summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--regress/cert-hostkey.sh23
-rw-r--r--regress/cert-userkey.sh31
-rw-r--r--regress/hostkey-agent.sh7
-rw-r--r--regress/hostkey-rotate.sh8
-rw-r--r--regress/keytype.sh14
-rw-r--r--regress/unittests/kex/test_kex.c7
6 files changed, 79 insertions, 11 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index c99c2b1c3..3f53922c8 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,11 +1,32 @@
1# $OpenBSD: cert-hostkey.sh,v 1.12 2015/07/03 04:39:23 djm Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.13 2015/07/10 06:23:25 markus Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
5 5
6rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_* 6rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_*
7rm -f $OBJ/cert_host_key* $OBJ/host_krl_* 7rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
8
9# Allow all hostkey/pubkey types, prefer certs for the client
10types=""
11for i in `$SSH -Q key`; do
12 if [ -z "$types" ]; then
13 types="$i"
14 continue
15 fi
16 case "$i" in
17 *cert*) types="$i,$types";;
18 *) types="$types,$i";;
19 esac
20done
21(
22 echo "HostKeyAlgorithms ${types}"
23 echo "PubkeyAcceptedKeyTypes *"
24) >> $OBJ/ssh_proxy
8cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 25cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
26(
27 echo "HostKeyAlgorithms *"
28 echo "PubkeyAcceptedKeyTypes *"
29) >> $OBJ/sshd_proxy_bak
9 30
10HOSTS='localhost-with-alias,127.0.0.1,::1' 31HOSTS='localhost-with-alias,127.0.0.1,::1'
11 32
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index d461b9e34..739a036e2 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,13 +1,19 @@
1# $OpenBSD: cert-userkey.sh,v 1.13 2015/07/03 04:39:23 djm Exp $ 1# $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified user keys" 4tid="certified user keys"
5 5
6rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* 6rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
8 9
9PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` 10PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
10 11
12kname() {
13 echo -n $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'
14 echo "*,ssh-rsa*,ssh-ed25519*"
15}
16
11# Create a CA key 17# Create a CA key
12${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ 18${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
13 fail "ssh-keygen of user_ca_key failed" 19 fail "ssh-keygen of user_ca_key failed"
@@ -25,6 +31,7 @@ done
25 31
26# Test explicitly-specified principals 32# Test explicitly-specified principals
27for ktype in $PLAIN_TYPES ; do 33for ktype in $PLAIN_TYPES ; do
34 t=$(kname $ktype)
28 for privsep in yes no ; do 35 for privsep in yes no ; do
29 _prefix="${ktype} privsep $privsep" 36 _prefix="${ktype} privsep $privsep"
30 37
@@ -36,7 +43,12 @@ for ktype in $PLAIN_TYPES ; do
36 echo "AuthorizedPrincipalsFile " \ 43 echo "AuthorizedPrincipalsFile " \
37 "$OBJ/authorized_principals_%u" 44 "$OBJ/authorized_principals_%u"
38 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" 45 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
46 echo "PubkeyAcceptedKeyTypes ${t}"
39 ) > $OBJ/sshd_proxy 47 ) > $OBJ/sshd_proxy
48 (
49 cat $OBJ/ssh_proxy_bak
50 echo "PubkeyAcceptedKeyTypes ${t}"
51 ) > $OBJ/ssh_proxy
40 52
41 # Missing authorized_principals 53 # Missing authorized_principals
42 verbose "$tid: ${_prefix} missing authorized_principals" 54 verbose "$tid: ${_prefix} missing authorized_principals"
@@ -109,7 +121,12 @@ for ktype in $PLAIN_TYPES ; do
109 ( 121 (
110 cat $OBJ/sshd_proxy_bak 122 cat $OBJ/sshd_proxy_bak
111 echo "UsePrivilegeSeparation $privsep" 123 echo "UsePrivilegeSeparation $privsep"
124 echo "PubkeyAcceptedKeyTypes ${t}"
112 ) > $OBJ/sshd_proxy 125 ) > $OBJ/sshd_proxy
126 (
127 cat $OBJ/ssh_proxy_bak
128 echo "PubkeyAcceptedKeyTypes ${t}"
129 ) > $OBJ/ssh_proxy
113 130
114 # Wrong principals list 131 # Wrong principals list
115 verbose "$tid: ${_prefix} wrong principals key option" 132 verbose "$tid: ${_prefix} wrong principals key option"
@@ -151,6 +168,7 @@ basic_tests() {
151 fi 168 fi
152 169
153 for ktype in $PLAIN_TYPES ; do 170 for ktype in $PLAIN_TYPES ; do
171 t=$(kname $ktype)
154 for privsep in yes no ; do 172 for privsep in yes no ; do
155 _prefix="${ktype} privsep $privsep $auth" 173 _prefix="${ktype} privsep $privsep $auth"
156 # Simple connect 174 # Simple connect
@@ -158,8 +176,13 @@ basic_tests() {
158 ( 176 (
159 cat $OBJ/sshd_proxy_bak 177 cat $OBJ/sshd_proxy_bak
160 echo "UsePrivilegeSeparation $privsep" 178 echo "UsePrivilegeSeparation $privsep"
179 echo "PubkeyAcceptedKeyTypes ${t}"
161 echo "$extra_sshd" 180 echo "$extra_sshd"
162 ) > $OBJ/sshd_proxy 181 ) > $OBJ/sshd_proxy
182 (
183 cat $OBJ/ssh_proxy_bak
184 echo "PubkeyAcceptedKeyTypes ${t}"
185 ) > $OBJ/ssh_proxy
163 186
164 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 187 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
165 -F $OBJ/ssh_proxy somehost true 188 -F $OBJ/ssh_proxy somehost true
@@ -173,6 +196,7 @@ basic_tests() {
173 cat $OBJ/sshd_proxy_bak 196 cat $OBJ/sshd_proxy_bak
174 echo "UsePrivilegeSeparation $privsep" 197 echo "UsePrivilegeSeparation $privsep"
175 echo "RevokedKeys $OBJ/cert_user_key_revoked" 198 echo "RevokedKeys $OBJ/cert_user_key_revoked"
199 echo "PubkeyAcceptedKeyTypes ${t}"
176 echo "$extra_sshd" 200 echo "$extra_sshd"
177 ) > $OBJ/sshd_proxy 201 ) > $OBJ/sshd_proxy
178 cp $OBJ/cert_user_key_${ktype}.pub \ 202 cp $OBJ/cert_user_key_${ktype}.pub \
@@ -205,6 +229,7 @@ basic_tests() {
205 ( 229 (
206 cat $OBJ/sshd_proxy_bak 230 cat $OBJ/sshd_proxy_bak
207 echo "RevokedKeys $OBJ/user_ca_key.pub" 231 echo "RevokedKeys $OBJ/user_ca_key.pub"
232 echo "PubkeyAcceptedKeyTypes ${t}"
208 echo "$extra_sshd" 233 echo "$extra_sshd"
209 ) > $OBJ/sshd_proxy 234 ) > $OBJ/sshd_proxy
210 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ 235 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
@@ -217,6 +242,7 @@ basic_tests() {
217 verbose "$tid: $auth CA does not authenticate" 242 verbose "$tid: $auth CA does not authenticate"
218 ( 243 (
219 cat $OBJ/sshd_proxy_bak 244 cat $OBJ/sshd_proxy_bak
245 echo "PubkeyAcceptedKeyTypes ${t}"
220 echo "$extra_sshd" 246 echo "$extra_sshd"
221 ) > $OBJ/sshd_proxy 247 ) > $OBJ/sshd_proxy
222 verbose "$tid: ensure CA key does not authenticate user" 248 verbose "$tid: ensure CA key does not authenticate user"
@@ -254,6 +280,8 @@ test_one() {
254 echo > $OBJ/authorized_keys_$USER 280 echo > $OBJ/authorized_keys_$USER
255 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ 281 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
256 >> $OBJ/sshd_proxy 282 >> $OBJ/sshd_proxy
283 echo "PubkeyAcceptedKeyTypes ${t}*" \
284 >> $OBJ/sshd_proxy
257 if test "x$auth_opt" != "x" ; then 285 if test "x$auth_opt" != "x" ; then
258 echo $auth_opt >> $OBJ/sshd_proxy 286 echo $auth_opt >> $OBJ/sshd_proxy
259 fi 287 fi
@@ -315,6 +343,7 @@ test_one "principals key option no principals" failure "" \
315# Wrong certificate 343# Wrong certificate
316cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy 344cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
317for ktype in $PLAIN_TYPES ; do 345for ktype in $PLAIN_TYPES ; do
346 t=$(kname $ktype)
318 # Self-sign 347 # Self-sign
319 ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ 348 ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
320 "regress user key for $USER" \ 349 "regress user key for $USER" \
diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh
index a011ec831..094700da6 100644
--- a/regress/hostkey-agent.sh
+++ b/regress/hostkey-agent.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: hostkey-agent.sh,v 1.5 2015/02/21 20:51:02 djm Exp $ 1# $OpenBSD: hostkey-agent.sh,v 1.6 2015/07/10 06:23:25 markus Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="hostkey agent" 4tid="hostkey agent"
@@ -31,10 +31,11 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts
31unset SSH_AUTH_SOCK 31unset SSH_AUTH_SOCK
32 32
33for ps in no yes; do 33for ps in no yes; do
34 cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
35 echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
36 for k in `${SSH} -Q key-plain` ; do 34 for k in `${SSH} -Q key-plain` ; do
37 verbose "key type $k privsep=$ps" 35 verbose "key type $k privsep=$ps"
36 cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
37 echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
38 echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy
38 opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy" 39 opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy"
39 cp $OBJ/known_hosts.orig $OBJ/known_hosts 40 cp $OBJ/known_hosts.orig $OBJ/known_hosts
40 SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'` 41 SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
diff --git a/regress/hostkey-rotate.sh b/regress/hostkey-rotate.sh
index cde6008f4..3aa8c40c0 100644
--- a/regress/hostkey-rotate.sh
+++ b/regress/hostkey-rotate.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: hostkey-rotate.sh,v 1.3 2015/03/24 20:22:17 markus Exp $ 1# $OpenBSD: hostkey-rotate.sh,v 1.4 2015/07/10 06:23:25 markus Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="hostkey rotate" 4tid="hostkey rotate"
@@ -56,7 +56,7 @@ check_key_present ssh-ed25519 || fail "unstrict didn't learn key"
56 56
57# Connect to sshd as usual 57# Connect to sshd as usual
58verbose "learn additional hostkeys" 58verbose "learn additional hostkeys"
59dossh -oStrictHostKeyChecking=yes 59dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs
60# Check that other keys learned 60# Check that other keys learned
61expect_nkeys $nkeys "learn hostkeys" 61expect_nkeys $nkeys "learn hostkeys"
62check_key_present ssh-rsa || fail "didn't learn keys" 62check_key_present ssh-rsa || fail "didn't learn keys"
@@ -74,7 +74,7 @@ verbose "learn changed non-primary hostkey"
74mv $OBJ/hkr.ssh-rsa.pub $OBJ/hkr.ssh-rsa.pub.old 74mv $OBJ/hkr.ssh-rsa.pub $OBJ/hkr.ssh-rsa.pub.old
75rm -f $OBJ/hkr.ssh-rsa 75rm -f $OBJ/hkr.ssh-rsa
76${SSHKEYGEN} -qt ssh-rsa -f $OBJ/hkr.ssh-rsa -N '' || fatal "ssh-keygen $k" 76${SSHKEYGEN} -qt ssh-rsa -f $OBJ/hkr.ssh-rsa -N '' || fatal "ssh-keygen $k"
77dossh -oStrictHostKeyChecking=yes 77dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs
78# Check that the key was replaced 78# Check that the key was replaced
79expect_nkeys $nkeys "learn hostkeys" 79expect_nkeys $nkeys "learn hostkeys"
80check_key_present ssh-rsa $OBJ/hkr.ssh-rsa.pub.old && fail "old key present" 80check_key_present ssh-rsa $OBJ/hkr.ssh-rsa.pub.old && fail "old key present"
@@ -109,7 +109,7 @@ dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa
109expect_nkeys 1 "learn hostkeys" 109expect_nkeys 1 "learn hostkeys"
110check_key_present ssh-rsa || fail "didn't learn changed key" 110check_key_present ssh-rsa || fail "didn't learn changed key"
111 111
112# $OpenBSD: hostkey-rotate.sh,v 1.3 2015/03/24 20:22:17 markus Exp $ 112# $OpenBSD: hostkey-rotate.sh,v 1.4 2015/07/10 06:23:25 markus Exp $
113# Placed in the Public Domain. 113# Placed in the Public Domain.
114 114
115tid="hostkey rotate" 115tid="hostkey rotate"
diff --git a/regress/keytype.sh b/regress/keytype.sh
index 9752acb0a..8f697788f 100644
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: keytype.sh,v 1.3 2013/12/06 13:52:46 markus Exp $ 1# $OpenBSD: keytype.sh,v 1.4 2015/07/10 06:23:25 markus Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="login with different key types" 4tid="login with different key types"
@@ -36,14 +36,26 @@ for ut in $ktypes; do
36 htypes=$ut 36 htypes=$ut
37 #htypes=$ktypes 37 #htypes=$ktypes
38 for ht in $htypes; do 38 for ht in $htypes; do
39 case $ht in
40 dsa-1024) t=ssh-dss;;
41 ecdsa-256) t=ecdsa-sha2-nistp256;;
42 ecdsa-384) t=ecdsa-sha2-nistp384;;
43 ecdsa-521) t=ecdsa-sha2-nistp521;;
44 ed25519-512) t=ssh-ed25519;;
45 rsa-*) t=ssh-rsa;;
46 esac
39 trace "ssh connect, userkey $ut, hostkey $ht" 47 trace "ssh connect, userkey $ut, hostkey $ht"
40 ( 48 (
41 grep -v HostKey $OBJ/sshd_proxy_bak 49 grep -v HostKey $OBJ/sshd_proxy_bak
42 echo HostKey $OBJ/key.$ht 50 echo HostKey $OBJ/key.$ht
51 echo PubkeyAcceptedKeyTypes $t
52 echo HostKeyAlgorithms $t
43 ) > $OBJ/sshd_proxy 53 ) > $OBJ/sshd_proxy
44 ( 54 (
45 grep -v IdentityFile $OBJ/ssh_proxy_bak 55 grep -v IdentityFile $OBJ/ssh_proxy_bak
46 echo IdentityFile $OBJ/key.$ut 56 echo IdentityFile $OBJ/key.$ut
57 echo PubkeyAcceptedKeyTypes $t
58 echo HostKeyAlgorithms $t
47 ) > $OBJ/ssh_proxy 59 ) > $OBJ/ssh_proxy
48 ( 60 (
49 printf 'localhost-with-alias,127.0.0.1,::1 ' 61 printf 'localhost-with-alias,127.0.0.1,::1 '
diff --git a/regress/unittests/kex/test_kex.c b/regress/unittests/kex/test_kex.c
index c61e2bdbb..6e5999bb9 100644
--- a/regress/unittests/kex/test_kex.c
+++ b/regress/unittests/kex/test_kex.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_kex.c,v 1.1 2015/01/15 23:41:29 markus Exp $ */ 1/* $OpenBSD: test_kex.c,v 1.2 2015/07/10 06:23:25 markus Exp $ */
2/* 2/*
3 * Regress test KEX 3 * Regress test KEX
4 * 4 *
@@ -85,6 +85,7 @@ do_kex_with_key(char *kex, int keytype, int bits)
85 struct sshbuf *state; 85 struct sshbuf *state;
86 struct kex_params kex_params; 86 struct kex_params kex_params;
87 char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; 87 char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
88 char *keyname = NULL;
88 89
89 TEST_START("sshkey_generate"); 90 TEST_START("sshkey_generate");
90 ASSERT_INT_EQ(sshkey_generate(keytype, bits, &private), 0); 91 ASSERT_INT_EQ(sshkey_generate(keytype, bits, &private), 0);
@@ -98,6 +99,9 @@ do_kex_with_key(char *kex, int keytype, int bits)
98 memcpy(kex_params.proposal, myproposal, sizeof(myproposal)); 99 memcpy(kex_params.proposal, myproposal, sizeof(myproposal));
99 if (kex != NULL) 100 if (kex != NULL)
100 kex_params.proposal[PROPOSAL_KEX_ALGS] = kex; 101 kex_params.proposal[PROPOSAL_KEX_ALGS] = kex;
102 keyname = strdup(sshkey_ssh_name(private));
103 ASSERT_PTR_NE(keyname, NULL);
104 kex_params.proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = keyname;
101 ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0); 105 ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0);
102 ASSERT_INT_EQ(ssh_init(&server, 1, &kex_params), 0); 106 ASSERT_INT_EQ(ssh_init(&server, 1, &kex_params), 0);
103 ASSERT_PTR_NE(client, NULL); 107 ASSERT_PTR_NE(client, NULL);
@@ -167,6 +171,7 @@ do_kex_with_key(char *kex, int keytype, int bits)
167 ssh_free(client); 171 ssh_free(client);
168 ssh_free(server); 172 ssh_free(server);
169 ssh_free(server2); 173 ssh_free(server2);
174 free(keyname);
170 TEST_DONE(); 175 TEST_DONE();
171} 176}
172 177
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-29 08:42:47 +0000