diff options
Diffstat (limited to 'regress/cert-userkey.sh')
| -rw-r--r-- | regress/cert-userkey.sh | 31 |
1 files changed, 30 insertions, 1 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index d461b9e34..739a036e2 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh | |||
| @@ -1,13 +1,19 @@ | |||
| 1 | # $OpenBSD: cert-userkey.sh,v 1.13 2015/07/03 04:39:23 djm Exp $ | 1 | # $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified user keys" | 4 | tid="certified user keys" |
| 5 | 5 | ||
| 6 | rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* | 6 | rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* |
| 7 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | 7 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
| 8 | cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak | ||
| 8 | 9 | ||
| 9 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` | 10 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` |
| 10 | 11 | ||
| 12 | kname() { | ||
| 13 | echo -n $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/' | ||
| 14 | echo "*,ssh-rsa*,ssh-ed25519*" | ||
| 15 | } | ||
| 16 | |||
| 11 | # Create a CA key | 17 | # Create a CA key |
| 12 | ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ | 18 | ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ |
| 13 | fail "ssh-keygen of user_ca_key failed" | 19 | fail "ssh-keygen of user_ca_key failed" |
| @@ -25,6 +31,7 @@ done | |||
| 25 | 31 | ||
| 26 | # Test explicitly-specified principals | 32 | # Test explicitly-specified principals |
| 27 | for ktype in $PLAIN_TYPES ; do | 33 | for ktype in $PLAIN_TYPES ; do |
| 34 | t=$(kname $ktype) | ||
| 28 | for privsep in yes no ; do | 35 | for privsep in yes no ; do |
| 29 | _prefix="${ktype} privsep $privsep" | 36 | _prefix="${ktype} privsep $privsep" |
| 30 | 37 | ||
| @@ -36,7 +43,12 @@ for ktype in $PLAIN_TYPES ; do | |||
| 36 | echo "AuthorizedPrincipalsFile " \ | 43 | echo "AuthorizedPrincipalsFile " \ |
| 37 | "$OBJ/authorized_principals_%u" | 44 | "$OBJ/authorized_principals_%u" |
| 38 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" | 45 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" |
| 46 | echo "PubkeyAcceptedKeyTypes ${t}" | ||
| 39 | ) > $OBJ/sshd_proxy | 47 | ) > $OBJ/sshd_proxy |
| 48 | ( | ||
| 49 | cat $OBJ/ssh_proxy_bak | ||
| 50 | echo "PubkeyAcceptedKeyTypes ${t}" | ||
| 51 | ) > $OBJ/ssh_proxy | ||
| 40 | 52 | ||
| 41 | # Missing authorized_principals | 53 | # Missing authorized_principals |
| 42 | verbose "$tid: ${_prefix} missing authorized_principals" | 54 | verbose "$tid: ${_prefix} missing authorized_principals" |
| @@ -109,7 +121,12 @@ for ktype in $PLAIN_TYPES ; do | |||
| 109 | ( | 121 | ( |
| 110 | cat $OBJ/sshd_proxy_bak | 122 | cat $OBJ/sshd_proxy_bak |
| 111 | echo "UsePrivilegeSeparation $privsep" | 123 | echo "UsePrivilegeSeparation $privsep" |
| 124 | echo "PubkeyAcceptedKeyTypes ${t}" | ||
| 112 | ) > $OBJ/sshd_proxy | 125 | ) > $OBJ/sshd_proxy |
| 126 | ( | ||
| 127 | cat $OBJ/ssh_proxy_bak | ||
| 128 | echo "PubkeyAcceptedKeyTypes ${t}" | ||
| 129 | ) > $OBJ/ssh_proxy | ||
| 113 | 130 | ||
| 114 | # Wrong principals list | 131 | # Wrong principals list |
| 115 | verbose "$tid: ${_prefix} wrong principals key option" | 132 | verbose "$tid: ${_prefix} wrong principals key option" |
| @@ -151,6 +168,7 @@ basic_tests() { | |||
| 151 | fi | 168 | fi |
| 152 | 169 | ||
| 153 | for ktype in $PLAIN_TYPES ; do | 170 | for ktype in $PLAIN_TYPES ; do |
| 171 | t=$(kname $ktype) | ||
| 154 | for privsep in yes no ; do | 172 | for privsep in yes no ; do |
| 155 | _prefix="${ktype} privsep $privsep $auth" | 173 | _prefix="${ktype} privsep $privsep $auth" |
| 156 | # Simple connect | 174 | # Simple connect |
| @@ -158,8 +176,13 @@ basic_tests() { | |||
| 158 | ( | 176 | ( |
| 159 | cat $OBJ/sshd_proxy_bak | 177 | cat $OBJ/sshd_proxy_bak |
| 160 | echo "UsePrivilegeSeparation $privsep" | 178 | echo "UsePrivilegeSeparation $privsep" |
| 179 | echo "PubkeyAcceptedKeyTypes ${t}" | ||
| 161 | echo "$extra_sshd" | 180 | echo "$extra_sshd" |
| 162 | ) > $OBJ/sshd_proxy | 181 | ) > $OBJ/sshd_proxy |
| 182 | ( | ||
| 183 | cat $OBJ/ssh_proxy_bak | ||
| 184 | echo "PubkeyAcceptedKeyTypes ${t}" | ||
| 185 | ) > $OBJ/ssh_proxy | ||
| 163 | 186 | ||
| 164 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 187 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 165 | -F $OBJ/ssh_proxy somehost true | 188 | -F $OBJ/ssh_proxy somehost true |
| @@ -173,6 +196,7 @@ basic_tests() { | |||
| 173 | cat $OBJ/sshd_proxy_bak | 196 | cat $OBJ/sshd_proxy_bak |
| 174 | echo "UsePrivilegeSeparation $privsep" | 197 | echo "UsePrivilegeSeparation $privsep" |
| 175 | echo "RevokedKeys $OBJ/cert_user_key_revoked" | 198 | echo "RevokedKeys $OBJ/cert_user_key_revoked" |
| 199 | echo "PubkeyAcceptedKeyTypes ${t}" | ||
| 176 | echo "$extra_sshd" | 200 | echo "$extra_sshd" |
| 177 | ) > $OBJ/sshd_proxy | 201 | ) > $OBJ/sshd_proxy |
| 178 | cp $OBJ/cert_user_key_${ktype}.pub \ | 202 | cp $OBJ/cert_user_key_${ktype}.pub \ |
| @@ -205,6 +229,7 @@ basic_tests() { | |||
| 205 | ( | 229 | ( |
| 206 | cat $OBJ/sshd_proxy_bak | 230 | cat $OBJ/sshd_proxy_bak |
| 207 | echo "RevokedKeys $OBJ/user_ca_key.pub" | 231 | echo "RevokedKeys $OBJ/user_ca_key.pub" |
| 232 | echo "PubkeyAcceptedKeyTypes ${t}" | ||
| 208 | echo "$extra_sshd" | 233 | echo "$extra_sshd" |
| 209 | ) > $OBJ/sshd_proxy | 234 | ) > $OBJ/sshd_proxy |
| 210 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ | 235 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ |
| @@ -217,6 +242,7 @@ basic_tests() { | |||
| 217 | verbose "$tid: $auth CA does not authenticate" | 242 | verbose "$tid: $auth CA does not authenticate" |
| 218 | ( | 243 | ( |
| 219 | cat $OBJ/sshd_proxy_bak | 244 | cat $OBJ/sshd_proxy_bak |
| 245 | echo "PubkeyAcceptedKeyTypes ${t}" | ||
| 220 | echo "$extra_sshd" | 246 | echo "$extra_sshd" |
| 221 | ) > $OBJ/sshd_proxy | 247 | ) > $OBJ/sshd_proxy |
| 222 | verbose "$tid: ensure CA key does not authenticate user" | 248 | verbose "$tid: ensure CA key does not authenticate user" |
| @@ -254,6 +280,8 @@ test_one() { | |||
| 254 | echo > $OBJ/authorized_keys_$USER | 280 | echo > $OBJ/authorized_keys_$USER |
| 255 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ | 281 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ |
| 256 | >> $OBJ/sshd_proxy | 282 | >> $OBJ/sshd_proxy |
| 283 | echo "PubkeyAcceptedKeyTypes ${t}*" \ | ||
| 284 | >> $OBJ/sshd_proxy | ||
| 257 | if test "x$auth_opt" != "x" ; then | 285 | if test "x$auth_opt" != "x" ; then |
| 258 | echo $auth_opt >> $OBJ/sshd_proxy | 286 | echo $auth_opt >> $OBJ/sshd_proxy |
| 259 | fi | 287 | fi |
| @@ -315,6 +343,7 @@ test_one "principals key option no principals" failure "" \ | |||
| 315 | # Wrong certificate | 343 | # Wrong certificate |
| 316 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy | 344 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
| 317 | for ktype in $PLAIN_TYPES ; do | 345 | for ktype in $PLAIN_TYPES ; do |
| 346 | t=$(kname $ktype) | ||
| 318 | # Self-sign | 347 | # Self-sign |
| 319 | ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ | 348 | ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ |
| 320 | "regress user key for $USER" \ | 349 | "regress user key for $USER" \ |