diff options
Diffstat (limited to 'regress')
| -rw-r--r-- | regress/cert-file.sh | 53 |
1 files changed, 11 insertions, 42 deletions
diff --git a/regress/cert-file.sh b/regress/cert-file.sh index 36f7d33f5..b184e7fea 100644 --- a/regress/cert-file.sh +++ b/regress/cert-file.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-file.sh,v 1.3 2016/12/16 01:01:07 djm Exp $ | 1 | # $OpenBSD: cert-file.sh,v 1.4 2016/12/16 02:48:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="ssh with certificates" | 4 | tid="ssh with certificates" |
| @@ -17,59 +17,24 @@ ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \ | |||
| 17 | fatal "ssh-keygen failed" | 17 | fatal "ssh-keygen failed" |
| 18 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \ | 18 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \ |
| 19 | fatal "ssh-keygen failed" | 19 | fatal "ssh-keygen failed" |
| 20 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key3 || \ | ||
| 21 | fatal "ssh-keygen failed" | ||
| 22 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key4 || \ | ||
| 23 | fatal "ssh-keygen failed" | ||
| 24 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key5 || \ | ||
| 25 | fatal "ssh-keygen failed" | ||
| 26 | |||
| 27 | # Move the certificate to a different address to better control | 20 | # Move the certificate to a different address to better control |
| 28 | # when it is offered. | 21 | # when it is offered. |
| 29 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ | 22 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ |
| 30 | -z $$ -n ${USER} $OBJ/user_key1 || | 23 | -z $$ -n ${USER} $OBJ/user_key1 || |
| 31 | fatal "couldn't sign user_key1 with user_ca_key1" | 24 | fail "couldn't sign user_key1 with user_ca_key1" |
| 32 | mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_1.pub | 25 | mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_1.pub |
| 33 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key2 -I "regress user key for $USER" \ | 26 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key2 -I "regress user key for $USER" \ |
| 34 | -z $$ -n ${USER} $OBJ/user_key1 || | 27 | -z $$ -n ${USER} $OBJ/user_key1 || |
| 35 | fatal "couldn't sign user_key1 with user_ca_key2" | 28 | fail "couldn't sign user_key1 with user_ca_key2" |
| 36 | mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub | 29 | mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub |
| 37 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ | ||
| 38 | -z $$ -n ${USER} $OBJ/user_key3 || | ||
| 39 | fatal "couldn't sign user_key3 with user_ca_key1" | ||
| 40 | rm $OBJ/user_key3.pub # to test use of private key w/o public half. | ||
| 41 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ | ||
| 42 | -z $$ -n ${USER} $OBJ/user_key4 || | ||
| 43 | fatal "couldn't sign user_key4 with user_ca_key1" | ||
| 44 | rm $OBJ/user_key4 $OBJ/user_key4.pub # to test no matching pub/private key case. | ||
| 45 | 30 | ||
| 46 | trace 'try with identity files' | 31 | trace 'try with identity files' |
| 47 | opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes" | 32 | opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes" |
| 48 | opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2" | 33 | opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2" |
| 49 | echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER | 34 | echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER |
| 50 | 35 | ||
| 51 | # Make a clean config that doesn't have any pre-added identities. | ||
| 52 | cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config | ||
| 53 | |||
| 54 | # XXX: verify that certificate used was what we expect. Needs exposure of | ||
| 55 | # keys via enviornment variable or similar. | ||
| 56 | |||
| 57 | for p in ${SSH_PROTOCOLS}; do | 36 | for p in ${SSH_PROTOCOLS}; do |
| 58 | # Key with no .pub should work - finding the equivalent *-cert.pub. | ||
| 59 | verbose "protocol $p: identity cert with no plain public file" | ||
| 60 | ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ | ||
| 61 | -i $OBJ/user_key3 somehost exit 5$p | ||
| 62 | [ $? -ne 5$p ] && fail "ssh failed" | ||
| 63 | |||
| 64 | # CertificateFile matching private key with no .pub file should work. | ||
| 65 | verbose "protocol $p: CertificateFile with no plain public file" | ||
| 66 | ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ | ||
| 67 | -oCertificateFile=$OBJ/user_key3-cert.pub \ | ||
| 68 | -i $OBJ/user_key3 somehost exit 5$p | ||
| 69 | [ $? -ne 5$p ] && fail "ssh failed" | ||
| 70 | |||
| 71 | # Just keys should fail | 37 | # Just keys should fail |
| 72 | verbose "protocol $p: plain keys" | ||
| 73 | ${SSH} $opts2 somehost exit 5$p | 38 | ${SSH} $opts2 somehost exit 5$p |
| 74 | r=$? | 39 | r=$? |
| 75 | if [ $r -eq 5$p ]; then | 40 | if [ $r -eq 5$p ]; then |
| @@ -77,7 +42,6 @@ for p in ${SSH_PROTOCOLS}; do | |||
| 77 | fi | 42 | fi |
| 78 | 43 | ||
| 79 | # Keys with untrusted cert should fail. | 44 | # Keys with untrusted cert should fail. |
| 80 | verbose "protocol $p: untrusted cert" | ||
| 81 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" | 45 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" |
| 82 | ${SSH} $opts3 somehost exit 5$p | 46 | ${SSH} $opts3 somehost exit 5$p |
| 83 | r=$? | 47 | r=$? |
| @@ -86,7 +50,6 @@ for p in ${SSH_PROTOCOLS}; do | |||
| 86 | fi | 50 | fi |
| 87 | 51 | ||
| 88 | # Good cert with bad key should fail. | 52 | # Good cert with bad key should fail. |
| 89 | verbose "protocol $p: good cert, bad key" | ||
| 90 | opts3="$opts -i $OBJ/user_key2" | 53 | opts3="$opts -i $OBJ/user_key2" |
| 91 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" | 54 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" |
| 92 | ${SSH} $opts3 somehost exit 5$p | 55 | ${SSH} $opts3 somehost exit 5$p |
| @@ -96,7 +59,6 @@ for p in ${SSH_PROTOCOLS}; do | |||
| 96 | fi | 59 | fi |
| 97 | 60 | ||
| 98 | # Keys with one trusted cert, should succeed. | 61 | # Keys with one trusted cert, should succeed. |
| 99 | verbose "protocol $p: single trusted" | ||
| 100 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" | 62 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" |
| 101 | ${SSH} $opts3 somehost exit 5$p | 63 | ${SSH} $opts3 somehost exit 5$p |
| 102 | r=$? | 64 | r=$? |
| @@ -105,7 +67,6 @@ for p in ${SSH_PROTOCOLS}; do | |||
| 105 | fi | 67 | fi |
| 106 | 68 | ||
| 107 | # Multiple certs and keys, with one trusted cert, should succeed. | 69 | # Multiple certs and keys, with one trusted cert, should succeed. |
| 108 | verbose "protocol $p: multiple trusted" | ||
| 109 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" | 70 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" |
| 110 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" | 71 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" |
| 111 | ${SSH} $opts3 somehost exit 5$p | 72 | ${SSH} $opts3 somehost exit 5$p |
| @@ -113,6 +74,14 @@ for p in ${SSH_PROTOCOLS}; do | |||
| 113 | if [ $r -ne 5$p ]; then | 74 | if [ $r -ne 5$p ]; then |
| 114 | fail "ssh failed with multiple certs in protocol $p" | 75 | fail "ssh failed with multiple certs in protocol $p" |
| 115 | fi | 76 | fi |
| 77 | |||
| 78 | #Keys with trusted certificate specified in config options, should succeed. | ||
| 79 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" | ||
| 80 | ${SSH} $opts3 somehost exit 5$p | ||
| 81 | r=$? | ||
| 82 | if [ $r -ne 5$p ]; then | ||
| 83 | fail "ssh failed with trusted cert in config in protocol $p" | ||
| 84 | fi | ||
| 116 | done | 85 | done |
| 117 | 86 | ||
| 118 | #next, using an agent in combination with the keys | 87 | #next, using an agent in combination with the keys |