-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | regress/cert-hostkey.sh | 29 | ||||
-rw-r--r-- | regress/cert-userkey.sh | 18 |
3 files changed, 48 insertions, 3 deletions
@@ -35,6 +35,10 @@ | |||
35 | authentication. | 35 | authentication. |
36 | 36 | ||
37 | feedback and ok markus@ | 37 | feedback and ok markus@ |
38 | - djm@cvs.openbsd.org 2010/03/03 00:47:23 | ||
39 | [regress/cert-hostkey.sh regress/cert-userkey.sh] | ||
40 | add an extra test to ensure that authentication with the wrong | ||
41 | certificate fails as it should (and it does) | ||
38 | 42 | ||
39 | 20100303 | 43 | 20100303 |
40 | - (djm) [PROTOCOL.certkeys] Add RCS Ident | 44 | - (djm) [PROTOCOL.certkeys] Add RCS Ident |
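--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-hostkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
 # Placed in the Public Domain.
 
 tid="certified host keys"
@@ -119,4 +119,31 @@ for ktype in rsa dsa ; do
 fi
 done
 
+# Wrong certificate
+(
+echon '@cert-authority '
+echon "$HOSTS "
+cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+for ktype in rsa dsa ; do
+# Self-sign key
+${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \
+-I "regress host key for $USER" \
+-n $HOSTS $OBJ/cert_host_key_${ktype} ||
+fail "couldn't sign cert_host_key_${ktype}"
+verbose "$tid: host ${ktype} connect wrong cert"
+(
+cat $OBJ/sshd_proxy_bak
+echo HostKey $OBJ/cert_host_key_${ktype}
+echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+) > $OBJ/sshd_proxy
+
+${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+fail "ssh cert connect $ident succeeded unexpectedly"
+fi
+done
+
 rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*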
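Review bot: The failure message at new line 145, `fail "ssh cert connect $ident succeeded unexpectedly"`, interpolates `$ident`, but the only variable this loop sets is `ktype`; unless `ident` is assigned earlier in the file (outside this hunk) the message will carry an empty or stale value and a regression here would be hard to attribute. The same line appears at new line 99 of regress/cert-userkey.sh. Suggest `fail "ssh cert connect host ${ktype} wrong cert succeeded unexpectedly"` here and the `user ${ktype}` equivalent there. Separately, the check `if [ $? -eq 0 ]; then` treats any non-zero exit as the expected rejection, so a connection that fails for an unrelated reason (unusable proxy config, missing key file) also lets the "wrong certificate" test pass; keeping ssh's stderr instead of discarding it with `2>&1` to /dev/null and confirming it reports a host key verification failure would make the negative test assert the rejection it is meant to cover.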
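--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-userkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
+# $OpenBSD: cert-userkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
 # Placed in the Public Domain.
 
 tid="certified user keys"
@@ -24,7 +24,6 @@ for ktype in rsa dsa ; do
 "regress user key for $USER" \
 -n $USER $OBJ/cert_user_key_${ktype} ||
 fail "couldn't sign cert_user_key_${ktype}"
-
 done
 
 # Basic connect tests
@@ -86,4 +85,19 @@ test_one "cert valid interval" success "-V-1w:+2w"
 test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8"
 test_one "force-command" failure "-Oforce-command=false"
 
+# Wrong certificate
+for ktype in rsa dsa ; do
+# Self-sign
+${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
+"regress user key for $USER" \
+-n $USER $OBJ/cert_user_key_${ktype} ||
+fail "couldn't sign cert_user_key_${ktype}"
+verbose "$tid: user ${ktype} connect wrong cert"
+${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+fail "ssh cert connect $ident succeeded unexpectedly"
+fi
+done
+
 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*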