1 files changed, 79 insertions, 90 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 51685dc2b..3f53922c8 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,11 +1,32 @@
-#       $OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $
+#       $OpenBSD: cert-hostkey.sh,v 1.13 2015/07/10 06:23:25 markus Exp $
 #       Placed in the Public Domain.
 tid="certified host keys"
 rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_*
 rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
+# Allow all hostkey/pubkey types, prefer certs for the client
+types=""
+for i in `$SSH -Q key`; do
+        if [ -z "$types" ]; then
+                types="$i"
+                continue
+        fi
+        case "$i" in
+        *cert*) types="$i,$types";;
+        *)      types="$types,$i";;
+        esac
+done
+(
+        echo "HostKeyAlgorithms ${types}"
+        echo "PubkeyAcceptedKeyTypes *"
+) >> $OBJ/ssh_proxy
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+(
+        echo "HostKeyAlgorithms *"
+        echo "PubkeyAcceptedKeyTypes *"
+) >> $OBJ/sshd_proxy_bak
 HOSTS='localhost-with-alias,127.0.0.1,::1'
@@ -27,13 +48,6 @@ cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
-type_has_legacy() {
-        case $1 in
-                ed25519*|ecdsa*) return 1 ;;
-        esac
-        return 0
-}
 # Prepare certificate, plain key and CA KRLs
 ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
 ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
@@ -61,18 +75,6 @@ for ktype in $PLAIN_TYPES ; do
                fatal "KRL update failed"
        cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert
        serial=`expr $serial + 1`
-        type_has_legacy $ktype || continue
-        cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
-        cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
-        verbose "$tid: sign host ${ktype}_v00 cert"
-        ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
-            -I "regress host key for $USER" \
-            -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
-                fatal "couldn't sign cert_host_key_${ktype}_v00"
-        ${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
-            $OBJ/cert_host_key_${ktype}_v00-cert.pub || \
-                fatal "KRL update failed"
-        cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert
 done
 attempt_connect() {
@@ -98,7 +100,7 @@ attempt_connect() {
 # Basic connect and revocation tests.
 for privsep in yes no ; do
-        for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 
+        for ktype in $PLAIN_TYPES ; do 
                verbose "$tid: host ${ktype} cert connect privsep $privsep"
                (
                        cat $OBJ/sshd_proxy_bak
@@ -133,14 +135,14 @@ done
        printf '@cert-authority '
        printf "$HOSTS "
        cat $OBJ/host_ca_key.pub
-        for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
+        for ktype in $PLAIN_TYPES ; do
                test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
                printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
        done
 ) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
 for privsep in yes no ; do
-        for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 
+        for ktype in $PLAIN_TYPES ; do 
                verbose "$tid: host ${ktype} revoked cert privsep $privsep"
                (
                        cat $OBJ/sshd_proxy_bak
@@ -169,7 +171,7 @@ done
        cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
+for ktype in $PLAIN_TYPES ; do 
        verbose "$tid: host ${ktype} revoked cert"
        (
                cat $OBJ/sshd_proxy_bak
@@ -198,17 +200,10 @@ test_one() {
        result=$2
        sign_opts=$3
-        for kt in rsa rsa_v00 ; do
+        for kt in rsa ed25519 ; do
-                case $kt in
-                *_v00) args="-t v00" ;;
-                *) args="" ;;
-                esac
-                verbose "$tid: host cert connect $ident $kt expect $result"
                ${SSHKEYGEN} -q -s $OBJ/host_ca_key \
                    -I "regress host key for $USER" \
-                    $sign_opts $args \
+                    $sign_opts $OBJ/cert_host_key_${kt} ||
-                    $OBJ/cert_host_key_${kt} ||
                        fail "couldn't sign cert_host_key_${kt}"
                (
                        cat $OBJ/sshd_proxy_bak
@@ -242,36 +237,33 @@ test_one "cert valid interval"	success "-h -V-1w:+2w"
 test_one "cert has constraints" failure "-h -Oforce-command=false"
 # Check downgrade of cert to raw key when no CA found
-for v in v01 v00 ;  do 
+for ktype in $PLAIN_TYPES ; do 
-        for ktype in $PLAIN_TYPES ; do 
+        rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
-                type_has_legacy $ktype || continue
+        verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
-                rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
+        # Generate and sign a host key
-                verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
+        ${SSHKEYGEN} -q -N '' -t ${ktype} \
-                # Generate and sign a host key
+            -f $OBJ/cert_host_key_${ktype} || \
-                ${SSHKEYGEN} -q -N '' -t ${ktype} \
+                fail "ssh-keygen of cert_host_key_${ktype} failed"
-                    -f $OBJ/cert_host_key_${ktype} || \
+        ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
-                        fail "ssh-keygen of cert_host_key_${ktype} failed"
+            -I "regress host key for $USER" \
-                ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
+            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
-                    -I "regress host key for $USER" \
+                fail "couldn't sign cert_host_key_${ktype}"
-                    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+        (
-                        fail "couldn't sign cert_host_key_${ktype}"
+                printf "$HOSTS "
-                (
+                cat $OBJ/cert_host_key_${ktype}.pub
-                        printf "$HOSTS "
+        ) > $OBJ/known_hosts-cert
-                        cat $OBJ/cert_host_key_${ktype}.pub
+        (
-                ) > $OBJ/known_hosts-cert
+                cat $OBJ/sshd_proxy_bak
-                (
+                echo HostKey $OBJ/cert_host_key_${ktype}
-                        cat $OBJ/sshd_proxy_bak
+                echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-                        echo HostKey $OBJ/cert_host_key_${ktype}
+        ) > $OBJ/sshd_proxy
-                        echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+        
-                ) > $OBJ/sshd_proxy
+        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-                
+            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                -F $OBJ/ssh_proxy somehost true
-                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+        if [ $? -ne 0 ]; then
-                        -F $OBJ/ssh_proxy somehost true
+                fail "ssh cert connect failed"
-                if [ $? -ne 0 ]; then
+        fi
-                        fail "ssh cert connect failed"
-                fi
-        done
 done
 # Wrong certificate
@@ -281,33 +273,30 @@ done
        cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for v in v01 v00 ;  do 
+for kt in $PLAIN_TYPES ; do 
-        for kt in $PLAIN_TYPES ; do 
+        rm -f $OBJ/cert_host_key*
-                type_has_legacy $kt || continue
+        # Self-sign key
-                rm -f $OBJ/cert_host_key*
+        ${SSHKEYGEN} -q -N '' -t ${kt} \
-                # Self-sign key
+            -f $OBJ/cert_host_key_${kt} || \
-                ${SSHKEYGEN} -q -N '' -t ${kt} \
+                fail "ssh-keygen of cert_host_key_${kt} failed"
-                    -f $OBJ/cert_host_key_${kt} || \
+        ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
-                        fail "ssh-keygen of cert_host_key_${kt} failed"
+            -I "regress host key for $USER" \
-                ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
+            -n $HOSTS $OBJ/cert_host_key_${kt} ||
-                    -I "regress host key for $USER" \
+                fail "couldn't sign cert_host_key_${kt}"
-                    -n $HOSTS $OBJ/cert_host_key_${kt} ||
+        verbose "$tid: host ${kt} connect wrong cert"
-                        fail "couldn't sign cert_host_key_${kt}"
+        (
-                verbose "$tid: host ${kt} connect wrong cert"
+                cat $OBJ/sshd_proxy_bak
-                (
+                echo HostKey $OBJ/cert_host_key_${kt}
-                        cat $OBJ/sshd_proxy_bak
+                echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
-                        echo HostKey $OBJ/cert_host_key_${kt}
+        ) > $OBJ/sshd_proxy
-                        echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
-                ) > $OBJ/sshd_proxy
+        cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-        
+        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-                cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
+            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
-                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+        if [ $? -eq 0 ]; then
-                        -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+                fail "ssh cert connect $ident succeeded unexpectedly"
-                if [ $? -eq 0 ]; then
+        fi
-                        fail "ssh cert connect $ident succeeded unexpectedly"
-                fi
-        done
 done
 rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*

diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 51685dc2b..3f53922c8 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh
@@ -1,11 +1,32 @@
1	# $OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $	1	# $OpenBSD: cert-hostkey.sh,v 1.13 2015/07/10 06:23:25 markus Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified host keys"	4	tid="certified host keys"
5		5
6	rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_*	6	rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_*
7	rm -f $OBJ/cert_host_key* $OBJ/host_krl_*	7	rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
		8
		9	# Allow all hostkey/pubkey types, prefer certs for the client
		10	types=""
		11	for i in `$SSH -Q key`; do
		12	if [ -z "$types" ]; then
		13	types="$i"
		14	continue
		15	fi
		16	case "$i" in
		17	cert) types="$i,$types";;
		18	*) types="$types,$i";;
		19	esac
		20	done
		21	(
		22	echo "HostKeyAlgorithms ${types}"
		23	echo "PubkeyAcceptedKeyTypes *"
		24	) >> $OBJ/ssh_proxy
8	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak	25	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
		26	(
		27	echo "HostKeyAlgorithms *"
		28	echo "PubkeyAcceptedKeyTypes *"
		29	) >> $OBJ/sshd_proxy_bak
9		30
10	HOSTS='localhost-with-alias,127.0.0.1,::1'	31	HOSTS='localhost-with-alias,127.0.0.1,::1'
11		32
@@ -27,13 +48,6 @@ cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
27		48
28	PLAIN_TYPES=`$SSH -Q key-plain \| sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`	49	PLAIN_TYPES=`$SSH -Q key-plain \| sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
29		50
30	type_has_legacy() {
31	case $1 in
32	ed25519\|ecdsa) return 1 ;;
33	esac
34	return 0
35	}
36
37	# Prepare certificate, plain key and CA KRLs	51	# Prepare certificate, plain key and CA KRLs
38	${SSHKEYGEN} -kf $OBJ/host_krl_empty \|\| fatal "KRL init failed"	52	${SSHKEYGEN} -kf $OBJ/host_krl_empty \|\| fatal "KRL init failed"
39	${SSHKEYGEN} -kf $OBJ/host_krl_plain \|\| fatal "KRL init failed"	53	${SSHKEYGEN} -kf $OBJ/host_krl_plain \|\| fatal "KRL init failed"
@@ -61,18 +75,6 @@ for ktype in $PLAIN_TYPES ; do
61	fatal "KRL update failed"	75	fatal "KRL update failed"
62	cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert	76	cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert
63	serial=`expr $serial + 1`	77	serial=`expr $serial + 1`
64	type_has_legacy $ktype \|\| continue
65	cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
66	cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
67	verbose "$tid: sign host ${ktype}_v00 cert"
68	${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
69	-I "regress host key for $USER" \
70	-n $HOSTS $OBJ/cert_host_key_${ktype}_v00 \|\|
71	fatal "couldn't sign cert_host_key_${ktype}_v00"
72	${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
73	$OBJ/cert_host_key_${ktype}_v00-cert.pub \|\| \
74	fatal "KRL update failed"
75	cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert
76	done	78	done
77		79
78	attempt_connect() {	80	attempt_connect() {
@@ -98,7 +100,7 @@ attempt_connect() {
98		100
99	# Basic connect and revocation tests.	101	# Basic connect and revocation tests.
100	for privsep in yes no ; do	102	for privsep in yes no ; do
101	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do	103	for ktype in $PLAIN_TYPES ; do
102	verbose "$tid: host ${ktype} cert connect privsep $privsep"	104	verbose "$tid: host ${ktype} cert connect privsep $privsep"
103	(	105	(
104	cat $OBJ/sshd_proxy_bak	106	cat $OBJ/sshd_proxy_bak
@@ -133,14 +135,14 @@ done
133	printf '@cert-authority '	135	printf '@cert-authority '
134	printf "$HOSTS "	136	printf "$HOSTS "
135	cat $OBJ/host_ca_key.pub	137	cat $OBJ/host_ca_key.pub
136	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do	138	for ktype in $PLAIN_TYPES ; do
137	test -f "$OBJ/cert_host_key_${ktype}.pub" \|\| fatal "no pubkey"	139	test -f "$OBJ/cert_host_key_${ktype}.pub" \|\| fatal "no pubkey"
138	printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"	140	printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
139	done	141	done
140	) > $OBJ/known_hosts-cert.orig	142	) > $OBJ/known_hosts-cert.orig
141	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	143	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
142	for privsep in yes no ; do	144	for privsep in yes no ; do
143	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do	145	for ktype in $PLAIN_TYPES ; do
144	verbose "$tid: host ${ktype} revoked cert privsep $privsep"	146	verbose "$tid: host ${ktype} revoked cert privsep $privsep"
145	(	147	(
146	cat $OBJ/sshd_proxy_bak	148	cat $OBJ/sshd_proxy_bak
@@ -169,7 +171,7 @@ done
169	cat $OBJ/host_ca_key.pub	171	cat $OBJ/host_ca_key.pub
170	) > $OBJ/known_hosts-cert.orig	172	) > $OBJ/known_hosts-cert.orig
171	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	173	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
172	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do	174	for ktype in $PLAIN_TYPES ; do
173	verbose "$tid: host ${ktype} revoked cert"	175	verbose "$tid: host ${ktype} revoked cert"
174	(	176	(
175	cat $OBJ/sshd_proxy_bak	177	cat $OBJ/sshd_proxy_bak
@@ -198,17 +200,10 @@ test_one() {
198	result=$2	200	result=$2
199	sign_opts=$3	201	sign_opts=$3
200		202
201	for kt in rsa rsa_v00 ; do	203	for kt in rsa ed25519 ; do
202	case $kt in
203	*_v00) args="-t v00" ;;
204	*) args="" ;;
205	esac
206
207	verbose "$tid: host cert connect $ident $kt expect $result"
208	${SSHKEYGEN} -q -s $OBJ/host_ca_key \	204	${SSHKEYGEN} -q -s $OBJ/host_ca_key \
209	-I "regress host key for $USER" \	205	-I "regress host key for $USER" \
210	$sign_opts $args \	206	$sign_opts $OBJ/cert_host_key_${kt} \|\|
211	$OBJ/cert_host_key_${kt} \|\|
212	fail "couldn't sign cert_host_key_${kt}"	207	fail "couldn't sign cert_host_key_${kt}"
213	(	208	(
214	cat $OBJ/sshd_proxy_bak	209	cat $OBJ/sshd_proxy_bak
@@ -242,36 +237,33 @@ test_one "cert valid interval" success "-h -V-1w:+2w"
242	test_one "cert has constraints" failure "-h -Oforce-command=false"	237	test_one "cert has constraints" failure "-h -Oforce-command=false"
243		238
244	# Check downgrade of cert to raw key when no CA found	239	# Check downgrade of cert to raw key when no CA found
245	for v in v01 v00 ; do	240	for ktype in $PLAIN_TYPES ; do
246	for ktype in $PLAIN_TYPES ; do	241	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
247	type_has_legacy $ktype \|\| continue	242	verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
248	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*	243	# Generate and sign a host key
249	verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"	244	${SSHKEYGEN} -q -N '' -t ${ktype} \
250	# Generate and sign a host key	245	-f $OBJ/cert_host_key_${ktype} \|\| \
251	${SSHKEYGEN} -q -N '' -t ${ktype} \	246	fail "ssh-keygen of cert_host_key_${ktype} failed"
252	-f $OBJ/cert_host_key_${ktype} \|\| \	247	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
253	fail "ssh-keygen of cert_host_key_${ktype} failed"	248	-I "regress host key for $USER" \
254	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \	249	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
255	-I "regress host key for $USER" \	250	fail "couldn't sign cert_host_key_${ktype}"
256	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|	251	(
257	fail "couldn't sign cert_host_key_${ktype}"	252	printf "$HOSTS "
258	(	253	cat $OBJ/cert_host_key_${ktype}.pub
259	printf "$HOSTS "	254	) > $OBJ/known_hosts-cert
260	cat $OBJ/cert_host_key_${ktype}.pub	255	(
261	) > $OBJ/known_hosts-cert	256	cat $OBJ/sshd_proxy_bak
262	(	257	echo HostKey $OBJ/cert_host_key_${ktype}
263	cat $OBJ/sshd_proxy_bak	258	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
264	echo HostKey $OBJ/cert_host_key_${ktype}	259	) > $OBJ/sshd_proxy
265	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub	260
266	) > $OBJ/sshd_proxy	261	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
267		262	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
268	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \	263	-F $OBJ/ssh_proxy somehost true
269	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \	264	if [ $? -ne 0 ]; then
270	-F $OBJ/ssh_proxy somehost true	265	fail "ssh cert connect failed"
271	if [ $? -ne 0 ]; then	266	fi
272	fail "ssh cert connect failed"
273	fi
274	done
275	done	267	done
276		268
277	# Wrong certificate	269	# Wrong certificate
@@ -281,33 +273,30 @@ done
281	cat $OBJ/host_ca_key.pub	273	cat $OBJ/host_ca_key.pub
282	) > $OBJ/known_hosts-cert.orig	274	) > $OBJ/known_hosts-cert.orig
283	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	275	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
284	for v in v01 v00 ; do	276	for kt in $PLAIN_TYPES ; do
285	for kt in $PLAIN_TYPES ; do	277	rm -f $OBJ/cert_host_key*
286	type_has_legacy $kt \|\| continue	278	# Self-sign key
287	rm -f $OBJ/cert_host_key*	279	${SSHKEYGEN} -q -N '' -t ${kt} \
288	# Self-sign key	280	-f $OBJ/cert_host_key_${kt} \|\| \
289	${SSHKEYGEN} -q -N '' -t ${kt} \	281	fail "ssh-keygen of cert_host_key_${kt} failed"
290	-f $OBJ/cert_host_key_${kt} \|\| \	282	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
291	fail "ssh-keygen of cert_host_key_${kt} failed"	283	-I "regress host key for $USER" \
292	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \	284	-n $HOSTS $OBJ/cert_host_key_${kt} \|\|
293	-I "regress host key for $USER" \	285	fail "couldn't sign cert_host_key_${kt}"
294	-n $HOSTS $OBJ/cert_host_key_${kt} \|\|	286	verbose "$tid: host ${kt} connect wrong cert"
295	fail "couldn't sign cert_host_key_${kt}"	287	(
296	verbose "$tid: host ${kt} connect wrong cert"	288	cat $OBJ/sshd_proxy_bak
297	(	289	echo HostKey $OBJ/cert_host_key_${kt}
298	cat $OBJ/sshd_proxy_bak	290	echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
299	echo HostKey $OBJ/cert_host_key_${kt}	291	) > $OBJ/sshd_proxy
300	echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub	292
301	) > $OBJ/sshd_proxy	293	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
302		294	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
303	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	295	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
304	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \	296	-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
305	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \	297	if [ $? -eq 0 ]; then
306	-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1	298	fail "ssh cert connect $ident succeeded unexpectedly"
307	if [ $? -eq 0 ]; then	299	fi
308	fail "ssh cert connect $ident succeeded unexpectedly"
309	fi
310	done
311	done	300	done
312		301
313	rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*	302	rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*