diff options
Diffstat (limited to 'regress')
| -rw-r--r-- | regress/Makefile | 9 | ||||
| -rw-r--r-- | regress/README.regress | 4 | ||||
| -rw-r--r-- | regress/cert-hostkey.sh | 174 | ||||
| -rw-r--r-- | regress/cert-userkey.sh | 221 | ||||
| -rw-r--r-- | regress/login-timeout.sh | 2 | ||||
| -rw-r--r-- | regress/reconfigure.sh | 2 | ||||
| -rw-r--r-- | regress/reexec.sh | 6 | ||||
| -rw-r--r-- | regress/test-exec.sh | 2 |
8 files changed, 299 insertions, 121 deletions
diff --git a/regress/Makefile b/regress/Makefile index d25a64555..9762ab204 100644 --- a/regress/Makefile +++ b/regress/Makefile | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: Makefile,v 1.52 2010/02/26 20:33:21 djm Exp $ | 1 | # $OpenBSD: Makefile,v 1.54 2010/06/27 19:19:56 phessler Exp $ |
| 2 | 2 | ||
| 3 | REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec | 3 | REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec |
| 4 | tests: $(REGRESS_TARGETS) | 4 | tests: $(REGRESS_TARGETS) |
| @@ -69,7 +69,8 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ | |||
| 69 | scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \ | 69 | scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \ |
| 70 | sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \ | 70 | sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \ |
| 71 | known_hosts-cert host_ca_key* cert_host_key* \ | 71 | known_hosts-cert host_ca_key* cert_host_key* \ |
| 72 | putty.rsa2 sshd_proxy_orig | 72 | putty.rsa2 sshd_proxy_orig \ |
| 73 | authorized_principals_${USER} | ||
| 73 | 74 | ||
| 74 | # Enable all malloc(3) randomisations and checks | 75 | # Enable all malloc(3) randomisations and checks |
| 75 | TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" | 76 | TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" |
| @@ -112,13 +113,13 @@ t-exec: ${LTESTS:=.sh} | |||
| 112 | @if [ "x$?" = "x" ]; then exit 0; fi; \ | 113 | @if [ "x$?" = "x" ]; then exit 0; fi; \ |
| 113 | for TEST in ""$?; do \ | 114 | for TEST in ""$?; do \ |
| 114 | echo "run test $${TEST}" ... 1>&2; \ | 115 | echo "run test $${TEST}" ... 1>&2; \ |
| 115 | (env SUDO=${SUDO} TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ | 116 | (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ |
| 116 | done | 117 | done |
| 117 | 118 | ||
| 118 | t-exec-interop: ${INTEROP_TESTS:=.sh} | 119 | t-exec-interop: ${INTEROP_TESTS:=.sh} |
| 119 | @if [ "x$?" = "x" ]; then exit 0; fi; \ | 120 | @if [ "x$?" = "x" ]; then exit 0; fi; \ |
| 120 | for TEST in ""$?; do \ | 121 | for TEST in ""$?; do \ |
| 121 | echo "run test $${TEST}" ... 1>&2; \ | 122 | echo "run test $${TEST}" ... 1>&2; \ |
| 122 | (env SUDO=${SUDO} TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ | 123 | (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ |
| 123 | done | 124 | done |
| 124 | 125 | ||
diff --git a/regress/README.regress b/regress/README.regress index 5aaf734bd..da9bb6a99 100644 --- a/regress/README.regress +++ b/regress/README.regress | |||
| @@ -29,7 +29,7 @@ TEST_SSH_x: path to "ssh" command under test, where x=SSH,SSHD,SSHAGENT,SSHADD | |||
| 29 | OBJ: used by test scripts to access build dir. | 29 | OBJ: used by test scripts to access build dir. |
| 30 | TEST_SHELL: shell used for running the test scripts. | 30 | TEST_SHELL: shell used for running the test scripts. |
| 31 | TEST_SSH_PORT: TCP port to be used for the listening tests. | 31 | TEST_SSH_PORT: TCP port to be used for the listening tests. |
| 32 | TEST_SSH_SSH_CONFOTPS: Configuration directives to be added to ssh_config | 32 | TEST_SSH_SSH_CONFOPTS: Configuration directives to be added to ssh_config |
| 33 | before running each test. | 33 | before running each test. |
| 34 | TEST_SSH_SSHD_CONFOTPS: Configuration directives to be added to sshd_config | 34 | TEST_SSH_SSHD_CONFOTPS: Configuration directives to be added to sshd_config |
| 35 | before running each test. | 35 | before running each test. |
| @@ -105,4 +105,4 @@ Known Issues. | |||
| 105 | test to fail. The old behaviour can be restored by setting (and | 105 | test to fail. The old behaviour can be restored by setting (and |
| 106 | exporting) _POSIX2_VERSION=199209 before running the tests. | 106 | exporting) _POSIX2_VERSION=199209 before running the tests. |
| 107 | 107 | ||
| 108 | $Id: README.regress,v 1.10 2005/10/03 10:14:18 dtucker Exp $ | 108 | $Id: README.regress,v 1.11 2010/08/16 21:04:29 djm Exp $ |
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 3fda667cb..0265e8f6b 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $ | 1 | # $OpenBSD: cert-hostkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified host keys" | 4 | tid="certified host keys" |
| @@ -28,11 +28,17 @@ for ktype in rsa dsa ; do | |||
| 28 | -I "regress host key for $USER" \ | 28 | -I "regress host key for $USER" \ |
| 29 | -n $HOSTS $OBJ/cert_host_key_${ktype} || | 29 | -n $HOSTS $OBJ/cert_host_key_${ktype} || |
| 30 | fail "couldn't sign cert_host_key_${ktype}" | 30 | fail "couldn't sign cert_host_key_${ktype}" |
| 31 | cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 | ||
| 32 | cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub | ||
| 33 | ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ | ||
| 34 | -I "regress host key for $USER" \ | ||
| 35 | -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 || | ||
| 36 | fail "couldn't sign cert_host_key_${ktype}_v00" | ||
| 31 | done | 37 | done |
| 32 | 38 | ||
| 33 | # Basic connect tests | 39 | # Basic connect tests |
| 34 | for privsep in yes no ; do | 40 | for privsep in yes no ; do |
| 35 | for ktype in rsa dsa ; do | 41 | for ktype in rsa dsa rsa_v00 dsa_v00; do |
| 36 | verbose "$tid: host ${ktype} cert connect privsep $privsep" | 42 | verbose "$tid: host ${ktype} cert connect privsep $privsep" |
| 37 | ( | 43 | ( |
| 38 | cat $OBJ/sshd_proxy_bak | 44 | cat $OBJ/sshd_proxy_bak |
| @@ -61,9 +67,15 @@ done | |||
| 61 | echon '@revoked ' | 67 | echon '@revoked ' |
| 62 | echon "* " | 68 | echon "* " |
| 63 | cat $OBJ/cert_host_key_dsa.pub | 69 | cat $OBJ/cert_host_key_dsa.pub |
| 70 | echon '@revoked ' | ||
| 71 | echon "* " | ||
| 72 | cat $OBJ/cert_host_key_rsa_v00.pub | ||
| 73 | echon '@revoked ' | ||
| 74 | echon "* " | ||
| 75 | cat $OBJ/cert_host_key_dsa_v00.pub | ||
| 64 | ) > $OBJ/known_hosts-cert | 76 | ) > $OBJ/known_hosts-cert |
| 65 | for privsep in yes no ; do | 77 | for privsep in yes no ; do |
| 66 | for ktype in rsa dsa ; do | 78 | for ktype in rsa dsa rsa_v00 dsa_v00; do |
| 67 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" | 79 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" |
| 68 | ( | 80 | ( |
| 69 | cat $OBJ/sshd_proxy_bak | 81 | cat $OBJ/sshd_proxy_bak |
| @@ -90,7 +102,7 @@ done | |||
| 90 | echon "* " | 102 | echon "* " |
| 91 | cat $OBJ/host_ca_key.pub | 103 | cat $OBJ/host_ca_key.pub |
| 92 | ) > $OBJ/known_hosts-cert | 104 | ) > $OBJ/known_hosts-cert |
| 93 | for ktype in rsa dsa ; do | 105 | for ktype in rsa dsa rsa_v00 dsa_v00 ; do |
| 94 | verbose "$tid: host ${ktype} revoked cert" | 106 | verbose "$tid: host ${ktype} revoked cert" |
| 95 | ( | 107 | ( |
| 96 | cat $OBJ/sshd_proxy_bak | 108 | cat $OBJ/sshd_proxy_bak |
| @@ -116,32 +128,39 @@ test_one() { | |||
| 116 | ident=$1 | 128 | ident=$1 |
| 117 | result=$2 | 129 | result=$2 |
| 118 | sign_opts=$3 | 130 | sign_opts=$3 |
| 119 | |||
| 120 | verbose "$tid: test host cert connect $ident expect $result" | ||
| 121 | |||
| 122 | ${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \ | ||
| 123 | $sign_opts \ | ||
| 124 | $OBJ/cert_host_key_rsa || | ||
| 125 | fail "couldn't sign cert_host_key_rsa" | ||
| 126 | ( | ||
| 127 | cat $OBJ/sshd_proxy_bak | ||
| 128 | echo HostKey $OBJ/cert_host_key_rsa | ||
| 129 | echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub | ||
| 130 | ) > $OBJ/sshd_proxy | ||
| 131 | 131 | ||
| 132 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 132 | for kt in rsa rsa_v00 ; do |
| 133 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 133 | case $kt in |
| 134 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 134 | *_v00) args="-t v00" ;; |
| 135 | rc=$? | 135 | *) args="" ;; |
| 136 | if [ "x$result" = "xsuccess" ] ; then | 136 | esac |
| 137 | if [ $rc -ne 0 ]; then | 137 | |
| 138 | fail "ssh cert connect $ident failed unexpectedly" | 138 | verbose "$tid: host cert connect $ident $kt expect $result" |
| 139 | fi | 139 | ${SSHKEYGEN} -q -s $OBJ/host_ca_key \ |
| 140 | else | 140 | -I "regress host key for $USER" \ |
| 141 | if [ $rc -eq 0 ]; then | 141 | $sign_opts $args \ |
| 142 | fail "ssh cert connect $ident succeeded unexpectedly" | 142 | $OBJ/cert_host_key_${kt} || |
| 143 | fail "couldn't sign cert_host_key_${kt}" | ||
| 144 | ( | ||
| 145 | cat $OBJ/sshd_proxy_bak | ||
| 146 | echo HostKey $OBJ/cert_host_key_${kt} | ||
| 147 | echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub | ||
| 148 | ) > $OBJ/sshd_proxy | ||
| 149 | |||
| 150 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | ||
| 151 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | ||
| 152 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
| 153 | rc=$? | ||
| 154 | if [ "x$result" = "xsuccess" ] ; then | ||
| 155 | if [ $rc -ne 0 ]; then | ||
| 156 | fail "ssh cert connect $ident failed unexpectedly" | ||
| 157 | fi | ||
| 158 | else | ||
| 159 | if [ $rc -eq 0 ]; then | ||
| 160 | fail "ssh cert connect $ident succeeded unexpectedly" | ||
| 161 | fi | ||
| 143 | fi | 162 | fi |
| 144 | fi | 163 | done |
| 145 | } | 164 | } |
| 146 | 165 | ||
| 147 | test_one "user-certificate" failure "-n $HOSTS" | 166 | test_one "user-certificate" failure "-n $HOSTS" |
| @@ -153,32 +172,35 @@ test_one "cert valid interval" success "-h -V-1w:+2w" | |||
| 153 | test_one "cert has constraints" failure "-h -Oforce-command=false" | 172 | test_one "cert has constraints" failure "-h -Oforce-command=false" |
| 154 | 173 | ||
| 155 | # Check downgrade of cert to raw key when no CA found | 174 | # Check downgrade of cert to raw key when no CA found |
| 156 | rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* | 175 | for v in v01 v00 ; do |
| 157 | for ktype in rsa dsa ; do | 176 | for ktype in rsa dsa ; do |
| 158 | verbose "$tid: host ${ktype} cert downgrade to raw key" | 177 | rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* |
| 159 | # Generate and sign a host key | 178 | verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" |
| 160 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ | 179 | # Generate and sign a host key |
| 161 | -f $OBJ/cert_host_key_${ktype} || \ | 180 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ |
| 162 | fail "ssh-keygen of cert_host_key_${ktype} failed" | 181 | -f $OBJ/cert_host_key_${ktype} || \ |
| 163 | ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \ | 182 | fail "ssh-keygen of cert_host_key_${ktype} failed" |
| 164 | -n $HOSTS $OBJ/cert_host_key_${ktype} || | 183 | ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ |
| 165 | fail "couldn't sign cert_host_key_${ktype}" | 184 | -I "regress host key for $USER" \ |
| 166 | ( | 185 | -n $HOSTS $OBJ/cert_host_key_${ktype} || |
| 167 | echon "$HOSTS " | 186 | fail "couldn't sign cert_host_key_${ktype}" |
| 168 | cat $OBJ/cert_host_key_${ktype}.pub | 187 | ( |
| 169 | ) > $OBJ/known_hosts-cert | 188 | echon "$HOSTS " |
| 170 | ( | 189 | cat $OBJ/cert_host_key_${ktype}.pub |
| 171 | cat $OBJ/sshd_proxy_bak | 190 | ) > $OBJ/known_hosts-cert |
| 172 | echo HostKey $OBJ/cert_host_key_${ktype} | 191 | ( |
| 173 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub | 192 | cat $OBJ/sshd_proxy_bak |
| 174 | ) > $OBJ/sshd_proxy | 193 | echo HostKey $OBJ/cert_host_key_${ktype} |
| 175 | 194 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub | |
| 176 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 195 | ) > $OBJ/sshd_proxy |
| 177 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 196 | |
| 178 | -F $OBJ/ssh_proxy somehost true | 197 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
| 179 | if [ $? -ne 0 ]; then | 198 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ |
| 180 | fail "ssh cert connect failed" | 199 | -F $OBJ/ssh_proxy somehost true |
| 181 | fi | 200 | if [ $? -ne 0 ]; then |
| 201 | fail "ssh cert connect failed" | ||
| 202 | fi | ||
| 203 | done | ||
| 182 | done | 204 | done |
| 183 | 205 | ||
| 184 | # Wrong certificate | 206 | # Wrong certificate |
| @@ -187,25 +209,31 @@ done | |||
| 187 | echon "$HOSTS " | 209 | echon "$HOSTS " |
| 188 | cat $OBJ/host_ca_key.pub | 210 | cat $OBJ/host_ca_key.pub |
| 189 | ) > $OBJ/known_hosts-cert | 211 | ) > $OBJ/known_hosts-cert |
| 190 | for ktype in rsa dsa ; do | 212 | for v in v01 v00 ; do |
| 191 | # Self-sign key | 213 | for kt in rsa dsa ; do |
| 192 | ${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \ | 214 | rm -f $OBJ/cert_host_key* |
| 193 | -I "regress host key for $USER" \ | 215 | # Self-sign key |
| 194 | -n $HOSTS $OBJ/cert_host_key_${ktype} || | 216 | ${SSHKEYGEN} -q -N '' -t ${kt} \ |
| 195 | fail "couldn't sign cert_host_key_${ktype}" | 217 | -f $OBJ/cert_host_key_${kt} || \ |
| 196 | verbose "$tid: host ${ktype} connect wrong cert" | 218 | fail "ssh-keygen of cert_host_key_${kt} failed" |
| 197 | ( | 219 | ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \ |
| 198 | cat $OBJ/sshd_proxy_bak | 220 | -I "regress host key for $USER" \ |
| 199 | echo HostKey $OBJ/cert_host_key_${ktype} | 221 | -n $HOSTS $OBJ/cert_host_key_${kt} || |
| 200 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub | 222 | fail "couldn't sign cert_host_key_${kt}" |
| 201 | ) > $OBJ/sshd_proxy | 223 | verbose "$tid: host ${kt} connect wrong cert" |
| 202 | 224 | ( | |
| 203 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 225 | cat $OBJ/sshd_proxy_bak |
| 204 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 226 | echo HostKey $OBJ/cert_host_key_${kt} |
| 205 | -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 | 227 | echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub |
| 206 | if [ $? -eq 0 ]; then | 228 | ) > $OBJ/sshd_proxy |
| 207 | fail "ssh cert connect $ident succeeded unexpectedly" | 229 | |
| 208 | fi | 230 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
| 231 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | ||
| 232 | -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 | ||
| 233 | if [ $? -eq 0 ]; then | ||
| 234 | fail "ssh cert connect $ident succeeded unexpectedly" | ||
| 235 | fi | ||
| 236 | done | ||
| 209 | done | 237 | done |
| 210 | 238 | ||
| 211 | rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* | 239 | rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* |
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 7a58e7b75..a41a9a9c0 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $ | 1 | # $OpenBSD: cert-userkey.sh,v 1.6 2010/06/29 23:59:54 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified user keys" | 4 | tid="certified user keys" |
| @@ -18,8 +18,128 @@ for ktype in rsa dsa ; do | |||
| 18 | fail "ssh-keygen of cert_user_key_${ktype} failed" | 18 | fail "ssh-keygen of cert_user_key_${ktype} failed" |
| 19 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \ | 19 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \ |
| 20 | "regress user key for $USER" \ | 20 | "regress user key for $USER" \ |
| 21 | -n $USER $OBJ/cert_user_key_${ktype} || | 21 | -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || |
| 22 | fail "couldn't sign cert_user_key_${ktype}" | 22 | fail "couldn't sign cert_user_key_${ktype}" |
| 23 | cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 | ||
| 24 | cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub | ||
| 25 | ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ | ||
| 26 | "regress user key for $USER" \ | ||
| 27 | -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || | ||
| 28 | fail "couldn't sign cert_user_key_${ktype}_v00" | ||
| 29 | done | ||
| 30 | |||
| 31 | # Test explicitly-specified principals | ||
| 32 | for ktype in rsa dsa rsa_v00 dsa_v00 ; do | ||
| 33 | for privsep in yes no ; do | ||
| 34 | _prefix="${ktype} privsep $privsep" | ||
| 35 | |||
| 36 | # Setup for AuthorizedPrincipalsFile | ||
| 37 | rm -f $OBJ/authorized_keys_$USER | ||
| 38 | ( | ||
| 39 | cat $OBJ/sshd_proxy_bak | ||
| 40 | echo "UsePrivilegeSeparation $privsep" | ||
| 41 | echo "AuthorizedPrincipalsFile " \ | ||
| 42 | "$OBJ/authorized_principals_%u" | ||
| 43 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" | ||
| 44 | ) > $OBJ/sshd_proxy | ||
| 45 | |||
| 46 | # Missing authorized_principals | ||
| 47 | verbose "$tid: ${_prefix} missing authorized_principals" | ||
| 48 | rm -f $OBJ/authorized_principals_$USER | ||
| 49 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | ||
| 50 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
| 51 | if [ $? -eq 0 ]; then | ||
| 52 | fail "ssh cert connect succeeded unexpectedly" | ||
| 53 | fi | ||
| 54 | |||
| 55 | # Empty authorized_principals | ||
| 56 | verbose "$tid: ${_prefix} empty authorized_principals" | ||
| 57 | echo > $OBJ/authorized_principals_$USER | ||
| 58 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | ||
| 59 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
| 60 | if [ $? -eq 0 ]; then | ||
| 61 | fail "ssh cert connect succeeded unexpectedly" | ||
| 62 | fi | ||
| 63 | |||
| 64 | # Wrong authorized_principals | ||
| 65 | verbose "$tid: ${_prefix} wrong authorized_principals" | ||
| 66 | echo gregorsamsa > $OBJ/authorized_principals_$USER | ||
| 67 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | ||
| 68 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
| 69 | if [ $? -eq 0 ]; then | ||
| 70 | fail "ssh cert connect succeeded unexpectedly" | ||
| 71 | fi | ||
| 72 | |||
| 73 | # Correct authorized_principals | ||
| 74 | verbose "$tid: ${_prefix} correct authorized_principals" | ||
| 75 | echo mekmitasdigoat > $OBJ/authorized_principals_$USER | ||
| 76 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | ||
| 77 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
| 78 | if [ $? -ne 0 ]; then | ||
| 79 | fail "ssh cert connect failed" | ||
| 80 | fi | ||
| 81 | |||
| 82 | # authorized_principals with bad key option | ||
| 83 | verbose "$tid: ${_prefix} authorized_principals bad key opt" | ||
| 84 | echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER | ||
| 85 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | ||
| 86 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
| 87 | if [ $? -eq 0 ]; then | ||
| 88 | fail "ssh cert connect succeeded unexpectedly" | ||
| 89 | fi | ||
| 90 | |||
| 91 | # authorized_principals with command=false | ||
| 92 | verbose "$tid: ${_prefix} authorized_principals command=false" | ||
| 93 | echo 'command="false" mekmitasdigoat' > \ | ||
| 94 | $OBJ/authorized_principals_$USER | ||
| 95 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | ||
| 96 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
| 97 | if [ $? -eq 0 ]; then | ||
| 98 | fail "ssh cert connect succeeded unexpectedly" | ||
| 99 | fi | ||
| 100 | |||
| 101 | |||
| 102 | # authorized_principals with command=true | ||
| 103 | verbose "$tid: ${_prefix} authorized_principals command=true" | ||
| 104 | echo 'command="true" mekmitasdigoat' > \ | ||
| 105 | $OBJ/authorized_principals_$USER | ||
| 106 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | ||
| 107 | -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 | ||
| 108 | if [ $? -ne 0 ]; then | ||
| 109 | fail "ssh cert connect failed" | ||
| 110 | fi | ||
| 111 | |||
| 112 | # Setup for principals= key option | ||
| 113 | rm -f $OBJ/authorized_principals_$USER | ||
| 114 | ( | ||
| 115 | cat $OBJ/sshd_proxy_bak | ||
| 116 | echo "UsePrivilegeSeparation $privsep" | ||
| 117 | ) > $OBJ/sshd_proxy | ||
| 118 | |||
| 119 | # Wrong principals list | ||
| 120 | verbose "$tid: ${_prefix} wrong principals key option" | ||
| 121 | ( | ||
| 122 | echon 'cert-authority,principals="gregorsamsa" ' | ||
| 123 | cat $OBJ/user_ca_key.pub | ||
| 124 | ) > $OBJ/authorized_keys_$USER | ||
| 125 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | ||
| 126 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
| 127 | if [ $? -eq 0 ]; then | ||
| 128 | fail "ssh cert connect succeeded unexpectedly" | ||
| 129 | fi | ||
| 130 | |||
| 131 | # Correct principals list | ||
| 132 | verbose "$tid: ${_prefix} correct principals key option" | ||
| 133 | ( | ||
| 134 | echon 'cert-authority,principals="mekmitasdigoat" ' | ||
| 135 | cat $OBJ/user_ca_key.pub | ||
| 136 | ) > $OBJ/authorized_keys_$USER | ||
| 137 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | ||
| 138 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
| 139 | if [ $? -ne 0 ]; then | ||
| 140 | fail "ssh cert connect failed" | ||
| 141 | fi | ||
| 142 | done | ||
| 23 | done | 143 | done |
| 24 | 144 | ||
| 25 | basic_tests() { | 145 | basic_tests() { |
| @@ -35,7 +155,7 @@ basic_tests() { | |||
| 35 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" | 155 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" |
| 36 | fi | 156 | fi |
| 37 | 157 | ||
| 38 | for ktype in rsa dsa ; do | 158 | for ktype in rsa dsa rsa_v00 dsa_v00 ; do |
| 39 | for privsep in yes no ; do | 159 | for privsep in yes no ; do |
| 40 | _prefix="${ktype} privsep $privsep $auth" | 160 | _prefix="${ktype} privsep $privsep $auth" |
| 41 | # Simple connect | 161 | # Simple connect |
| @@ -102,45 +222,50 @@ test_one() { | |||
| 102 | result=$2 | 222 | result=$2 |
| 103 | sign_opts=$3 | 223 | sign_opts=$3 |
| 104 | auth_choice=$4 | 224 | auth_choice=$4 |
| 225 | auth_opt=$5 | ||
| 105 | 226 | ||
| 106 | if test "x$auth_choice" = "x" ; then | 227 | if test "x$auth_choice" = "x" ; then |
| 107 | auth_choice="authorized_keys TrustedUserCAKeys" | 228 | auth_choice="authorized_keys TrustedUserCAKeys" |
| 108 | fi | 229 | fi |
| 109 | 230 | ||
| 110 | for auth in $auth_choice ; do | 231 | for auth in $auth_choice ; do |
| 111 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy | 232 | for ktype in rsa rsa_v00 ; do |
| 112 | if test "x$auth" = "xauthorized_keys" ; then | 233 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
| 113 | # Add CA to authorized_keys | 234 | if test "x$auth" = "xauthorized_keys" ; then |
| 114 | ( | 235 | # Add CA to authorized_keys |
| 115 | echon 'cert-authority ' | 236 | ( |
| 116 | cat $OBJ/user_ca_key.pub | 237 | echon "cert-authority${auth_opt} " |
| 117 | ) > $OBJ/authorized_keys_$USER | 238 | cat $OBJ/user_ca_key.pub |
| 118 | else | 239 | ) > $OBJ/authorized_keys_$USER |
| 119 | echo > $OBJ/authorized_keys_$USER | 240 | else |
| 120 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \ | 241 | echo > $OBJ/authorized_keys_$USER |
| 121 | $OBJ/sshd_proxy | 242 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ |
| 122 | 243 | >> $OBJ/sshd_proxy | |
| 123 | fi | 244 | if test "x$auth_opt" != "x" ; then |
| 124 | 245 | echo $auth_opt >> $OBJ/sshd_proxy | |
| 125 | verbose "$tid: $ident auth $auth expect $result" | 246 | fi |
| 126 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ | ||
| 127 | -I "regress user key for $USER" \ | ||
| 128 | $sign_opts \ | ||
| 129 | $OBJ/cert_user_key_rsa || | ||
| 130 | fail "couldn't sign cert_user_key_rsa" | ||
| 131 | |||
| 132 | ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \ | ||
| 133 | somehost true >/dev/null 2>&1 | ||
| 134 | rc=$? | ||
| 135 | if [ "x$result" = "xsuccess" ] ; then | ||
| 136 | if [ $rc -ne 0 ]; then | ||
| 137 | fail "$ident failed unexpectedly" | ||
| 138 | fi | 247 | fi |
| 139 | else | 248 | |
| 140 | if [ $rc -eq 0 ]; then | 249 | verbose "$tid: $ident auth $auth expect $result $ktype" |
| 141 | fail "$ident succeeded unexpectedly" | 250 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ |
| 251 | -I "regress user key for $USER" \ | ||
| 252 | $sign_opts \ | ||
| 253 | $OBJ/cert_user_key_${ktype} || | ||
| 254 | fail "couldn't sign cert_user_key_${ktype}" | ||
| 255 | |||
| 256 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | ||
| 257 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
| 258 | rc=$? | ||
| 259 | if [ "x$result" = "xsuccess" ] ; then | ||
| 260 | if [ $rc -ne 0 ]; then | ||
| 261 | fail "$ident failed unexpectedly" | ||
| 262 | fi | ||
| 263 | else | ||
| 264 | if [ $rc -eq 0 ]; then | ||
| 265 | fail "$ident succeeded unexpectedly" | ||
| 266 | fi | ||
| 142 | fi | 267 | fi |
| 143 | fi | 268 | done |
| 144 | done | 269 | done |
| 145 | } | 270 | } |
| 146 | 271 | ||
| @@ -157,10 +282,33 @@ test_one "force-command" failure "-n ${USER} -Oforce-command=false" | |||
| 157 | test_one "empty principals" success "" authorized_keys | 282 | test_one "empty principals" success "" authorized_keys |
| 158 | test_one "empty principals" failure "" TrustedUserCAKeys | 283 | test_one "empty principals" failure "" TrustedUserCAKeys |
| 159 | 284 | ||
| 285 | # Check explicitly-specified principals: an empty principals list in the cert | ||
| 286 | # should always be refused. | ||
| 287 | |||
| 288 | # AuthorizedPrincipalsFile | ||
| 289 | rm -f $OBJ/authorized_keys_$USER | ||
| 290 | echo mekmitasdigoat > $OBJ/authorized_principals_$USER | ||
| 291 | test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \ | ||
| 292 | TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" | ||
| 293 | test_one "AuthorizedPrincipalsFile no principals" failure "" \ | ||
| 294 | TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" | ||
| 295 | |||
| 296 | # principals= key option | ||
| 297 | rm -f $OBJ/authorized_principals_$USER | ||
| 298 | test_one "principals key option principals" success "-n mekmitasdigoat" \ | ||
| 299 | authorized_keys ',principals="mekmitasdigoat"' | ||
| 300 | test_one "principals key option no principals" failure "" \ | ||
| 301 | authorized_keys ',principals="mekmitasdigoat"' | ||
| 302 | |||
| 160 | # Wrong certificate | 303 | # Wrong certificate |
| 161 | for ktype in rsa dsa ; do | 304 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
| 305 | for ktype in rsa dsa rsa_v00 dsa_v00 ; do | ||
| 306 | case $ktype in | ||
| 307 | *_v00) args="-t v00" ;; | ||
| 308 | *) args="" ;; | ||
| 309 | esac | ||
| 162 | # Self-sign | 310 | # Self-sign |
| 163 | ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ | 311 | ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \ |
| 164 | "regress user key for $USER" \ | 312 | "regress user key for $USER" \ |
| 165 | -n $USER $OBJ/cert_user_key_${ktype} || | 313 | -n $USER $OBJ/cert_user_key_${ktype} || |
| 166 | fail "couldn't sign cert_user_key_${ktype}" | 314 | fail "couldn't sign cert_user_key_${ktype}" |
| @@ -173,4 +321,5 @@ for ktype in rsa dsa ; do | |||
| 173 | done | 321 | done |
| 174 | 322 | ||
| 175 | rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* | 323 | rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* |
| 324 | rm -f $OBJ/authorized_principals_$USER | ||
| 176 | 325 | ||
diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh index 15a887f74..55fbb324d 100644 --- a/regress/login-timeout.sh +++ b/regress/login-timeout.sh | |||
| @@ -15,7 +15,7 @@ if [ $? -ne 0 ]; then | |||
| 15 | fail "ssh connect after login grace timeout failed with privsep" | 15 | fail "ssh connect after login grace timeout failed with privsep" |
| 16 | fi | 16 | fi |
| 17 | 17 | ||
| 18 | $SUDO kill `cat $PIDFILE` | 18 | $SUDO kill `$SUDO cat $PIDFILE` |
| 19 | 19 | ||
| 20 | trace "test login grace without privsep" | 20 | trace "test login grace without privsep" |
| 21 | echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config | 21 | echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config |
diff --git a/regress/reconfigure.sh b/regress/reconfigure.sh index 1daf29f9a..9fd289531 100644 --- a/regress/reconfigure.sh +++ b/regress/reconfigure.sh | |||
| @@ -15,7 +15,7 @@ esac | |||
| 15 | 15 | ||
| 16 | start_sshd | 16 | start_sshd |
| 17 | 17 | ||
| 18 | PID=`cat $PIDFILE` | 18 | PID=`$SUDO cat $PIDFILE` |
| 19 | rm -f $PIDFILE | 19 | rm -f $PIDFILE |
| 20 | $SUDO kill -HUP $PID | 20 | $SUDO kill -HUP $PID |
| 21 | 21 | ||
diff --git a/regress/reexec.sh b/regress/reexec.sh index 4f824a31d..6edfc318e 100644 --- a/regress/reexec.sh +++ b/regress/reexec.sh | |||
| @@ -41,7 +41,7 @@ echo "InvalidXXX=no" >> $OBJ/sshd_config | |||
| 41 | 41 | ||
| 42 | copy_tests | 42 | copy_tests |
| 43 | 43 | ||
| 44 | $SUDO kill `cat $PIDFILE` | 44 | $SUDO kill `$SUDO cat $PIDFILE` |
| 45 | rm -f $PIDFILE | 45 | rm -f $PIDFILE |
| 46 | 46 | ||
| 47 | cp $OBJ/sshd_config.orig $OBJ/sshd_config | 47 | cp $OBJ/sshd_config.orig $OBJ/sshd_config |
| @@ -53,7 +53,7 @@ rm -f $SSHD_COPY | |||
| 53 | 53 | ||
| 54 | copy_tests | 54 | copy_tests |
| 55 | 55 | ||
| 56 | $SUDO kill `cat $PIDFILE` | 56 | $SUDO kill `$SUDO cat $PIDFILE` |
| 57 | rm -f $PIDFILE | 57 | rm -f $PIDFILE |
| 58 | 58 | ||
| 59 | verbose "test reexec fallback without privsep" | 59 | verbose "test reexec fallback without privsep" |
| @@ -66,7 +66,7 @@ rm -f $SSHD_COPY | |||
| 66 | 66 | ||
| 67 | copy_tests | 67 | copy_tests |
| 68 | 68 | ||
| 69 | $SUDO kill `cat $PIDFILE` | 69 | $SUDO kill `$SUDO cat $PIDFILE` |
| 70 | rm -f $PIDFILE | 70 | rm -f $PIDFILE |
| 71 | 71 | ||
| 72 | 72 | ||
diff --git a/regress/test-exec.sh b/regress/test-exec.sh index b3a19389d..b64dcdbcf 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh | |||
| @@ -167,7 +167,7 @@ have_prog() | |||
| 167 | cleanup () | 167 | cleanup () |
| 168 | { | 168 | { |
| 169 | if [ -f $PIDFILE ]; then | 169 | if [ -f $PIDFILE ]; then |
| 170 | pid=`cat $PIDFILE` | 170 | pid=`$SUDO cat $PIDFILE` |
| 171 | if [ "X$pid" = "X" ]; then | 171 | if [ "X$pid" = "X" ]; then |
| 172 | echo no sshd running | 172 | echo no sshd running |
| 173 | else | 173 | else |