4 files changed, 219 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index fec38e028..703c347fb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,9 @@
     PROTOCOL.certkeys
     
     feedback and ok markus@
+   - djm@cvs.openbsd.org 2010/02/26 20:33:21
+     [Makefile regress/cert-hostkey.sh regress/cert-userkey.sh]
+     regression tests for certified keys
 20100224
 - (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
diff --git a/regress/Makefile b/regress/Makefile
index 42e84d4c5..de8e9fd33 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.51 2010/02/09 06:29:02 djm Exp $
+#       $OpenBSD: Makefile,v 1.52 2010/02/26 20:33:21 djm Exp $
 REGRESS_TARGETS=        t1 t2 t3 t4 t5 t6 t7 t-exec
 tests:          $(REGRESS_TARGETS)
@@ -52,7 +52,9 @@ LTESTS= 	connect \
                addrmatch \
                localcommand \
                forcecommand \
-                portnum
+                portnum \
+                cert-hostkey \
+                cert-userkey
 INTEROP_TESTS=  putty-transfer putty-ciphers putty-kex conch-ciphers
 #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
@@ -66,6 +68,7 @@ CLEANFILES=	t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
                ls.copy banner.in banner.out empty.in \
                scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
                sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
+                known_hosts-cert host_ca_key* cert_host_key* \
                putty.rsa2
 # Enable all malloc(3) randomisations and checks
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
new file mode 100644
index 000000000..14cd2230b
--- /dev/null
+++ b/regress/cert-hostkey.sh
@@ -0,0 +1,122 @@
+#       $OpenBSD: cert-hostkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
+#       Placed in the Public Domain.
+tid="certified host keys"
+rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+HOSTS='localhost-with-alias,127.0.0.1,::1'
+# Create a CA key and add it to known hosts
+${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/host_ca_key ||\
+        fail "ssh-keygen of host_ca_key failed"
+(
+        echo -n '@cert-authority '
+        echo -n "$HOSTS "
+        cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+# Generate and sign host keys
+for ktype in rsa dsa ; do 
+        verbose "$tid: sign host ${ktype} cert"
+        # Generate and sign a host key
+        ${SSHKEYGEN} -q -N '' -t ${ktype} \
+            -f $OBJ/cert_host_key_${ktype} || \
+                fail "ssh-keygen of cert_host_key_${ktype} failed"
+        ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \
+            -I "regress host key for $USER" \
+            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+                fail "couldn't sign cert_host_key_${ktype}"
+done
+# Basic connect tests
+for privsep in yes no ; do
+        for ktype in rsa dsa ; do 
+                verbose "$tid: host ${ktype} cert connect privsep $privsep"
+                (
+                        cat $OBJ/sshd_proxy_bak
+                        echo HostKey $OBJ/cert_host_key_${ktype}
+                        echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+                        echo UsePrivilegeSeparation $privsep
+                ) > $OBJ/sshd_proxy
+                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                        -F $OBJ/ssh_proxy somehost true
+                if [ $? -ne 0 ]; then
+                        fail "ssh cert connect failed"
+                fi
+        done
+done
+test_one() {
+        ident=$1
+        result=$2
+        sign_opts=$3
+        
+        verbose "$tid: test host cert connect $ident expect $result"
+        ${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
+            $sign_opts \
+            $OBJ/cert_host_key_rsa ||
+                fail "couldn't sign cert_host_key_rsa"
+        (
+                cat $OBJ/sshd_proxy_bak
+                echo HostKey $OBJ/cert_host_key_rsa
+                echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub
+        ) > $OBJ/sshd_proxy
+        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+        rc=$?
+        if [ "x$result" = "xsuccess" ] ; then
+                if [ $rc -ne 0 ]; then
+                        fail "ssh cert connect $ident failed unexpectedly"
+                fi
+        else
+                if [ $rc -eq 0 ]; then
+                        fail "ssh cert connect $ident succeeded unexpectedly"
+                fi
+        fi
+}
+test_one "user-certificate"     failure "-n $HOSTS"
+test_one "empty principals"     success "-h"
+test_one "wrong principals"     failure "-h -n foo"
+test_one "cert not yet valid"   failure "-h -V20200101:20300101"
+test_one "cert expired"         failure "-h -V19800101:19900101"
+test_one "cert valid interval"  success "-h -V-1w:+2w"
+test_one "cert has constraints" failure "-h -Oforce-command=false"
+# Check downgrade of cert to raw key when no CA found
+rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
+for ktype in rsa dsa ; do 
+        verbose "$tid: host ${ktype} cert downgrade to raw key"
+        # Generate and sign a host key
+        ${SSHKEYGEN} -q -N '' -t ${ktype} \
+            -f $OBJ/cert_host_key_${ktype} || \
+                fail "ssh-keygen of cert_host_key_${ktype} failed"
+        ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
+            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+                fail "couldn't sign cert_host_key_${ktype}"
+        (
+                echo -n "$HOSTS "
+                cat $OBJ/cert_host_key_${ktype}.pub
+        ) > $OBJ/known_hosts-cert
+        (
+                cat $OBJ/sshd_proxy_bak
+                echo HostKey $OBJ/cert_host_key_${ktype}
+                echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+        ) > $OBJ/sshd_proxy
+        
+        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                -F $OBJ/ssh_proxy somehost true
+        if [ $? -ne 0 ]; then
+                fail "ssh cert connect failed"
+        fi
+done
+rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
new file mode 100644
index 000000000..307e7236f
--- /dev/null
+++ b/regress/cert-userkey.sh
@@ -0,0 +1,89 @@
+#       $OpenBSD: cert-userkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
+#       Placed in the Public Domain.
+tid="certified user keys"
+rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+# Create a CA key and add it to authorized_keys
+${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
+        fail "ssh-keygen of user_ca_key failed"
+(
+        echo -n 'cert-authority '
+        cat $OBJ/user_ca_key.pub
+) > $OBJ/authorized_keys_$USER
+# Generate and sign user keys
+for ktype in rsa dsa ; do 
+        verbose "$tid: sign user ${ktype} cert"
+        ${SSHKEYGEN} -q -N '' -t ${ktype} \
+            -f $OBJ/cert_user_key_${ktype} || \
+                fail "ssh-keygen of cert_user_key_${ktype} failed"
+        ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
+            "regress user key for $USER" \
+            -n $USER $OBJ/cert_user_key_${ktype} ||
+                fail "couldn't sign cert_user_key_${ktype}"
+done
+# Basic connect tests
+for privsep in yes no ; do
+        for ktype in rsa dsa ; do 
+                verbose "$tid: user ${ktype} cert connect privsep $privsep"
+                (
+                        cat $OBJ/sshd_proxy_bak
+                        echo "UsePrivilegeSeparation $privsep"
+                ) > $OBJ/sshd_proxy
+                ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+                    somehost true
+                if [ $? -ne 0 ]; then
+                        fail "ssh cert connect failed"
+                fi
+        done
+done
+verbose "$tid: ensure CA key does not authenticate user"
+${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+        fail "ssh cert connect with CA key succeeded unexpectedly"
+fi
+test_one() {
+        ident=$1
+        result=$2
+        sign_opts=$3
+        
+        verbose "$tid: test user cert connect $ident expect $result"
+        ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+            $sign_opts \
+            $OBJ/cert_user_key_rsa ||
+                fail "couldn't sign cert_user_key_rsa"
+        ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
+            somehost true >/dev/null 2>&1
+        rc=$?
+        if [ "x$result" = "xsuccess" ] ; then
+                if [ $rc -ne 0 ]; then
+                        fail "ssh cert connect $ident failed unexpectedly"
+                fi
+        else
+                if [ $rc -eq 0 ]; then
+                        fail "ssh cert connect $ident succeeded unexpectedly"
+                fi
+        fi
+        cleanup
+}
+test_one "host-certificate"     failure "-h"
+test_one "empty principals"     success ""
+test_one "wrong principals"     failure "-n foo"
+test_one "cert not yet valid"   failure "-V20200101:20300101"
+test_one "cert expired"         failure "-V19800101:19900101"
+test_one "cert valid interval"  success "-V-1w:+2w"
+test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8"
+test_one "force-command"        failure "-Oforce-command=false"
+rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*

diff --git a/ChangeLog b/ChangeLog index fec38e028..703c347fb 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -30,6 +30,9 @@
30	PROTOCOL.certkeys	30	PROTOCOL.certkeys
31		31
32	feedback and ok markus@	32	feedback and ok markus@
		33	- djm@cvs.openbsd.org 2010/02/26 20:33:21
		34	[Makefile regress/cert-hostkey.sh regress/cert-userkey.sh]
		35	regression tests for certified keys
33		36
34	20100224	37	20100224
35	- (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]	38	- (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]


diff --git a/regress/Makefile b/regress/Makefile index 42e84d4c5..de8e9fd33 100644 --- a/regress/Makefile +++ b/regress/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.51 2010/02/09 06:29:02 djm Exp $	1	# $OpenBSD: Makefile,v 1.52 2010/02/26 20:33:21 djm Exp $
2		2
3	REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec	3	REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec
4	tests: $(REGRESS_TARGETS)	4	tests: $(REGRESS_TARGETS)
@@ -52,7 +52,9 @@ LTESTS= connect \
52	addrmatch \	52	addrmatch \
53	localcommand \	53	localcommand \
54	forcecommand \	54	forcecommand \
55	portnum	55	portnum \
		56	cert-hostkey \
		57	cert-userkey
56		58
57	INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers	59	INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
58	#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp	60	#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
@@ -66,6 +68,7 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
66	ls.copy banner.in banner.out empty.in \	68	ls.copy banner.in banner.out empty.in \
67	scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \	69	scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
68	sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \	70	sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
		71	known_hosts-cert host_ca_key* cert_host_key* \
69	putty.rsa2	72	putty.rsa2
70		73
71	# Enable all malloc(3) randomisations and checks	74	# Enable all malloc(3) randomisations and checks


diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh new file mode 100644 index 000000000..14cd2230b --- /dev/null +++ b/regress/cert-hostkey.sh
@@ -0,0 +1,122 @@
		1	# $OpenBSD: cert-hostkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
		2	# Placed in the Public Domain.
		3
		4	tid="certified host keys"
		5
		6	rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
		7	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
		8
		9	HOSTS='localhost-with-alias,127.0.0.1,::1'
		10
		11	# Create a CA key and add it to known hosts
		12	${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key \|\|\
		13	fail "ssh-keygen of host_ca_key failed"
		14	(
		15	echo -n '@cert-authority '
		16	echo -n "$HOSTS "
		17	cat $OBJ/host_ca_key.pub
		18	) > $OBJ/known_hosts-cert
		19
		20	# Generate and sign host keys
		21	for ktype in rsa dsa ; do
		22	verbose "$tid: sign host ${ktype} cert"
		23	# Generate and sign a host key
		24	${SSHKEYGEN} -q -N '' -t ${ktype} \
		25	-f $OBJ/cert_host_key_${ktype} \|\| \
		26	fail "ssh-keygen of cert_host_key_${ktype} failed"
		27	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \
		28	-I "regress host key for $USER" \
		29	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
		30	fail "couldn't sign cert_host_key_${ktype}"
		31	done
		32
		33	# Basic connect tests
		34	for privsep in yes no ; do
		35	for ktype in rsa dsa ; do
		36	verbose "$tid: host ${ktype} cert connect privsep $privsep"
		37	(
		38	cat $OBJ/sshd_proxy_bak
		39	echo HostKey $OBJ/cert_host_key_${ktype}
		40	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
		41	echo UsePrivilegeSeparation $privsep
		42	) > $OBJ/sshd_proxy
		43
		44	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		45	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		46	-F $OBJ/ssh_proxy somehost true
		47	if [ $? -ne 0 ]; then
		48	fail "ssh cert connect failed"
		49	fi
		50	done
		51	done
		52
		53	test_one() {
		54	ident=$1
		55	result=$2
		56	sign_opts=$3
		57
		58	verbose "$tid: test host cert connect $ident expect $result"
		59
		60	${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
		61	$sign_opts \
		62	$OBJ/cert_host_key_rsa \|\|
		63	fail "couldn't sign cert_host_key_rsa"
		64	(
		65	cat $OBJ/sshd_proxy_bak
		66	echo HostKey $OBJ/cert_host_key_rsa
		67	echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub
		68	) > $OBJ/sshd_proxy
		69
		70	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		71	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		72	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		73	rc=$?
		74	if [ "x$result" = "xsuccess" ] ; then
		75	if [ $rc -ne 0 ]; then
		76	fail "ssh cert connect $ident failed unexpectedly"
		77	fi
		78	else
		79	if [ $rc -eq 0 ]; then
		80	fail "ssh cert connect $ident succeeded unexpectedly"
		81	fi
		82	fi
		83	}
		84
		85	test_one "user-certificate" failure "-n $HOSTS"
		86	test_one "empty principals" success "-h"
		87	test_one "wrong principals" failure "-h -n foo"
		88	test_one "cert not yet valid" failure "-h -V20200101:20300101"
		89	test_one "cert expired" failure "-h -V19800101:19900101"
		90	test_one "cert valid interval" success "-h -V-1w:+2w"
		91	test_one "cert has constraints" failure "-h -Oforce-command=false"
		92
		93	# Check downgrade of cert to raw key when no CA found
		94	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
		95	for ktype in rsa dsa ; do
		96	verbose "$tid: host ${ktype} cert downgrade to raw key"
		97	# Generate and sign a host key
		98	${SSHKEYGEN} -q -N '' -t ${ktype} \
		99	-f $OBJ/cert_host_key_${ktype} \|\| \
		100	fail "ssh-keygen of cert_host_key_${ktype} failed"
		101	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
		102	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
		103	fail "couldn't sign cert_host_key_${ktype}"
		104	(
		105	echo -n "$HOSTS "
		106	cat $OBJ/cert_host_key_${ktype}.pub
		107	) > $OBJ/known_hosts-cert
		108	(
		109	cat $OBJ/sshd_proxy_bak
		110	echo HostKey $OBJ/cert_host_key_${ktype}
		111	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
		112	) > $OBJ/sshd_proxy
		113
		114	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		115	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		116	-F $OBJ/ssh_proxy somehost true
		117	if [ $? -ne 0 ]; then
		118	fail "ssh cert connect failed"
		119	fi
		120	done
		121
		122	rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*


diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh new file mode 100644 index 000000000..307e7236f --- /dev/null +++ b/regress/cert-userkey.sh
@@ -0,0 +1,89 @@
		1	# $OpenBSD: cert-userkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
		2	# Placed in the Public Domain.
		3
		4	tid="certified user keys"
		5
		6	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
		7	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
		8
		9	# Create a CA key and add it to authorized_keys
		10	${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key \|\|\
		11	fail "ssh-keygen of user_ca_key failed"
		12	(
		13	echo -n 'cert-authority '
		14	cat $OBJ/user_ca_key.pub
		15	) > $OBJ/authorized_keys_$USER
		16
		17	# Generate and sign user keys
		18	for ktype in rsa dsa ; do
		19	verbose "$tid: sign user ${ktype} cert"
		20	${SSHKEYGEN} -q -N '' -t ${ktype} \
		21	-f $OBJ/cert_user_key_${ktype} \|\| \
		22	fail "ssh-keygen of cert_user_key_${ktype} failed"
		23	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
		24	"regress user key for $USER" \
		25	-n $USER $OBJ/cert_user_key_${ktype} \|\|
		26	fail "couldn't sign cert_user_key_${ktype}"
		27
		28	done
		29
		30	# Basic connect tests
		31	for privsep in yes no ; do
		32	for ktype in rsa dsa ; do
		33	verbose "$tid: user ${ktype} cert connect privsep $privsep"
		34	(
		35	cat $OBJ/sshd_proxy_bak
		36	echo "UsePrivilegeSeparation $privsep"
		37	) > $OBJ/sshd_proxy
		38
		39	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
		40	somehost true
		41	if [ $? -ne 0 ]; then
		42	fail "ssh cert connect failed"
		43	fi
		44	done
		45	done
		46
		47	verbose "$tid: ensure CA key does not authenticate user"
		48	${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		49	if [ $? -eq 0 ]; then
		50	fail "ssh cert connect with CA key succeeded unexpectedly"
		51	fi
		52
		53	test_one() {
		54	ident=$1
		55	result=$2
		56	sign_opts=$3
		57
		58	verbose "$tid: test user cert connect $ident expect $result"
		59
		60	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
		61	$sign_opts \
		62	$OBJ/cert_user_key_rsa \|\|
		63	fail "couldn't sign cert_user_key_rsa"
		64
		65	${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
		66	somehost true >/dev/null 2>&1
		67	rc=$?
		68	if [ "x$result" = "xsuccess" ] ; then
		69	if [ $rc -ne 0 ]; then
		70	fail "ssh cert connect $ident failed unexpectedly"
		71	fi
		72	else
		73	if [ $rc -eq 0 ]; then
		74	fail "ssh cert connect $ident succeeded unexpectedly"
		75	fi
		76	fi
		77	cleanup
		78	}
		79
		80	test_one "host-certificate" failure "-h"
		81	test_one "empty principals" success ""
		82	test_one "wrong principals" failure "-n foo"
		83	test_one "cert not yet valid" failure "-V20200101:20300101"
		84	test_one "cert expired" failure "-V19800101:19900101"
		85	test_one "cert valid interval" success "-V-1w:+2w"
		86	test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8"
		87	test_one "force-command" failure "-Oforce-command=false"
		88
		89	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*