Diffstat (limited to 'regress')
-rw-r--r-- | regress/Makefile | 5 | ||||
-rw-r--r-- | regress/multipubkey.sh | 66 |
2 files changed, 69 insertions, 2 deletions
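--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.71 2014/12/22 02:15:52 djm Exp $
+# $OpenBSD: Makefile,v 1.72 2014/12/22 08:06:03 djm Exp $
 
 REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t-exec
 tests: $(REGRESS_TARGETS)
@@ -64,7 +64,8 @@ LTESTS= connect \
 keys-command \
 forward-control \
 integrity \
-krl
+krl \
+multipubkey
 # dhgex \
 
 INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers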
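--- /dev/null
+++ b/regress/multipubkey.sh
@@ -0,0 +1,66 @@
+# $OpenBSD: multipubkey.sh,v 1.1 2014/12/22 08:06:03 djm Exp $
+# Placed in the Public Domain.
+
+tid="multiple pubkey"
+
+rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/user_key*
+rm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key*
+
+mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
+mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
+
+# Create a CA key
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key ||\
+fatal "ssh-keygen failed"
+
+# Make some keys and a certificate.
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \
+fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \
+fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+-z $$ -n ${USER},mekmitasdigoat $OBJ/user_key1 ||
+fail "couldn't sign user_key1"
+# Copy the private key alongside the cert to allow better control of when
+# it is offered.
+mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1.pub
+cp -p $OBJ/user_key1 $OBJ/cert_user_key1
+
+grep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy
+
+opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
+opts="$opts -i $OBJ/cert_user_key1 -i $OBJ/user_key1 -i $OBJ/user_key2"
+
+for privsep in no yes; do
+(
+grep -v "Protocol" $OBJ/sshd_proxy.orig
+echo "Protocol 2"
+echo "UsePrivilegeSeparation $privsep"
+echo "AuthenticationMethods publickey,publickey"
+echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+echo "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
+) > $OBJ/sshd_proxy
+
+# Single key should fail.
+rm -f $OBJ/authorized_principals_$USER
+cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER
+${SSH} $opts proxy true && fail "ssh succeeded with key"
+
+# Single key with same-public cert should fail.
+echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER
+${SSH} $opts proxy true && fail "ssh succeeded with key+cert"
+
+# Multiple plain keys should succeed.
+rm -f $OBJ/authorized_principals_$USER
+cat $OBJ/user_key1.pub $OBJ/user_key2.pub > \
+$OBJ/authorized_keys_$USER
+${SSH} $opts proxy true || fail "ssh failed with multiple keys"
+# Cert and different key should succeed
+
+# Key and different-public cert should succeed.
+echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+cat $OBJ/user_key2.pub > $OBJ/authorized_keys_$USER
+${SSH} $opts proxy true || fail "ssh failed with key/cert"
+done
+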
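Review bot: The comment `# Cert and different key should succeed` at new line 59 has no test under it, so the case was either dropped or the comment is a leftover; with the fixed client identity order of line 32 (cert_user_key1, user_key1, user_key2) it describes the same cert1-plus-key2 combination that lines 61–64 already exercise, so the line should be deleted or the intended distinct case spelled out. Line 23 uses `fail` for the certificate signing step while the three keygen steps above use `fatal`; a failed signing is recorded but the loop still runs without a certificate, so the negative checks at lines 47 and 52 then pass only because no cert exists, which muddies the diagnosis — `fatal "couldn't sign user_key1"` stops at the real cause, consistent with the earlier steps. Lines 9–10 move sshd_proxy and ssh_proxy aside and never move them back, which is only safe if the harness regenerates both per test; that is not visible from this hunk and worth confirming.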