summaryrefslogtreecommitdiff
path: root/regress
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2018-03-12 00:52:57 +0000
committerDamien Miller <djm@mindrot.org>2018-03-14 18:55:47 +1100
commit3a43297ce29d37c64e37c7e21282cb219e28d3d1 (patch)
tree0e4876890dbc800a303e7a0d57a4f2c52fe57966 /regress
parent037fdc1dc2d68e1d43f9c9e2586c02cabc8f7cc8 (diff)
upstream: exlicitly include RSA/SHA-2 keytypes in
PubkeyAcceptedKeyTypes here OpenBSD-Regress-ID: 954d19e0032a74e31697fb1dc7e7d3d1b2d65fe9
Diffstat (limited to 'regress')
-rw-r--r--regress/limit-keytype.sh9
1 files changed, 5 insertions, 4 deletions
diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh
index c0cf2fed6..04f11977e 100644
--- a/regress/limit-keytype.sh
+++ b/regress/limit-keytype.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: limit-keytype.sh,v 1.4 2015/10/29 08:05:17 djm Exp $ 1# $OpenBSD: limit-keytype.sh,v 1.5 2018/03/12 00:52:57 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="restrict pubkey type" 4tid="restrict pubkey type"
@@ -60,7 +60,8 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
60 60
61# Allow plain Ed25519 and RSA. The certificate should fail. 61# Allow plain Ed25519 and RSA. The certificate should fail.
62verbose "allow rsa,ed25519" 62verbose "allow rsa,ed25519"
63prepare_config "PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519" 63prepare_config \
64 "PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-ed25519"
64${SSH} $certopts proxy true && fatal "cert succeeded" 65${SSH} $certopts proxy true && fatal "cert succeeded"
65${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" 66${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
66${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" 67${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
@@ -74,14 +75,14 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
74 75
75# Allow all certs. Plain keys should fail. 76# Allow all certs. Plain keys should fail.
76verbose "allow cert only" 77verbose "allow cert only"
77prepare_config "PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com" 78prepare_config "PubkeyAcceptedKeyTypes *-cert-v01@openssh.com"
78${SSH} $certopts proxy true || fatal "cert failed" 79${SSH} $certopts proxy true || fatal "cert failed"
79${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded" 80${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
80${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded" 81${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
81 82
82# Allow RSA in main config, Ed25519 for non-existent user. 83# Allow RSA in main config, Ed25519 for non-existent user.
83verbose "match w/ no match" 84verbose "match w/ no match"
84prepare_config "PubkeyAcceptedKeyTypes ssh-rsa" \ 85prepare_config "PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa" \
85 "Match user x$USER" "PubkeyAcceptedKeyTypes +ssh-ed25519" 86 "Match user x$USER" "PubkeyAcceptedKeyTypes +ssh-ed25519"
86${SSH} $certopts proxy true && fatal "cert succeeded" 87${SSH} $certopts proxy true && fatal "cert succeeded"
87${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded" 88${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"