diff options
Diffstat (limited to 'regress/cert-userkey.sh')
| -rw-r--r-- | regress/cert-userkey.sh | 64 |
1 files changed, 34 insertions, 30 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index b093a9196..c38c00a02 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh | |||
| @@ -1,18 +1,17 @@ | |||
| 1 | # $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $ | 1 | # $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified user keys" | 4 | tid="certified user keys" |
| 5 | 5 | ||
| 6 | rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* | 6 | rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* |
| 7 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | 7 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
| 8 | cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak | ||
| 8 | 9 | ||
| 9 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` | 10 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` |
| 10 | 11 | ||
| 11 | type_has_legacy() { | 12 | kname() { |
| 12 | case $1 in | 13 | n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'` |
| 13 | ed25519*|ecdsa*) return 1 ;; | 14 | echo "$n*,ssh-rsa*,ssh-ed25519*" |
| 14 | esac | ||
| 15 | return 0 | ||
| 16 | } | 15 | } |
| 17 | 16 | ||
| 18 | # Create a CA key | 17 | # Create a CA key |
| @@ -28,18 +27,11 @@ for ktype in $PLAIN_TYPES ; do | |||
| 28 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ | 27 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ |
| 29 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || | 28 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || |
| 30 | fail "couldn't sign cert_user_key_${ktype}" | 29 | fail "couldn't sign cert_user_key_${ktype}" |
| 31 | type_has_legacy $ktype || continue | ||
| 32 | cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 | ||
| 33 | cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub | ||
| 34 | verbose "$tid: sign host ${ktype}_v00 cert" | ||
| 35 | ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ | ||
| 36 | "regress user key for $USER" \ | ||
| 37 | -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || | ||
| 38 | fatal "couldn't sign cert_user_key_${ktype}_v00" | ||
| 39 | done | 30 | done |
| 40 | 31 | ||
| 41 | # Test explicitly-specified principals | 32 | # Test explicitly-specified principals |
| 42 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do | 33 | for ktype in $PLAIN_TYPES ; do |
| 34 | t=$(kname $ktype) | ||
| 43 | for privsep in yes no ; do | 35 | for privsep in yes no ; do |
| 44 | _prefix="${ktype} privsep $privsep" | 36 | _prefix="${ktype} privsep $privsep" |
| 45 | 37 | ||
| @@ -51,7 +43,12 @@ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do | |||
| 51 | echo "AuthorizedPrincipalsFile " \ | 43 | echo "AuthorizedPrincipalsFile " \ |
| 52 | "$OBJ/authorized_principals_%u" | 44 | "$OBJ/authorized_principals_%u" |
| 53 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" | 45 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" |
| 46 | echo "PubkeyAcceptedKeyTypes ${t}" | ||
| 54 | ) > $OBJ/sshd_proxy | 47 | ) > $OBJ/sshd_proxy |
| 48 | ( | ||
| 49 | cat $OBJ/ssh_proxy_bak | ||
| 50 | echo "PubkeyAcceptedKeyTypes ${t}" | ||
| 51 | ) > $OBJ/ssh_proxy | ||
| 55 | 52 | ||
| 56 | # Missing authorized_principals | 53 | # Missing authorized_principals |
| 57 | verbose "$tid: ${_prefix} missing authorized_principals" | 54 | verbose "$tid: ${_prefix} missing authorized_principals" |
| @@ -124,7 +121,12 @@ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do | |||
| 124 | ( | 121 | ( |
| 125 | cat $OBJ/sshd_proxy_bak | 122 | cat $OBJ/sshd_proxy_bak |
| 126 | echo "UsePrivilegeSeparation $privsep" | 123 | echo "UsePrivilegeSeparation $privsep" |
| 124 | echo "PubkeyAcceptedKeyTypes ${t}" | ||
| 127 | ) > $OBJ/sshd_proxy | 125 | ) > $OBJ/sshd_proxy |
| 126 | ( | ||
| 127 | cat $OBJ/ssh_proxy_bak | ||
| 128 | echo "PubkeyAcceptedKeyTypes ${t}" | ||
| 129 | ) > $OBJ/ssh_proxy | ||
| 128 | 130 | ||
| 129 | # Wrong principals list | 131 | # Wrong principals list |
| 130 | verbose "$tid: ${_prefix} wrong principals key option" | 132 | verbose "$tid: ${_prefix} wrong principals key option" |
| @@ -165,7 +167,8 @@ basic_tests() { | |||
| 165 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" | 167 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" |
| 166 | fi | 168 | fi |
| 167 | 169 | ||
| 168 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do | 170 | for ktype in $PLAIN_TYPES ; do |
| 171 | t=$(kname $ktype) | ||
| 169 | for privsep in yes no ; do | 172 | for privsep in yes no ; do |
| 170 | _prefix="${ktype} privsep $privsep $auth" | 173 | _prefix="${ktype} privsep $privsep $auth" |
| 171 | # Simple connect | 174 | # Simple connect |
| @@ -173,8 +176,13 @@ basic_tests() { | |||
| 173 | ( | 176 | ( |
| 174 | cat $OBJ/sshd_proxy_bak | 177 | cat $OBJ/sshd_proxy_bak |
| 175 | echo "UsePrivilegeSeparation $privsep" | 178 | echo "UsePrivilegeSeparation $privsep" |
| 179 | echo "PubkeyAcceptedKeyTypes ${t}" | ||
| 176 | echo "$extra_sshd" | 180 | echo "$extra_sshd" |
| 177 | ) > $OBJ/sshd_proxy | 181 | ) > $OBJ/sshd_proxy |
| 182 | ( | ||
| 183 | cat $OBJ/ssh_proxy_bak | ||
| 184 | echo "PubkeyAcceptedKeyTypes ${t}" | ||
| 185 | ) > $OBJ/ssh_proxy | ||
| 178 | 186 | ||
| 179 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 187 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 180 | -F $OBJ/ssh_proxy somehost true | 188 | -F $OBJ/ssh_proxy somehost true |
| @@ -188,6 +196,7 @@ basic_tests() { | |||
| 188 | cat $OBJ/sshd_proxy_bak | 196 | cat $OBJ/sshd_proxy_bak |
| 189 | echo "UsePrivilegeSeparation $privsep" | 197 | echo "UsePrivilegeSeparation $privsep" |
| 190 | echo "RevokedKeys $OBJ/cert_user_key_revoked" | 198 | echo "RevokedKeys $OBJ/cert_user_key_revoked" |
| 199 | echo "PubkeyAcceptedKeyTypes ${t}" | ||
| 191 | echo "$extra_sshd" | 200 | echo "$extra_sshd" |
| 192 | ) > $OBJ/sshd_proxy | 201 | ) > $OBJ/sshd_proxy |
| 193 | cp $OBJ/cert_user_key_${ktype}.pub \ | 202 | cp $OBJ/cert_user_key_${ktype}.pub \ |
| @@ -220,6 +229,7 @@ basic_tests() { | |||
| 220 | ( | 229 | ( |
| 221 | cat $OBJ/sshd_proxy_bak | 230 | cat $OBJ/sshd_proxy_bak |
| 222 | echo "RevokedKeys $OBJ/user_ca_key.pub" | 231 | echo "RevokedKeys $OBJ/user_ca_key.pub" |
| 232 | echo "PubkeyAcceptedKeyTypes ${t}" | ||
| 223 | echo "$extra_sshd" | 233 | echo "$extra_sshd" |
| 224 | ) > $OBJ/sshd_proxy | 234 | ) > $OBJ/sshd_proxy |
| 225 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ | 235 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ |
| @@ -232,6 +242,7 @@ basic_tests() { | |||
| 232 | verbose "$tid: $auth CA does not authenticate" | 242 | verbose "$tid: $auth CA does not authenticate" |
| 233 | ( | 243 | ( |
| 234 | cat $OBJ/sshd_proxy_bak | 244 | cat $OBJ/sshd_proxy_bak |
| 245 | echo "PubkeyAcceptedKeyTypes ${t}" | ||
| 235 | echo "$extra_sshd" | 246 | echo "$extra_sshd" |
| 236 | ) > $OBJ/sshd_proxy | 247 | ) > $OBJ/sshd_proxy |
| 237 | verbose "$tid: ensure CA key does not authenticate user" | 248 | verbose "$tid: ensure CA key does not authenticate user" |
| @@ -257,12 +268,7 @@ test_one() { | |||
| 257 | fi | 268 | fi |
| 258 | 269 | ||
| 259 | for auth in $auth_choice ; do | 270 | for auth in $auth_choice ; do |
| 260 | for ktype in rsa rsa_v00 ; do | 271 | for ktype in rsa ed25519 ; do |
| 261 | case $ktype in | ||
| 262 | *_v00) keyv="-t v00" ;; | ||
| 263 | *) keyv="" ;; | ||
| 264 | esac | ||
| 265 | |||
| 266 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy | 272 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
| 267 | if test "x$auth" = "xauthorized_keys" ; then | 273 | if test "x$auth" = "xauthorized_keys" ; then |
| 268 | # Add CA to authorized_keys | 274 | # Add CA to authorized_keys |
| @@ -274,6 +280,8 @@ test_one() { | |||
| 274 | echo > $OBJ/authorized_keys_$USER | 280 | echo > $OBJ/authorized_keys_$USER |
| 275 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ | 281 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ |
| 276 | >> $OBJ/sshd_proxy | 282 | >> $OBJ/sshd_proxy |
| 283 | echo "PubkeyAcceptedKeyTypes ${t}*" \ | ||
| 284 | >> $OBJ/sshd_proxy | ||
| 277 | if test "x$auth_opt" != "x" ; then | 285 | if test "x$auth_opt" != "x" ; then |
| 278 | echo $auth_opt >> $OBJ/sshd_proxy | 286 | echo $auth_opt >> $OBJ/sshd_proxy |
| 279 | fi | 287 | fi |
| @@ -282,8 +290,7 @@ test_one() { | |||
| 282 | verbose "$tid: $ident auth $auth expect $result $ktype" | 290 | verbose "$tid: $ident auth $auth expect $result $ktype" |
| 283 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ | 291 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ |
| 284 | -I "regress user key for $USER" \ | 292 | -I "regress user key for $USER" \ |
| 285 | $sign_opts $keyv \ | 293 | $sign_opts $OBJ/cert_user_key_${ktype} || |
| 286 | $OBJ/cert_user_key_${ktype} || | ||
| 287 | fail "couldn't sign cert_user_key_${ktype}" | 294 | fail "couldn't sign cert_user_key_${ktype}" |
| 288 | 295 | ||
| 289 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 296 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| @@ -335,13 +342,10 @@ test_one "principals key option no principals" failure "" \ | |||
| 335 | 342 | ||
| 336 | # Wrong certificate | 343 | # Wrong certificate |
| 337 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy | 344 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
| 338 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do | 345 | for ktype in $PLAIN_TYPES ; do |
| 339 | case $ktype in | 346 | t=$(kname $ktype) |
| 340 | *_v00) args="-t v00" ;; | ||
| 341 | *) args="" ;; | ||
| 342 | esac | ||
| 343 | # Self-sign | 347 | # Self-sign |
| 344 | ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \ | 348 | ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ |
| 345 | "regress user key for $USER" \ | 349 | "regress user key for $USER" \ |
| 346 | -n $USER $OBJ/cert_user_key_${ktype} || | 350 | -n $USER $OBJ/cert_user_key_${ktype} || |
| 347 | fail "couldn't sign cert_user_key_${ktype}" | 351 | fail "couldn't sign cert_user_key_${ktype}" |