diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2019-11-26 23:43:10 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-11-27 11:02:49 +1100 |
| commit | ad44ca81bea83657d558aaef5a1d789a9032bac3 (patch) | |
| tree | c4143c62227e817790c3362d409cdef93b5b52da /regress | |
| parent | c6efa8a91af1d4fdb43909a23a0a4ffa012155ad (diff) | |
upstream: test FIDO2/U2F key types; ok markus@
OpenBSD-Regress-ID: 367e06d5a260407619b4b113ea0bd7004a435474
Diffstat (limited to 'regress')
| -rw-r--r-- | regress/agent-getpeereid.sh | 4 | ||||
| -rw-r--r-- | regress/agent-pkcs11.sh | 4 | ||||
| -rw-r--r-- | regress/agent-ptrace.sh | 2 | ||||
| -rw-r--r-- | regress/agent-timeout.sh | 4 | ||||
| -rw-r--r-- | regress/agent.sh | 10 | ||||
| -rw-r--r-- | regress/cert-file.sh | 4 | ||||
| -rw-r--r-- | regress/cert-hostkey.sh | 6 | ||||
| -rw-r--r-- | regress/cert-userkey.sh | 10 | ||||
| -rw-r--r-- | regress/hostkey-agent.sh | 8 | ||||
| -rw-r--r-- | regress/hostkey-rotate.sh | 11 | ||||
| -rw-r--r-- | regress/keygen-change.sh | 5 | ||||
| -rw-r--r-- | regress/keyscan.sh | 4 | ||||
| -rw-r--r-- | regress/keytype.sh | 51 | ||||
| -rw-r--r-- | regress/krl.sh | 22 | ||||
| -rw-r--r-- | regress/limit-keytype.sh | 17 | ||||
| -rw-r--r-- | regress/principals-command.sh | 2 | ||||
| -rw-r--r-- | regress/sshsig.sh | 4 | ||||
| -rw-r--r-- | regress/test-exec.sh | 48 |
18 files changed, 142 insertions, 74 deletions
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh index 769c29e8d..524340816 100644 --- a/regress/agent-getpeereid.sh +++ b/regress/agent-getpeereid.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: agent-getpeereid.sh,v 1.10 2018/02/09 03:40:22 dtucker Exp $ | 1 | # $OpenBSD: agent-getpeereid.sh,v 1.11 2019/11/26 23:43:10 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="disallow agent attach from other uid" | 4 | tid="disallow agent attach from other uid" |
| @@ -26,7 +26,7 @@ case "x$SUDO" in | |||
| 26 | esac | 26 | esac |
| 27 | 27 | ||
| 28 | trace "start agent" | 28 | trace "start agent" |
| 29 | eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null | 29 | eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s -a ${ASOCK}` > /dev/null |
| 30 | r=$? | 30 | r=$? |
| 31 | if [ $r -ne 0 ]; then | 31 | if [ $r -ne 0 ]; then |
| 32 | fail "could not start ssh-agent: exit code $r" | 32 | fail "could not start ssh-agent: exit code $r" |
diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh index 5205d9067..fbbaea518 100644 --- a/regress/agent-pkcs11.sh +++ b/regress/agent-pkcs11.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: agent-pkcs11.sh,v 1.6 2019/01/21 09:13:41 djm Exp $ | 1 | # $OpenBSD: agent-pkcs11.sh,v 1.7 2019/11/26 23:43:10 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="pkcs11 agent test" | 4 | tid="pkcs11 agent test" |
| @@ -75,7 +75,7 @@ openssl pkcs8 -nocrypt -in $EC |\ | |||
| 75 | softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" --import /dev/stdin | 75 | softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" --import /dev/stdin |
| 76 | 76 | ||
| 77 | trace "start agent" | 77 | trace "start agent" |
| 78 | eval `${SSHAGENT} -s` > /dev/null | 78 | eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null |
| 79 | r=$? | 79 | r=$? |
| 80 | if [ $r -ne 0 ]; then | 80 | if [ $r -ne 0 ]; then |
| 81 | fail "could not start ssh-agent: exit code $r" | 81 | fail "could not start ssh-agent: exit code $r" |
diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh index 2d795ee32..9cd68d7ec 100644 --- a/regress/agent-ptrace.sh +++ b/regress/agent-ptrace.sh | |||
| @@ -41,7 +41,7 @@ else | |||
| 41 | fi | 41 | fi |
| 42 | 42 | ||
| 43 | trace "start agent" | 43 | trace "start agent" |
| 44 | eval `${SSHAGENT} -s` > /dev/null | 44 | eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null |
| 45 | r=$? | 45 | r=$? |
| 46 | if [ $r -ne 0 ]; then | 46 | if [ $r -ne 0 ]; then |
| 47 | fail "could not start ssh-agent: exit code $r" | 47 | fail "could not start ssh-agent: exit code $r" |
diff --git a/regress/agent-timeout.sh b/regress/agent-timeout.sh index 311c7bcba..6dec09285 100644 --- a/regress/agent-timeout.sh +++ b/regress/agent-timeout.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: agent-timeout.sh,v 1.5 2019/09/03 08:37:06 djm Exp $ | 1 | # $OpenBSD: agent-timeout.sh,v 1.6 2019/11/26 23:43:10 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="agent timeout test" | 4 | tid="agent timeout test" |
| @@ -6,7 +6,7 @@ tid="agent timeout test" | |||
| 6 | SSHAGENT_TIMEOUT=10 | 6 | SSHAGENT_TIMEOUT=10 |
| 7 | 7 | ||
| 8 | trace "start agent" | 8 | trace "start agent" |
| 9 | eval `${SSHAGENT} -s` > /dev/null | 9 | eval `${SSHAGENT} -s ${EXTRA_AGENT_ARGS}` > /dev/null |
| 10 | r=$? | 10 | r=$? |
| 11 | if [ $r -ne 0 ]; then | 11 | if [ $r -ne 0 ]; then |
| 12 | fail "could not start ssh-agent: exit code $r" | 12 | fail "could not start ssh-agent: exit code $r" |
diff --git a/regress/agent.sh b/regress/agent.sh index 48fa12b0e..922d8436e 100644 --- a/regress/agent.sh +++ b/regress/agent.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: agent.sh,v 1.15 2019/07/23 07:39:43 dtucker Exp $ | 1 | # $OpenBSD: agent.sh,v 1.16 2019/11/26 23:43:10 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="simple agent test" | 4 | tid="simple agent test" |
| @@ -8,8 +8,8 @@ if [ $? -ne 2 ]; then | |||
| 8 | fail "ssh-add -l did not fail with exit code 2" | 8 | fail "ssh-add -l did not fail with exit code 2" |
| 9 | fi | 9 | fi |
| 10 | 10 | ||
| 11 | trace "start agent" | 11 | trace "start agent, args ${EXTRA_AGENT_ARGS} -s" |
| 12 | eval `${SSHAGENT} -s` > /dev/null | 12 | eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null |
| 13 | r=$? | 13 | r=$? |
| 14 | if [ $r -ne 0 ]; then | 14 | if [ $r -ne 0 ]; then |
| 15 | fatal "could not start ssh-agent: exit code $r" | 15 | fatal "could not start ssh-agent: exit code $r" |
| @@ -39,9 +39,9 @@ for t in ${SSH_KEYTYPES}; do | |||
| 39 | # add to authorized keys | 39 | # add to authorized keys |
| 40 | cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER | 40 | cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER |
| 41 | # add privat key to agent | 41 | # add privat key to agent |
| 42 | ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1 | 42 | ${SSHADD} $OBJ/$t-agent #> /dev/null 2>&1 |
| 43 | if [ $? -ne 0 ]; then | 43 | if [ $? -ne 0 ]; then |
| 44 | fail "ssh-add did succeed exit code 0" | 44 | fail "ssh-add failed exit code $?" |
| 45 | fi | 45 | fi |
| 46 | # Remove private key to ensure that we aren't accidentally using it. | 46 | # Remove private key to ensure that we aren't accidentally using it. |
| 47 | rm -f $OBJ/$t-agent | 47 | rm -f $OBJ/$t-agent |
diff --git a/regress/cert-file.sh b/regress/cert-file.sh index 1157a3582..94e672a99 100644 --- a/regress/cert-file.sh +++ b/regress/cert-file.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-file.sh,v 1.7 2018/04/10 00:14:10 djm Exp $ | 1 | # $OpenBSD: cert-file.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="ssh with certificates" | 4 | tid="ssh with certificates" |
| @@ -120,7 +120,7 @@ if [ $? -ne 2 ]; then | |||
| 120 | fi | 120 | fi |
| 121 | 121 | ||
| 122 | trace "start agent" | 122 | trace "start agent" |
| 123 | eval `${SSHAGENT} -s` > /dev/null | 123 | eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null |
| 124 | r=$? | 124 | r=$? |
| 125 | if [ $r -ne 0 ]; then | 125 | if [ $r -ne 0 ]; then |
| 126 | fatal "could not start ssh-agent: exit code $r" | 126 | fatal "could not start ssh-agent: exit code $r" |
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 82195b11b..dc40b782a 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-hostkey.sh,v 1.19 2019/11/01 01:55:41 djm Exp $ | 1 | # $OpenBSD: cert-hostkey.sh,v 1.20 2019/11/26 23:43:10 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified host keys" | 4 | tid="certified host keys" |
| @@ -9,7 +9,7 @@ rm -f $OBJ/cert_host_key* $OBJ/host_krl_* | |||
| 9 | # Allow all hostkey/pubkey types, prefer certs for the client | 9 | # Allow all hostkey/pubkey types, prefer certs for the client |
| 10 | rsa=0 | 10 | rsa=0 |
| 11 | types="" | 11 | types="" |
| 12 | for i in `$SSH -Q key | grep -v ^sk-`; do | 12 | for i in `$SSH -Q key | filter_sk`; do |
| 13 | if [ -z "$types" ]; then | 13 | if [ -z "$types" ]; then |
| 14 | types="$i" | 14 | types="$i" |
| 15 | continue | 15 | continue |
| @@ -70,7 +70,7 @@ touch $OBJ/host_revoked_plain | |||
| 70 | touch $OBJ/host_revoked_cert | 70 | touch $OBJ/host_revoked_cert |
| 71 | cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca | 71 | cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca |
| 72 | 72 | ||
| 73 | PLAIN_TYPES=`$SSH -Q key-plain | grep -v ^sk- | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` | 73 | PLAIN_TYPES=`$SSH -Q key-plain | filter_sk | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` |
| 74 | 74 | ||
| 75 | if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then | 75 | if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then |
| 76 | PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" | 76 | PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" |
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 51ac8dcb9..d6e293d57 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-userkey.sh,v 1.22 2019/11/01 01:55:41 djm Exp $ | 1 | # $OpenBSD: cert-userkey.sh,v 1.23 2019/11/26 23:43:10 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified user keys" | 4 | tid="certified user keys" |
| @@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* | |||
| 7 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | 7 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
| 8 | cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak | 8 | cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak |
| 9 | 9 | ||
| 10 | PLAIN_TYPES=`$SSH -Q key-plain | grep -v ^sk- | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` | 10 | PLAIN_TYPES=`$SSH -Q key-plain | maybe_filter_sk | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` |
| 11 | EXTRA_TYPES="" | 11 | EXTRA_TYPES="" |
| 12 | rsa="" | 12 | rsa="" |
| 13 | 13 | ||
| @@ -17,8 +17,10 @@ if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then | |||
| 17 | fi | 17 | fi |
| 18 | 18 | ||
| 19 | kname() { | 19 | kname() { |
| 20 | case $ktype in | 20 | case $1 in |
| 21 | rsa-sha2-*) n="$ktype" ;; | 21 | rsa-sha2-*) n="$1" ;; |
| 22 | sk-ecdsa-*) n="sk-ecdsa" ;; | ||
| 23 | sk-ssh-ed25519*) n="sk-ssh-ed25519" ;; | ||
| 22 | # subshell because some seds will add a newline | 24 | # subshell because some seds will add a newline |
| 23 | *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;; | 25 | *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;; |
| 24 | esac | 26 | esac |
diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh index c581c7bfd..af2ed7806 100644 --- a/regress/hostkey-agent.sh +++ b/regress/hostkey-agent.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: hostkey-agent.sh,v 1.8 2019/11/01 01:55:41 djm Exp $ | 1 | # $OpenBSD: hostkey-agent.sh,v 1.9 2019/11/26 23:43:10 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="hostkey agent" | 4 | tid="hostkey agent" |
| @@ -6,7 +6,7 @@ tid="hostkey agent" | |||
| 6 | rm -f $OBJ/agent-key.* $OBJ/ssh_proxy.orig $OBJ/known_hosts.orig | 6 | rm -f $OBJ/agent-key.* $OBJ/ssh_proxy.orig $OBJ/known_hosts.orig |
| 7 | 7 | ||
| 8 | trace "start agent" | 8 | trace "start agent" |
| 9 | eval `${SSHAGENT} -s` > /dev/null | 9 | eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null |
| 10 | r=$? | 10 | r=$? |
| 11 | [ $r -ne 0 ] && fatal "could not start ssh-agent: exit code $r" | 11 | [ $r -ne 0 ] && fatal "could not start ssh-agent: exit code $r" |
| 12 | 12 | ||
| @@ -14,7 +14,7 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig | |||
| 14 | echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig | 14 | echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig |
| 15 | 15 | ||
| 16 | trace "load hostkeys" | 16 | trace "load hostkeys" |
| 17 | for k in `${SSH} -Q key-plain | grep -v ^sk-` ; do | 17 | for k in `${SSH} -Q key-plain | filter_sk` ; do |
| 18 | ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k" | 18 | ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k" |
| 19 | ( | 19 | ( |
| 20 | printf 'localhost-with-alias,127.0.0.1,::1 ' | 20 | printf 'localhost-with-alias,127.0.0.1,::1 ' |
| @@ -31,7 +31,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts | |||
| 31 | unset SSH_AUTH_SOCK | 31 | unset SSH_AUTH_SOCK |
| 32 | 32 | ||
| 33 | for ps in no yes; do | 33 | for ps in no yes; do |
| 34 | for k in `${SSH} -Q key-plain | grep -v ^sk-` ; do | 34 | for k in `${SSH} -Q key-plain | filter_sk` ; do |
| 35 | verbose "key type $k privsep=$ps" | 35 | verbose "key type $k privsep=$ps" |
| 36 | cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy | 36 | cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy |
| 37 | echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy | 37 | echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy |
diff --git a/regress/hostkey-rotate.sh b/regress/hostkey-rotate.sh index 707e32908..c3e100c3e 100644 --- a/regress/hostkey-rotate.sh +++ b/regress/hostkey-rotate.sh | |||
| @@ -1,11 +1,8 @@ | |||
| 1 | # $OpenBSD: hostkey-rotate.sh,v 1.7 2019/11/01 01:55:41 djm Exp $ | 1 | # $OpenBSD: hostkey-rotate.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="hostkey rotate" | 4 | tid="hostkey rotate" |
| 5 | 5 | ||
| 6 | # Need full names here since they are used in HostKeyAlgorithms | ||
| 7 | HOSTKEY_TYPES="`${SSH} -Q key-plain | grep -v ^sk-`" | ||
| 8 | |||
| 9 | rm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig | 6 | rm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig |
| 10 | 7 | ||
| 11 | grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig | 8 | grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig |
| @@ -20,7 +17,7 @@ secondary="$primary" | |||
| 20 | trace "prepare hostkeys" | 17 | trace "prepare hostkeys" |
| 21 | nkeys=0 | 18 | nkeys=0 |
| 22 | all_algs="" | 19 | all_algs="" |
| 23 | for k in $HOSTKEY_TYPES; do | 20 | for k in $SSH_HOSTKEY_TYPES; do |
| 24 | ${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k" | 21 | ${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k" |
| 25 | echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig | 22 | echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig |
| 26 | nkeys=`expr $nkeys + 1` | 23 | nkeys=`expr $nkeys + 1` |
| @@ -67,12 +64,12 @@ verbose "learn additional hostkeys" | |||
| 67 | dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs | 64 | dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs |
| 68 | # Check that other keys learned | 65 | # Check that other keys learned |
| 69 | expect_nkeys $nkeys "learn hostkeys" | 66 | expect_nkeys $nkeys "learn hostkeys" |
| 70 | for k in $HOSTKEY_TYPES; do | 67 | for k in $SSH_HOSTKEY_TYPES; do |
| 71 | check_key_present $k || fail "didn't learn keytype $k" | 68 | check_key_present $k || fail "didn't learn keytype $k" |
| 72 | done | 69 | done |
| 73 | 70 | ||
| 74 | # Check each key type | 71 | # Check each key type |
| 75 | for k in $HOSTKEY_TYPES; do | 72 | for k in $SSH_HOSTKEY_TYPES; do |
| 76 | verbose "learn additional hostkeys, type=$k" | 73 | verbose "learn additional hostkeys, type=$k" |
| 77 | dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs | 74 | dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs |
| 78 | expect_nkeys $nkeys "learn hostkeys $k" | 75 | expect_nkeys $nkeys "learn hostkeys $k" |
diff --git a/regress/keygen-change.sh b/regress/keygen-change.sh index c62f2c17c..dd1bfda80 100644 --- a/regress/keygen-change.sh +++ b/regress/keygen-change.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: keygen-change.sh,v 1.7 2019/11/01 01:55:41 djm Exp $ | 1 | # $OpenBSD: keygen-change.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="change passphrase for key" | 4 | tid="change passphrase for key" |
| @@ -6,10 +6,9 @@ tid="change passphrase for key" | |||
| 6 | S1="secret1" | 6 | S1="secret1" |
| 7 | S2="2secret" | 7 | S2="2secret" |
| 8 | 8 | ||
| 9 | KEYTYPES=`${SSH} -Q key-plain | grep -v ^sk-` | 9 | KEYTYPES=`${SSH} -Q key-plain | maybe_filter_sk` |
| 10 | 10 | ||
| 11 | for t in $KEYTYPES; do | 11 | for t in $KEYTYPES; do |
| 12 | # generate user key for agent | ||
| 13 | trace "generating $t key" | 12 | trace "generating $t key" |
| 14 | rm -f $OBJ/$t-key | 13 | rm -f $OBJ/$t-key |
| 15 | ${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key | 14 | ${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key |
diff --git a/regress/keyscan.sh b/regress/keyscan.sh index 4e16ecd87..0ce0c7410 100644 --- a/regress/keyscan.sh +++ b/regress/keyscan.sh | |||
| @@ -1,9 +1,9 @@ | |||
| 1 | # $OpenBSD: keyscan.sh,v 1.10 2019/11/01 01:55:41 djm Exp $ | 1 | # $OpenBSD: keyscan.sh,v 1.11 2019/11/26 23:43:10 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="keyscan" | 4 | tid="keyscan" |
| 5 | 5 | ||
| 6 | KEYTYPES=`${SSH} -Q key-plain | grep -v ^sk-` | 6 | KEYTYPES=`${SSH} -Q key-plain | filter_sk` |
| 7 | for i in $KEYTYPES; do | 7 | for i in $KEYTYPES; do |
| 8 | if [ -z "$algs" ]; then | 8 | if [ -z "$algs" ]; then |
| 9 | algs="$i" | 9 | algs="$i" |
diff --git a/regress/keytype.sh b/regress/keytype.sh index 13095088e..91c5aca1b 100644 --- a/regress/keytype.sh +++ b/regress/keytype.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: keytype.sh,v 1.8 2019/07/23 13:49:14 dtucker Exp $ | 1 | # $OpenBSD: keytype.sh,v 1.9 2019/11/26 23:43:10 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="login with different key types" | 4 | tid="login with different key types" |
| @@ -16,43 +16,60 @@ for i in ${SSH_KEYTYPES}; do | |||
| 16 | ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;; | 16 | ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;; |
| 17 | ecdsa-sha2-nistp384) ktypes="$ktypes ecdsa-384" ;; | 17 | ecdsa-sha2-nistp384) ktypes="$ktypes ecdsa-384" ;; |
| 18 | ecdsa-sha2-nistp521) ktypes="$ktypes ecdsa-521" ;; | 18 | ecdsa-sha2-nistp521) ktypes="$ktypes ecdsa-521" ;; |
| 19 | sk-ssh-ed25519*) ktypes="$ktypes ed25519-sk" ;; | ||
| 20 | sk-ecdsa-sha2-nistp256*) ktypes="$ktypes ecdsa-sk" ;; | ||
| 19 | esac | 21 | esac |
| 20 | done | 22 | done |
| 21 | 23 | ||
| 22 | for kt in $ktypes; do | 24 | for kt in $ktypes; do |
| 23 | rm -f $OBJ/key.$kt | 25 | rm -f $OBJ/key.$kt |
| 24 | bits=`echo ${kt} | awk -F- '{print $2}'` | 26 | xbits=`echo ${kt} | awk -F- '{print $2}'` |
| 25 | type=`echo ${kt} | awk -F- '{print $1}'` | 27 | xtype=`echo ${kt} | awk -F- '{print $1}'` |
| 28 | case "$kt" in | ||
| 29 | *sk) type="$kt"; bits="n/a"; bits_arg="";; | ||
| 30 | *) type=$xtype; bits=$xbits; bits_arg="-b $bits";; | ||
| 31 | esac | ||
| 26 | verbose "keygen $type, $bits bits" | 32 | verbose "keygen $type, $bits bits" |
| 27 | ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\ | 33 | ${SSHKEYGEN} $bits_arg -q -N '' -t $type -f $OBJ/key.$kt || \ |
| 28 | fail "ssh-keygen for type $type, $bits bits failed" | 34 | fail "ssh-keygen for type $type, $bits bits failed" |
| 29 | done | 35 | done |
| 30 | 36 | ||
| 37 | kname_to_ktype() { | ||
| 38 | case $1 in | ||
| 39 | dsa-1024) echo ssh-dss;; | ||
| 40 | ecdsa-256) echo ecdsa-sha2-nistp256;; | ||
| 41 | ecdsa-384) echo ecdsa-sha2-nistp384;; | ||
| 42 | ecdsa-521) echo ecdsa-sha2-nistp521;; | ||
| 43 | ed25519-512) echo ssh-ed25519;; | ||
| 44 | rsa-*) echo rsa-sha2-512,rsa-sha2-256,ssh-rsa;; | ||
| 45 | ed25519-sk) echo sk-ssh-ed25519@openssh.com;; | ||
| 46 | ecdsa-sk) echo sk-ecdsa-sha2-nistp256@openssh.com;; | ||
| 47 | esac | ||
| 48 | } | ||
| 49 | |||
| 31 | tries="1 2 3" | 50 | tries="1 2 3" |
| 32 | for ut in $ktypes; do | 51 | for ut in $ktypes; do |
| 33 | htypes=$ut | 52 | user_type=`kname_to_ktype "$ut"` |
| 53 | # SK keys are not supported for hostkeys. | ||
| 54 | case "$ut" in | ||
| 55 | *sk) htypes=ed25519-512;; | ||
| 56 | *) htypes="$ut";; | ||
| 57 | esac | ||
| 34 | #htypes=$ktypes | 58 | #htypes=$ktypes |
| 35 | for ht in $htypes; do | 59 | for ht in $htypes; do |
| 36 | case $ht in | 60 | host_type=`kname_to_ktype "$ht"` |
| 37 | dsa-1024) t=ssh-dss;; | ||
| 38 | ecdsa-256) t=ecdsa-sha2-nistp256;; | ||
| 39 | ecdsa-384) t=ecdsa-sha2-nistp384;; | ||
| 40 | ecdsa-521) t=ecdsa-sha2-nistp521;; | ||
| 41 | ed25519-512) t=ssh-ed25519;; | ||
| 42 | rsa-*) t=rsa-sha2-512,rsa-sha2-256,ssh-rsa;; | ||
| 43 | esac | ||
| 44 | trace "ssh connect, userkey $ut, hostkey $ht" | 61 | trace "ssh connect, userkey $ut, hostkey $ht" |
| 45 | ( | 62 | ( |
| 46 | grep -v HostKey $OBJ/sshd_proxy_bak | 63 | grep -v HostKey $OBJ/sshd_proxy_bak |
| 47 | echo HostKey $OBJ/key.$ht | 64 | echo HostKey $OBJ/key.$ht |
| 48 | echo PubkeyAcceptedKeyTypes $t | 65 | echo PubkeyAcceptedKeyTypes $user_type |
| 49 | echo HostKeyAlgorithms $t | 66 | echo HostKeyAlgorithms $host_type |
| 50 | ) > $OBJ/sshd_proxy | 67 | ) > $OBJ/sshd_proxy |
| 51 | ( | 68 | ( |
| 52 | grep -v IdentityFile $OBJ/ssh_proxy_bak | 69 | grep -v IdentityFile $OBJ/ssh_proxy_bak |
| 53 | echo IdentityFile $OBJ/key.$ut | 70 | echo IdentityFile $OBJ/key.$ut |
| 54 | echo PubkeyAcceptedKeyTypes $t | 71 | echo PubkeyAcceptedKeyTypes $user_type |
| 55 | echo HostKeyAlgorithms $t | 72 | echo HostKeyAlgorithms $host_type |
| 56 | ) > $OBJ/ssh_proxy | 73 | ) > $OBJ/ssh_proxy |
| 57 | ( | 74 | ( |
| 58 | printf 'localhost-with-alias,127.0.0.1,::1 ' | 75 | printf 'localhost-with-alias,127.0.0.1,::1 ' |
diff --git a/regress/krl.sh b/regress/krl.sh index c9b2e67eb..1efd80bfe 100644 --- a/regress/krl.sh +++ b/regress/krl.sh | |||
| @@ -1,16 +1,19 @@ | |||
| 1 | # $OpenBSD: krl.sh,v 1.9 2019/11/01 01:55:41 djm Exp $ | 1 | # $OpenBSD: krl.sh,v 1.10 2019/11/26 23:43:10 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="key revocation lists" | 4 | tid="key revocation lists" |
| 5 | 5 | ||
| 6 | # Use ed25519 by default since it's fast and it's supported when building | 6 | # Use ed25519 by default since it's fast and it's supported when building |
| 7 | # w/out OpenSSL. Populate ktype[2-4] with the other types if supported. | 7 | # w/out OpenSSL. Populate ktype[2-4] with the other types if supported. |
| 8 | ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; ktype4=ed25519 | 8 | ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; |
| 9 | for t in `${SSH} -Q key-plain | grep -v ^sk-`; do | 9 | ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; |
| 10 | for t in `${SSH} -Q key-plain | maybe_filter_sk`; do | ||
| 10 | case "$t" in | 11 | case "$t" in |
| 11 | ecdsa*) ktype2=ecdsa ;; | 12 | ecdsa*) ktype2=ecdsa ;; |
| 12 | ssh-rsa) ktype3=rsa ;; | 13 | ssh-rsa) ktype3=rsa ;; |
| 13 | ssh-dss) ktype4=dsa ;; | 14 | ssh-dss) ktype4=dsa ;; |
| 15 | sk-ssh-ed25519@openssh.com) ktype5=ed25519-sk ;; | ||
| 16 | sk-ecdsa-sha2-nistp256@openssh.com) ktype6=ecdsa-sk ;; | ||
| 14 | esac | 17 | esac |
| 15 | done | 18 | done |
| 16 | 19 | ||
| @@ -34,6 +37,7 @@ serial: 10 | |||
| 34 | serial: 15 | 37 | serial: 15 |
| 35 | serial: 30 | 38 | serial: 30 |
| 36 | serial: 50 | 39 | serial: 50 |
| 40 | serial: 90 | ||
| 37 | serial: 999 | 41 | serial: 999 |
| 38 | # The following sum to 500-799 | 42 | # The following sum to 500-799 |
| 39 | serial: 500 | 43 | serial: 500 |
| @@ -51,7 +55,7 @@ EOF | |||
| 51 | 55 | ||
| 52 | # A specification that revokes some certificated by key ID. | 56 | # A specification that revokes some certificated by key ID. |
| 53 | touch $OBJ/revoked-keyid | 57 | touch $OBJ/revoked-keyid |
| 54 | for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do | 58 | for n in 1 2 3 4 10 15 30 50 90 `jot 500 300` 999 1000 1001 1002; do |
| 55 | test "x$n" = "x499" && continue | 59 | test "x$n" = "x499" && continue |
| 56 | # Fill in by-ID revocation spec. | 60 | # Fill in by-ID revocation spec. |
| 57 | echo "id: revoked $n" >> $OBJ/revoked-keyid | 61 | echo "id: revoked $n" >> $OBJ/revoked-keyid |
| @@ -64,9 +68,11 @@ keygen() { | |||
| 64 | # supported. | 68 | # supported. |
| 65 | keytype=$ktype1 | 69 | keytype=$ktype1 |
| 66 | case $N in | 70 | case $N in |
| 67 | 2 | 10 | 510 | 1001) keytype=$ktype2 ;; | 71 | 2 | 10 | 510 | 1001) keytype=$ktype2 ;; |
| 68 | 4 | 30 | 520 | 1002) keytype=$ktype3 ;; | 72 | 4 | 30 | 520 | 1002) keytype=$ktype3 ;; |
| 69 | 8 | 50 | 530 | 1003) keytype=$ktype4 ;; | 73 | 8 | 50 | 530 | 1003) keytype=$ktype4 ;; |
| 74 | 16 | 70 | 540 | 1004) keytype=$ktype5 ;; | ||
| 75 | 32 | 90 | 550 | 1005) keytype=$ktype6 ;; | ||
| 70 | esac | 76 | esac |
| 71 | $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \ | 77 | $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \ |
| 72 | || fatal "$SSHKEYGEN failed" | 78 | || fatal "$SSHKEYGEN failed" |
| @@ -78,7 +84,7 @@ keygen() { | |||
| 78 | 84 | ||
| 79 | # Generate some keys. | 85 | # Generate some keys. |
| 80 | verbose "$tid: generating test keys" | 86 | verbose "$tid: generating test keys" |
| 81 | REVOKED_SERIALS="1 4 10 50 500 510 520 799 999" | 87 | REVOKED_SERIALS="1 4 10 50 90 500 510 520 550 799 999" |
| 82 | for n in $REVOKED_SERIALS ; do | 88 | for n in $REVOKED_SERIALS ; do |
| 83 | f=`keygen $n` | 89 | f=`keygen $n` |
| 84 | RKEYS="$RKEYS ${f}.pub" | 90 | RKEYS="$RKEYS ${f}.pub" |
diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh index 6eb255c24..abac05c0c 100644 --- a/regress/limit-keytype.sh +++ b/regress/limit-keytype.sh | |||
| @@ -1,20 +1,25 @@ | |||
| 1 | # $OpenBSD: limit-keytype.sh,v 1.7 2019/11/01 01:55:41 djm Exp $ | 1 | # $OpenBSD: limit-keytype.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="restrict pubkey type" | 4 | tid="restrict pubkey type" |
| 5 | 5 | ||
| 6 | # XXX sk-* keys aren't actually tested ATM. | ||
| 7 | |||
| 6 | rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/user_key* | 8 | rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/user_key* |
| 7 | rm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key* | 9 | rm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key* |
| 8 | 10 | ||
| 9 | mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig | 11 | mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig |
| 10 | mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig | 12 | mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig |
| 11 | 13 | ||
| 12 | ktype1=ed25519; ktype2=$ktype1; ktype3=$ktype1; ktype4=$ktype1 | 14 | ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; |
| 13 | for t in `${SSH} -Q key-plain | grep -v ^sk-`; do | 15 | ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; |
| 16 | for t in `${SSH} -Q key-plain | maybe_filter_sk`; do | ||
| 14 | case "$t" in | 17 | case "$t" in |
| 15 | ssh-rsa) ktype2=rsa ;; | 18 | ssh-rsa) ktype2=rsa ;; |
| 16 | ecdsa*) ktype3=ecdsa ;; # unused | 19 | ecdsa*) ktype3=ecdsa ;; # unused |
| 17 | ssh-dss) ktype4=dsa ;; | 20 | ssh-dss) ktype4=dsa ;; |
| 21 | sk-ssh-ed25519@openssh.com) ktype5=ed25519-sk ;; | ||
| 22 | sk-ecdsa-sha2-nistp256@openssh.com) ktype6=ecdsa-sk ;; | ||
| 18 | esac | 23 | esac |
| 19 | done | 24 | done |
| 20 | 25 | ||
| @@ -31,6 +36,10 @@ ${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/user_key3 || \ | |||
| 31 | fatal "ssh-keygen failed" | 36 | fatal "ssh-keygen failed" |
| 32 | ${SSHKEYGEN} -q -N '' -t $ktype4 -f $OBJ/user_key4 || \ | 37 | ${SSHKEYGEN} -q -N '' -t $ktype4 -f $OBJ/user_key4 || \ |
| 33 | fatal "ssh-keygen failed" | 38 | fatal "ssh-keygen failed" |
| 39 | ${SSHKEYGEN} -q -N '' -t $ktype5 -f $OBJ/user_key5 || \ | ||
| 40 | fatal "ssh-keygen failed" | ||
| 41 | ${SSHKEYGEN} -q -N '' -t $ktype6 -f $OBJ/user_key6 || \ | ||
| 42 | fatal "ssh-keygen failed" | ||
| 34 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ | 43 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ |
| 35 | -z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 || | 44 | -z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 || |
| 36 | fatal "couldn't sign user_key1" | 45 | fatal "couldn't sign user_key1" |
| @@ -68,6 +77,8 @@ keytype() { | |||
| 68 | ed25519) printf "ssh-ed25519" ;; | 77 | ed25519) printf "ssh-ed25519" ;; |
| 69 | dsa) printf "ssh-dss" ;; | 78 | dsa) printf "ssh-dss" ;; |
| 70 | rsa) printf "rsa-sha2-256,rsa-sha2-512,ssh-rsa" ;; | 79 | rsa) printf "rsa-sha2-256,rsa-sha2-512,ssh-rsa" ;; |
| 80 | sk-ecdsa) printf "sk-ecdsa-*" ;; | ||
| 81 | sk-ssh-ed25519) printf "sk-ssh-ed25519-*" ;; | ||
| 71 | esac | 82 | esac |
| 72 | } | 83 | } |
| 73 | 84 | ||
diff --git a/regress/principals-command.sh b/regress/principals-command.sh index 005c6b7d6..a91858cbb 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh | |||
| @@ -12,7 +12,7 @@ if [ -z "$SUDO" -a ! -w /var/run ]; then | |||
| 12 | exit 0 | 12 | exit 0 |
| 13 | fi | 13 | fi |
| 14 | 14 | ||
| 15 | case "`${SSH} -Q key-plain | grep -v ^sk-`" in | 15 | case "`${SSH} -Q key-plain`" in |
| 16 | *ssh-rsa*) userkeytype=rsa ;; | 16 | *ssh-rsa*) userkeytype=rsa ;; |
| 17 | *) userkeytype=ed25519 ;; | 17 | *) userkeytype=ed25519 ;; |
| 18 | esac | 18 | esac |
diff --git a/regress/sshsig.sh b/regress/sshsig.sh index eb99486ae..da362c179 100644 --- a/regress/sshsig.sh +++ b/regress/sshsig.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: sshsig.sh,v 1.2 2019/10/04 03:39:19 djm Exp $ | 1 | # $OpenBSD: sshsig.sh,v 1.3 2019/11/26 23:43:10 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="sshsig" | 4 | tid="sshsig" |
| @@ -23,7 +23,7 @@ CA_PRIV=$OBJ/sigca-key | |||
| 23 | CA_PUB=$OBJ/sigca-key.pub | 23 | CA_PUB=$OBJ/sigca-key.pub |
| 24 | 24 | ||
| 25 | trace "start agent" | 25 | trace "start agent" |
| 26 | eval `${SSHAGENT} -s` > /dev/null | 26 | eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null |
| 27 | r=$? | 27 | r=$? |
| 28 | if [ $r -ne 0 ]; then | 28 | if [ $r -ne 0 ]; then |
| 29 | fatal "could not start ssh-agent: exit code $r" | 29 | fatal "could not start ssh-agent: exit code $r" |
diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 3f1685bb0..4bf4059fc 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: test-exec.sh,v 1.67 2019/11/01 01:55:41 djm Exp $ | 1 | # $OpenBSD: test-exec.sh,v 1.68 2019/11/26 23:43:10 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | #SUDO=sudo | 4 | #SUDO=sudo |
| @@ -128,6 +128,12 @@ if [ "x$TEST_SSH_CONCH" != "x" ]; then | |||
| 128 | *) CONCH=`which ${TEST_SSH_CONCH} 2>/dev/null` ;; | 128 | *) CONCH=`which ${TEST_SSH_CONCH} 2>/dev/null` ;; |
| 129 | esac | 129 | esac |
| 130 | fi | 130 | fi |
| 131 | if [ "x$TEST_SSH_PKCS11_HELPER" != "x" ]; then | ||
| 132 | SSH_PKCS11_HELPER="${TEST_SSH_PKCS11_HELPER}" | ||
| 133 | fi | ||
| 134 | if [ "x$TEST_SSH_SK_HELPER" != "x" ]; then | ||
| 135 | SSH_SK_HELPER="${TEST_SSH_SK_HELPER}" | ||
| 136 | fi | ||
| 131 | 137 | ||
| 132 | # Path to sshd must be absolute for rexec | 138 | # Path to sshd must be absolute for rexec |
| 133 | case "$SSHD" in | 139 | case "$SSHD" in |
| @@ -252,6 +258,7 @@ increase_datafile_size() | |||
| 252 | 258 | ||
| 253 | # these should be used in tests | 259 | # these should be used in tests |
| 254 | export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP | 260 | export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP |
| 261 | export SSH_PKCS11_HELPER SSH_SK_HELPER | ||
| 255 | #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP | 262 | #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP |
| 256 | 263 | ||
| 257 | # Portable specific functions | 264 | # Portable specific functions |
| @@ -475,8 +482,35 @@ fi | |||
| 475 | 482 | ||
| 476 | rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER | 483 | rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER |
| 477 | 484 | ||
| 478 | SSH_KEYTYPES=`$SSH -Q key-plain | grep -v ^sk` | 485 | SSH_SK_PROVIDER= |
| 486 | if [ -f "${SRC}/misc/sk-dummy/obj/sk-dummy.so" ] ; then | ||
| 487 | SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/obj/sk-dummy.so" | ||
| 488 | elif [ -f "${SRC}/misc/sk-dummy/sk-dummy.so" ] ; then | ||
| 489 | SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/sk-dummy.so" | ||
| 490 | fi | ||
| 491 | export SSH_SK_PROVIDER | ||
| 492 | |||
| 493 | if ! test -z "$SSH_SK_PROVIDER"; then | ||
| 494 | EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)... | ||
| 495 | echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config | ||
| 496 | fi | ||
| 497 | export EXTRA_AGENT_ARGS | ||
| 498 | |||
| 499 | filter_sk() { | ||
| 500 | grep -v ^sk | ||
| 501 | } | ||
| 502 | |||
| 503 | maybe_filter_sk() { | ||
| 504 | if test -z "$SSH_SK_PROVIDER" ; then | ||
| 505 | filter_sk | ||
| 506 | else | ||
| 507 | cat | ||
| 508 | fi | ||
| 509 | } | ||
| 479 | 510 | ||
| 511 | SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk` | ||
| 512 | SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | filter_sk` | ||
| 513 | |||
| 480 | for t in ${SSH_KEYTYPES}; do | 514 | for t in ${SSH_KEYTYPES}; do |
| 481 | # generate user key | 515 | # generate user key |
| 482 | trace "generating key type $t" | 516 | trace "generating key type $t" |
| @@ -486,16 +520,18 @@ for t in ${SSH_KEYTYPES}; do | |||
| 486 | fail "ssh-keygen for $t failed" | 520 | fail "ssh-keygen for $t failed" |
| 487 | fi | 521 | fi |
| 488 | 522 | ||
| 523 | # setup authorized keys | ||
| 524 | cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER | ||
| 525 | echo IdentityFile $OBJ/$t >> $OBJ/ssh_config | ||
| 526 | done | ||
| 527 | |||
| 528 | for t in ${SSH_HOSTKEY_TYPES}; do | ||
| 489 | # known hosts file for client | 529 | # known hosts file for client |
| 490 | ( | 530 | ( |
| 491 | printf 'localhost-with-alias,127.0.0.1,::1 ' | 531 | printf 'localhost-with-alias,127.0.0.1,::1 ' |
| 492 | cat $OBJ/$t.pub | 532 | cat $OBJ/$t.pub |
| 493 | ) >> $OBJ/known_hosts | 533 | ) >> $OBJ/known_hosts |
| 494 | 534 | ||
| 495 | # setup authorized keys | ||
| 496 | cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER | ||
| 497 | echo IdentityFile $OBJ/$t >> $OBJ/ssh_config | ||
| 498 | |||
| 499 | # use key as host key, too | 535 | # use key as host key, too |
| 500 | $SUDO cp $OBJ/$t $OBJ/host.$t | 536 | $SUDO cp $OBJ/$t $OBJ/host.$t |
| 501 | echo HostKey $OBJ/host.$t >> $OBJ/sshd_config | 537 | echo HostKey $OBJ/host.$t >> $OBJ/sshd_config |