Diffstat (limited to 'regress/cert-userkey.sh')
-rw-r--r--regress/cert-userkey.sh31
1 files changed, 30 insertions, 1 deletions
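diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index d461b9e34..739a036e2 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,13 +1,19 @@
-# $OpenBSD: cert-userkey.sh,v 1.13 2015/07/03 04:39:23 djm Exp $
+# $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $
 # Placed in the Public Domain.
 
 tid="certified user keys"
 
 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
 
 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
 
+kname() {
+ echo -n $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'
+ echo "*,ssh-rsa*,ssh-ed25519*"
+}
+
 # Create a CA key
 ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
  fail "ssh-keygen of user_ca_key failed"
@@ -25,6 +31,7 @@ done
 
 # Test explicitly-specified principals
 for ktype in $PLAIN_TYPES ; do
+ t=$(kname $ktype)
  for privsep in yes no ; do
  _prefix="${ktype} privsep $privsep"
 
@@ -36,7 +43,12 @@ for ktype in $PLAIN_TYPES ; do
  echo "AuthorizedPrincipalsFile " \
  "$OBJ/authorized_principals_%u"
  echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+ echo "PubkeyAcceptedKeyTypes ${t}"
  ) > $OBJ/sshd_proxy
+ (
+ cat $OBJ/ssh_proxy_bak
+ echo "PubkeyAcceptedKeyTypes ${t}"
+ ) > $OBJ/ssh_proxy
 
  # Missing authorized_principals
  verbose "$tid: ${_prefix} missing authorized_principals"
@@ -109,7 +121,12 @@ for ktype in $PLAIN_TYPES ; do
  (
  cat $OBJ/sshd_proxy_bak
  echo "UsePrivilegeSeparation $privsep"
+ echo "PubkeyAcceptedKeyTypes ${t}"
  ) > $OBJ/sshd_proxy
+ (
+ cat $OBJ/ssh_proxy_bak
+ echo "PubkeyAcceptedKeyTypes ${t}"
+ ) > $OBJ/ssh_proxy
 
  # Wrong principals list
  verbose "$tid: ${_prefix} wrong principals key option"
@@ -151,6 +168,7 @@ basic_tests() {
  fi
 
  for ktype in $PLAIN_TYPES ; do
+ t=$(kname $ktype)
  for privsep in yes no ; do
  _prefix="${ktype} privsep $privsep $auth"
  # Simple connect
@@ -158,8 +176,13 @@ basic_tests() {
  (
  cat $OBJ/sshd_proxy_bak
  echo "UsePrivilegeSeparation $privsep"
+ echo "PubkeyAcceptedKeyTypes ${t}"
  echo "$extra_sshd"
  ) > $OBJ/sshd_proxy
+ (
+ cat $OBJ/ssh_proxy_bak
+ echo "PubkeyAcceptedKeyTypes ${t}"
+ ) > $OBJ/ssh_proxy
 
  ${SSH} -2i $OBJ/cert_user_key_${ktype} \
  -F $OBJ/ssh_proxy somehost true
@@ -173,6 +196,7 @@ basic_tests() {
  cat $OBJ/sshd_proxy_bak
  echo "UsePrivilegeSeparation $privsep"
  echo "RevokedKeys $OBJ/cert_user_key_revoked"
+ echo "PubkeyAcceptedKeyTypes ${t}"
  echo "$extra_sshd"
  ) > $OBJ/sshd_proxy
  cp $OBJ/cert_user_key_${ktype}.pub \
@@ -205,6 +229,7 @@ basic_tests() {
  (
  cat $OBJ/sshd_proxy_bak
  echo "RevokedKeys $OBJ/user_ca_key.pub"
+ echo "PubkeyAcceptedKeyTypes ${t}"
  echo "$extra_sshd"
  ) > $OBJ/sshd_proxy
  ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
@@ -217,6 +242,7 @@ basic_tests() {
  verbose "$tid: $auth CA does not authenticate"
  (
  cat $OBJ/sshd_proxy_bak
+ echo "PubkeyAcceptedKeyTypes ${t}"
  echo "$extra_sshd"
  ) > $OBJ/sshd_proxy
  verbose "$tid: ensure CA key does not authenticate user"
@@ -254,6 +280,8 @@ test_one() {
  echo > $OBJ/authorized_keys_$USER
  echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
  >> $OBJ/sshd_proxy
+ echo "PubkeyAcceptedKeyTypes ${t}*" \
+ >> $OBJ/sshd_proxy
  if test "x$auth_opt" != "x" ; then
  echo $auth_opt >> $OBJ/sshd_proxy
  fi
@@ -315,6 +343,7 @@ test_one "principals key option no principals" failure "" \
 # Wrong certificate
 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
 for ktype in $PLAIN_TYPES ; do
+ t=$(kname $ktype)
  # Self-sign
  ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
  "regress user key for $USER" \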
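Review bot: The new `kname()` helper in the first hunk builds the key-type list with `echo -n $1 | sed ...`; `-n` is not a portable echo option on every /bin/sh this regress script may run under, and the unquoted `$1` is subject to word-splitting and globbing, so `printf '%s' "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'` is the safer form of that line. The helper also has no comment; a one-line header such as `# kname <type>: PubkeyAcceptedKeyTypes pattern for <type> plus the rsa and ed25519 types` would tell a reader what the always-appended `*,ssh-rsa*,ssh-ed25519*` suffix is for. In the `test_one()` hunk the value is written as `${t}*`, which on top of the trailing `*` kname already emits yields a doubled `**` on the last pattern, while every other hunk writes `${t}` bare; one form should be used consistently. `test_one` also appears to read `t` as a global left over from whichever `for ktype` loop ran last rather than deriving it from its own arguments — the function body begins outside the hunk, so this is inferred from the visible lines only.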