authorColin Watson <cjwatson@debian.org>2011-09-06 14:56:29 +0100
committerColin Watson <cjwatson@debian.org>2011-09-06 14:56:29 +0100
commit978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch)
tree89400a44e42d84937deba7864e4964d6c7734da5 /regress
parent87c685b8c6a49814fd782288097b3093f975aa72 (diff)
parent3a7e89697ca363de0f64e0d5704c57219294e41c (diff)
* New upstream release (http://www.openssh.org/txt/release-5.9).
- Introduce sandboxing of the pre-auth privsep child using an optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory restrictions on the syscalls the privsep child can perform. - Add new SHA256-based HMAC transport integrity modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt. - The pre-authentication sshd(8) privilege separation slave process now logs via a socket shared with the master process, avoiding the need to maintain /dev/log inside the chroot (closes: #75043, #429243, #599240). - ssh(1) now warns when a server refuses X11 forwarding (closes: #504757). - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, separated by whitespace (closes: #76312). The authorized_keys2 fallback is deprecated but documented (closes: #560156). - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4 ToS/DSCP (closes: #498297). - ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add - < /path/to/key" (closes: #229124). - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691). - Say "required" rather than "recommended" in unprotected-private-key warning (LP: #663455).
Diffstat (limited to 'regress')
-rw-r--r--regress/README.regress6
-rw-r--r--regress/cert-hostkey.sh2
-rw-r--r--regress/cert-userkey.sh4
-rw-r--r--regress/cfgmatch.sh66
-rw-r--r--regress/cipher-speed.sh10
-rw-r--r--regress/connect-privsep.sh14
-rw-r--r--regress/dynamic-forward.sh23
-rw-r--r--regress/test-exec.sh5
-rw-r--r--regress/try-ciphers.sh4
9 files changed, 83 insertions, 51 deletions
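diff --git a/regress/README.regress b/regress/README.regress
index da9bb6a99..82e4cc751 100644
--- a/regress/README.regress
+++ b/regress/README.regress
@@ -93,10 +93,6 @@ Failed tests can be difficult to diagnose. Suggestions:
 
 Known Issues.
 
-- If your build requires ssh-rand-helper regress tests will fail
- unless ssh-rand-helper is in pre-installed (the path to
- ssh-rand-helper is hard coded).
-
 - Similarly, if you do not have "scp" in your system's $PATH then the
  multiplex scp tests will fail (since the system's shell startup scripts
  will determine where the shell started by sshd will look for scp).
@@ -105,4 +101,4 @@ Known Issues.
  test to fail. The old behaviour can be restored by setting (and
  exporting) _POSIX2_VERSION=199209 before running the tests.
 
-$Id: README.regress,v 1.11 2010/08/16 21:04:29 djm Exp $
+$Id: README.regress,v 1.12 2011/05/05 03:48:42 djm Exp $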
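diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 3b147b9f7..6216abd87 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-hostkey.sh,v 1.5 2010/08/31 12:24:09 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.6 2011/05/20 02:43:36 djm Exp $
 # Placed in the Public Domain.
 
 tid="certified host keys"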
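diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index fcca3708b..6700db274 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-userkey.sh,v 1.7 2010/08/31 12:24:09 djm Exp $
+# $OpenBSD: cert-userkey.sh,v 1.8 2011/05/17 07:13:31 djm Exp $
 # Placed in the Public Domain.
 
 tid="certified user keys"
@@ -27,7 +27,7 @@ for ktype in rsa dsa $ecdsa ; do
  -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
  fail "couldn't sign cert_user_key_${ktype}"
  # v00 ecdsa certs do not exist
- test "{ktype}" = "ecdsa" && continue
+ test "${ktype}" = "ecdsa" && continue
  cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
  cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
  ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \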
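diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
index 96badd51b..0603fab64 100644
--- a/regress/cfgmatch.sh
+++ b/regress/cfgmatch.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cfgmatch.sh,v 1.4 2006/12/13 08:36:36 dtucker Exp $
+# $OpenBSD: cfgmatch.sh,v 1.6 2011/06/03 05:35:10 dtucker Exp $
 # Placed in the Public Domain.
 
 tid="sshd_config match"
@@ -7,6 +7,28 @@ pidfile=$OBJ/remote_pid
 fwdport=3301
 fwd="-L $fwdport:127.0.0.1:$PORT"
 
+echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config
+echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
+
+start_client()
+{
+ rm -f $pidfile
+ ${SSH} -q -$p $fwd "$@" somehost \
+ exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
+ >>$TEST_SSH_LOGFILE 2>&1 &
+ client_pid=$!
+ # Wait for remote end
+ n=0
+ while test ! -f $pidfile ; do
+ sleep 1
+ n=`expr $n + 1`
+ if test $n -gt 60; then
+ kill $client_pid
+ fatal "timeout waiting for background ssh"
+ fi
+ done
+}
+
 stop_client()
 {
  pid=`cat $pidfile`
@@ -14,11 +36,15 @@ stop_client()
  kill $pid
  sleep 1
  fi
+ wait
 }
 
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
-
+grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
+echo "Match user $USER" >>$OBJ/sshd_proxy
+echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
 echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
 echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
 
@@ -32,12 +58,8 @@ start_sshd
 
 # Test Match + PermitOpen in sshd_config. This should be permitted
 for p in 1 2; do
- rm -f $pidfile
  trace "match permitopen localhost proto $p"
- ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
- exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\
- fail "match permitopen proto $p sshd failed"
- sleep 1;
+ start_client -F $OBJ/ssh_config
  ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
  fail "match permitopen permit proto $p"
  stop_client
@@ -45,12 +67,8 @@ done
 
 # Same but from different source. This should not be permitted
 for p in 1 2; do
- rm -f $pidfile
  trace "match permitopen proxy proto $p"
- ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
- exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\
- fail "match permitopen proxy proto $p sshd failed"
- sleep 1;
+ start_client -F $OBJ/ssh_proxy
  ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
  fail "match permitopen deny proto $p"
  stop_client
@@ -62,12 +80,8 @@ cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
 echon 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
 cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
 for p in 1 2; do
- rm -f $pidfile
  trace "match permitopen proxy w/key opts proto $p"
- ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
- exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\
- fail "match permitopen w/key opt proto $p sshd failed"
- sleep 1;
+ start_client -F $OBJ/ssh_proxy
  ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
  fail "match permitopen deny w/key opt proto $p"
  stop_client
@@ -76,12 +90,8 @@ done
 # Test both sshd_config and key options permitting the same dst/port pair.
 # Should be permitted.
 for p in 1 2; do
- rm -f $pidfile
  trace "match permitopen localhost proto $p"
- ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
- exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\
- fail "match permitopen proto $p sshd failed"
- sleep 1;
+ start_client -F $OBJ/ssh_config
  ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
  fail "match permitopen permit proto $p"
  stop_client
@@ -94,12 +104,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
 
 # Test that a Match overrides a PermitOpen in the global section
 for p in 1 2; do
- rm -f $pidfile
  trace "match permitopen proxy w/key opts proto $p"
- ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
- exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\
- fail "match override permitopen proto $p sshd failed"
- sleep 1;
+ start_client -F $OBJ/ssh_proxy
  ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
  fail "match override permitopen proto $p"
  stop_client
@@ -113,12 +119,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
 # Test that a rule that doesn't match doesn't override, plus test a
 # PermitOpen entry that's not at the start of the list
 for p in 1 2; do
- rm -f $pidfile
  trace "nomatch permitopen proxy w/key opts proto $p"
- ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
- exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\
- fail "nomatch override permitopen proto $p sshd failed"
- sleep 1;
+ start_client -F $OBJ/ssh_proxy
  ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
  fail "nomatch override permitopen proto $p"
  stop_client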
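Review bot: The wait loop in the new `start_client` never checks whether the background ssh is still running. With `ExitOnForwardFailure=yes` now appended to both client configs, a failed forward makes ssh exit at once, yet the loop keeps polling for `$pidfile` for the full 60 seconds and then reports only a generic timeout. I would add a liveness check inside the loop, for example `kill -0 $client_pid 2>/dev/null || fatal "background ssh exited before writing pid file"`, so the failure is immediate and names its cause. `start_client` also reads the caller's loop variable `$p` implicitly; a comment above it such as `# Uses $p (protocol) from the calling loop; extra arguments are passed to ssh.` would make that dependency visible.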
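diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh
index 85de6d585..257afd179 100644
--- a/regress/cipher-speed.sh
+++ b/regress/cipher-speed.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cipher-speed.sh,v 1.3 2007/06/07 19:41:46 pvalchev Exp $
+# $OpenBSD: cipher-speed.sh,v 1.4 2011/08/02 01:23:41 djm Exp $
 # Placed in the Public Domain.
 
 tid="cipher speed"
@@ -12,9 +12,13 @@ tries="1 2"
 DATA=/bin/ls
 DATA=/bsd
 
-macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96"
 ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
- arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc aes128-ctr"
+ arcfour128 arcfour256 arcfour
+ aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
+ aes128-ctr aes192-ctr aes256-ctr"
+macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96"
+config_defined HAVE_EVP_SHA256 &&
+ macs="$macs hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96"
 
 for c in $ciphers; do for m in $macs; do
  trace "proto 2 cipher $c mac $m"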
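Review bot: The `ciphers` and `macs` lists, including the new `config_defined HAVE_EVP_SHA256` extension, are spelled out here and again in regress/try-ciphers.sh, and the lines removed in this section show the two copies had already drifted: this script was missing `rijndael-cbc@lysator.liu.se`, `aes192-ctr` and `aes256-ctr`. When one copy lags, some algorithms silently go unexercised by that test. I would define both lists once in the shared harness and have each script use them, or at minimum put a comment on each copy such as `# Keep in sync with try-ciphers.sh`.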
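diff --git a/regress/connect-privsep.sh b/regress/connect-privsep.sh
index d23cadba5..11fb9aef9 100644
--- a/regress/connect-privsep.sh
+++ b/regress/connect-privsep.sh
@@ -1,8 +1,9 @@
-# $OpenBSD: connect-privsep.sh,v 1.1 2002/03/21 21:45:07 markus Exp $
+# $OpenBSD: connect-privsep.sh,v 1.2 2011/06/30 22:44:43 markus Exp $
 # Placed in the Public Domain.
 
 tid="proxy connect with privsep"
 
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
 echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy
 
 for p in 1 2; do
@@ -11,3 +12,14 @@ for p in 1 2; do
  fail "ssh privsep+proxyconnect protocol $p failed"
  fi
 done
+
+cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
+echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+ ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
+ if [ $? -ne 0 ]; then
+ # XXX replace this with fail once sandbox has stabilised
+ warn "ssh privsep/sandbox+proxyconnect protocol $p failed"
+ fi
+done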
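Review bot: The new sandbox loop reports a broken pre-auth sandbox with `warn`, which in the test-exec.sh section of this commit only echoes a message, so the suite stays green if `UsePrivilegeSeparation sandbox` stops working. The XXX comment acknowledges this, but nothing ties it to a follow-up; I would extend it to `# XXX replace this with fail once sandbox has stabilised (tracking: <ISSUE-ID placeholder>)` so the switch is not forgotten. A passing run also shows only that login succeeds with the option set. Whether any syscall restriction was actually applied is not checked here, and that is worth stating in a comment above the loop.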
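diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh
index 4674a7baf..d1ab8059b 100644
--- a/regress/dynamic-forward.sh
+++ b/regress/dynamic-forward.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: dynamic-forward.sh,v 1.4 2004/06/22 22:55:56 dtucker Exp $
+# $OpenBSD: dynamic-forward.sh,v 1.9 2011/06/03 00:29:52 dtucker Exp $
 # Placed in the Public Domain.
 
 tid="dynamic forwarding"
@@ -20,9 +20,23 @@ trace "will use ProxyCommand $proxycmd"
 start_sshd
 
 for p in 1 2; do
+ n=0
+ error="1"
  trace "start dynamic forwarding, fork to background"
- ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q somehost \
- exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
+ while [ "$error" -ne 0 -a "$n" -lt 3 ]; do
+ n=`expr $n + 1`
+ ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \
+ -oExitOnForwardFailure=yes somehost exec sh -c \
+ \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
+ error=$?
+ if [ "$error" -ne 0 ]; then
+ trace "forward failed proto $p attempt $n err $error"
+ sleep $n
+ fi
+ done
+ if [ "$error" -ne 0 ]; then
+ fatal "failed to start dynamic forwarding proto $p"
+ fi
 
  for s in 4 5; do
  for h in 127.0.0.1 localhost; do
@@ -44,7 +58,4 @@ for p in 1 2; do
  else
  fail "no pid file: $OBJ/remote_pid"
  fi
-
- # Must allow time for connection tear-down
- sleep 2
 done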
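Review bot: The retry condition `[ "$error" -ne 0 -a "$n" -lt 3 ]` relies on the `-a` operator of `test`, which POSIX marks obsolescent and which can be parsed ambiguously; `while [ "$error" -ne 0 ] && [ "$n" -lt 3 ]; do` is the portable form. The `sleep $n` inside the loop also runs after the third failed attempt, so the `fatal` that follows is delayed by three seconds for no benefit. The enclosing `for p in 1 2` loop continues outside the hunks shown.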
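diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 5c56aefff..092cfed5b 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -204,6 +204,11 @@ verbose ()
  fi
 }
 
+warn ()
+{
+ echo "WARNING: $@" >>$TEST_SSH_LOGFILE
+ echo "WARNING: $@"
+}
 
 fail ()
 {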
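Review bot: The new `warn` embeds `$@` inside a longer quoted string (`"WARNING: $@"`), which expands to several words when the function is called with more than one argument; `echo "WARNING: $*"` states the intent without that ambiguity. The function also has no comment saying that, as far as its visible body shows, it only writes to the log file and stdout and does nothing to mark the test as failed. A line above it such as `# Log a non-fatal problem to the log file and stdout; does not fail the test.` would make that contract explicit for callers.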
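diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh
index ef776d2ee..0918d2245 100644
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: try-ciphers.sh,v 1.11 2007/06/07 19:41:46 pvalchev Exp $
+# $OpenBSD: try-ciphers.sh,v 1.12 2011/08/02 01:23:41 djm Exp $
 # Placed in the Public Domain.
 
 tid="try ciphers"
@@ -8,6 +8,8 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
  aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
  aes128-ctr aes192-ctr aes256-ctr"
 macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96"
+config_defined HAVE_EVP_SHA256 &&
+ macs="$macs hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96"
 
 for c in $ciphers; do
  for m in $macs; do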