-keytype.sh | 9 |
1 files changed, 5 insertions, 4 deletions
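diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh
index c0cf2fed6..04f11977e 100644
--- a/regress/limit-keytype.sh
+++ b/regress/limit-keytype.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: limit-keytype.sh,v 1.4 2015/10/29 08:05:17 djm Exp $
+# $OpenBSD: limit-keytype.sh,v 1.5 2018/03/12 00:52:57 djm Exp $
 # Placed in the Public Domain.
 
 tid="restrict pubkey type"
@@ -60,7 +60,8 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
 
 # Allow plain Ed25519 and RSA. The certificate should fail.
 verbose "allow rsa,ed25519"
-prepare_config "PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519"
+prepare_config \
+"PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-ed25519"
 ${SSH} $certopts proxy true && fatal "cert succeeded"
 ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
 ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
@@ -74,14 +75,14 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
 
 # Allow all certs. Plain keys should fail.
 verbose "allow cert only"
-prepare_config "PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com"
+prepare_config "PubkeyAcceptedKeyTypes *-cert-v01@openssh.com"
 ${SSH} $certopts proxy true || fatal "cert failed"
 ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
 ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
 
 # Allow RSA in main config, Ed25519 for non-existent user.
 verbose "match w/ no match"
-prepare_config "PubkeyAcceptedKeyTypes ssh-rsa" \
+prepare_config "PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa" \
 "Match user x$USER" "PubkeyAcceptedKeyTypes +ssh-ed25519"
 ${SSH} $certopts proxy true && fatal "cert succeeded"
 ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"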
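Review bot: Every RSA allow-list in this hunk now names the SHA-1 `ssh-rsa` algorithm alongside `rsa-sha2-256,rsa-sha2-512`, so the script still has no case showing that a server limited to the SHA-2 names refuses an RSA signature made with SHA-1, which is the property an operator tightening PubkeyAcceptedKeyTypes wants to rely on. A case after the "allow rsa,ed25519" block such as `prepare_config "PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-ed25519"` followed by `${SSH} $opts -oPubkeyAcceptedKeyTypes=ssh-rsa -i $OBJ/user_key1 proxy true && fatal "sha1 rsa succeeded"` would pin that, on the assumption that user_key1 is the RSA key and the client-side option can be forced that way with `$opts` — neither is visible in the hunk. Note also that the widened `*-cert-v01@openssh.com` glob in the "allow cert only" case accepts any certificate type, not only RSA/SHA-2 ones, which is presumably intended but worth a one-line comment such as `# glob must also match rsa-sha2-*-cert-v01@openssh.com`. `$opts`, `$certopts` and `prepare_config` are defined outside this hunk.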