Diffstat (limited to 'regress')
-rw-r--r--regress/Makefile9
-rw-r--r--regress/README.regress4
-rw-r--r--regress/cert-hostkey.sh174
-rw-r--r--regress/cert-userkey.sh221
-rw-r--r--regress/login-timeout.sh2
-rw-r--r--regress/reconfigure.sh2
-rw-r--r--regress/reexec.sh6
-rw-r--r--regress/test-exec.sh2
8 files changed, 299 insertions, 121 deletions
diff --git a/regress/Makefile b/regress/Makefile
index d25a64555..9762ab204 100644
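--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.52 2010/02/26 20:33:21 djm Exp $
+# $OpenBSD: Makefile,v 1.54 2010/06/27 19:19:56 phessler Exp $
 
 REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec
 tests: $(REGRESS_TARGETS)
@@ -69,7 +69,8 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
  scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
  sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
  known_hosts-cert host_ca_key* cert_host_key* \
- putty.rsa2 sshd_proxy_orig
+ putty.rsa2 sshd_proxy_orig \
+ authorized_principals_${USER}
 
 # Enable all malloc(3) randomisations and checks
 TEST_ENV= "MALLOC_OPTIONS=AFGJPRX"
@@ -112,13 +113,13 @@ t-exec: ${LTESTS:=.sh}
  @if [ "x$?" = "x" ]; then exit 0; fi; \
  for TEST in ""$?; do \
  echo "run test $${TEST}" ... 1>&2; \
- (env SUDO=${SUDO} TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
+ (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
  done
 
 t-exec-interop: ${INTEROP_TESTS:=.sh}
  @if [ "x$?" = "x" ]; then exit 0; fi; \
  for TEST in ""$?; do \
  echo "run test $${TEST}" ... 1>&2; \
- (env SUDO=${SUDO} TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
+ (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
  done
 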
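Review bot: On both changed recipe lines only `SUDO="${SUDO}"` gains quotes; `${.OBJDIR}` and `${.CURDIR}/$${TEST}` on the same line are still expanded unquoted, so a source or object directory whose path contains whitespace would still be split into separate arguments to test-exec.sh. Quoting them as well, `sh "${.CURDIR}/test-exec.sh" "${.OBJDIR}" "${.CURDIR}/$${TEST}"`, keeps the two recipes consistent. A one-line comment above t-exec saying that SUDO may hold a multi-word command would also record why the quotes are there; that reading is inferred from the change, not stated in it.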
diff --git a/regress/README.regress b/regress/README.regress
index 5aaf734bd..da9bb6a99 100644
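--- a/regress/README.regress
+++ b/regress/README.regress
@@ -29,7 +29,7 @@ TEST_SSH_x: path to "ssh" command under test, where x=SSH,SSHD,SSHAGENT,SSHADD
 OBJ: used by test scripts to access build dir.
 TEST_SHELL: shell used for running the test scripts.
 TEST_SSH_PORT: TCP port to be used for the listening tests.
-TEST_SSH_SSH_CONFOTPS: Configuration directives to be added to ssh_config
+TEST_SSH_SSH_CONFOPTS: Configuration directives to be added to ssh_config
  before running each test.
 TEST_SSH_SSHD_CONFOTPS: Configuration directives to be added to sshd_config
  before running each test.
@@ -105,4 +105,4 @@ Known Issues.
  test to fail. The old behaviour can be restored by setting (and
  exporting) _POSIX2_VERSION=199209 before running the tests.
 
-$Id: README.regress,v 1.10 2005/10/03 10:14:18 dtucker Exp $
+$Id: README.regress,v 1.11 2010/08/16 21:04:29 djm Exp $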
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 3fda667cb..0265e8f6b 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
@@ -28,11 +28,17 @@ for ktype in rsa dsa ; do
28 -I "regress host key for $USER" \ 28 -I "regress host key for $USER" \
29 -n $HOSTS $OBJ/cert_host_key_${ktype} || 29 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
30 fail "couldn't sign cert_host_key_${ktype}" 30 fail "couldn't sign cert_host_key_${ktype}"
31 cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
32 cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
33 ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
34 -I "regress host key for $USER" \
35 -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
36 fail "couldn't sign cert_host_key_${ktype}_v00"
31done 37done
32 38
33# Basic connect tests 39# Basic connect tests
34for privsep in yes no ; do 40for privsep in yes no ; do
35 for ktype in rsa dsa ; do 41 for ktype in rsa dsa rsa_v00 dsa_v00; do
36 verbose "$tid: host ${ktype} cert connect privsep $privsep" 42 verbose "$tid: host ${ktype} cert connect privsep $privsep"
37 ( 43 (
38 cat $OBJ/sshd_proxy_bak 44 cat $OBJ/sshd_proxy_bak
@@ -61,9 +67,15 @@ done
61 echon '@revoked ' 67 echon '@revoked '
62 echon "* " 68 echon "* "
63 cat $OBJ/cert_host_key_dsa.pub 69 cat $OBJ/cert_host_key_dsa.pub
70 echon '@revoked '
71 echon "* "
72 cat $OBJ/cert_host_key_rsa_v00.pub
73 echon '@revoked '
74 echon "* "
75 cat $OBJ/cert_host_key_dsa_v00.pub
64) > $OBJ/known_hosts-cert 76) > $OBJ/known_hosts-cert
65for privsep in yes no ; do 77for privsep in yes no ; do
66 for ktype in rsa dsa ; do 78 for ktype in rsa dsa rsa_v00 dsa_v00; do
67 verbose "$tid: host ${ktype} revoked cert privsep $privsep" 79 verbose "$tid: host ${ktype} revoked cert privsep $privsep"
68 ( 80 (
69 cat $OBJ/sshd_proxy_bak 81 cat $OBJ/sshd_proxy_bak
@@ -90,7 +102,7 @@ done
90 echon "* " 102 echon "* "
91 cat $OBJ/host_ca_key.pub 103 cat $OBJ/host_ca_key.pub
92) > $OBJ/known_hosts-cert 104) > $OBJ/known_hosts-cert
93for ktype in rsa dsa ; do 105for ktype in rsa dsa rsa_v00 dsa_v00 ; do
94 verbose "$tid: host ${ktype} revoked cert" 106 verbose "$tid: host ${ktype} revoked cert"
95 ( 107 (
96 cat $OBJ/sshd_proxy_bak 108 cat $OBJ/sshd_proxy_bak
@@ -116,32 +128,39 @@ test_one() {
116 ident=$1 128 ident=$1
117 result=$2 129 result=$2
118 sign_opts=$3 130 sign_opts=$3
119
120 verbose "$tid: test host cert connect $ident expect $result"
121
122 ${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
123 $sign_opts \
124 $OBJ/cert_host_key_rsa ||
125 fail "couldn't sign cert_host_key_rsa"
126 (
127 cat $OBJ/sshd_proxy_bak
128 echo HostKey $OBJ/cert_host_key_rsa
129 echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub
130 ) > $OBJ/sshd_proxy
131 131
132 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 132 for kt in rsa rsa_v00 ; do
133 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 133 case $kt in
134 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 134 *_v00) args="-t v00" ;;
135 rc=$? 135 *) args="" ;;
136 if [ "x$result" = "xsuccess" ] ; then 136 esac
137 if [ $rc -ne 0 ]; then 137
138 fail "ssh cert connect $ident failed unexpectedly" 138 verbose "$tid: host cert connect $ident $kt expect $result"
139 fi 139 ${SSHKEYGEN} -q -s $OBJ/host_ca_key \
140 else 140 -I "regress host key for $USER" \
141 if [ $rc -eq 0 ]; then 141 $sign_opts $args \
142 fail "ssh cert connect $ident succeeded unexpectedly" 142 $OBJ/cert_host_key_${kt} ||
143 fail "couldn't sign cert_host_key_${kt}"
144 (
145 cat $OBJ/sshd_proxy_bak
146 echo HostKey $OBJ/cert_host_key_${kt}
147 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
148 ) > $OBJ/sshd_proxy
149
150 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
151 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
152 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
153 rc=$?
154 if [ "x$result" = "xsuccess" ] ; then
155 if [ $rc -ne 0 ]; then
156 fail "ssh cert connect $ident failed unexpectedly"
157 fi
158 else
159 if [ $rc -eq 0 ]; then
160 fail "ssh cert connect $ident succeeded unexpectedly"
161 fi
143 fi 162 fi
144 fi 163 done
145} 164}
146 165
147test_one "user-certificate" failure "-n $HOSTS" 166test_one "user-certificate" failure "-n $HOSTS"
@@ -153,32 +172,35 @@ test_one "cert valid interval" success "-h -V-1w:+2w"
153test_one "cert has constraints" failure "-h -Oforce-command=false" 172test_one "cert has constraints" failure "-h -Oforce-command=false"
154 173
155# Check downgrade of cert to raw key when no CA found 174# Check downgrade of cert to raw key when no CA found
156rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* 175for v in v01 v00 ; do
157for ktype in rsa dsa ; do 176 for ktype in rsa dsa ; do
158 verbose "$tid: host ${ktype} cert downgrade to raw key" 177 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
159 # Generate and sign a host key 178 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
160 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 179 # Generate and sign a host key
161 -f $OBJ/cert_host_key_${ktype} || \ 180 ${SSHKEYGEN} -q -N '' -t ${ktype} \
162 fail "ssh-keygen of cert_host_key_${ktype} failed" 181 -f $OBJ/cert_host_key_${ktype} || \
163 ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \ 182 fail "ssh-keygen of cert_host_key_${ktype} failed"
164 -n $HOSTS $OBJ/cert_host_key_${ktype} || 183 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
165 fail "couldn't sign cert_host_key_${ktype}" 184 -I "regress host key for $USER" \
166 ( 185 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
167 echon "$HOSTS " 186 fail "couldn't sign cert_host_key_${ktype}"
168 cat $OBJ/cert_host_key_${ktype}.pub 187 (
169 ) > $OBJ/known_hosts-cert 188 echon "$HOSTS "
170 ( 189 cat $OBJ/cert_host_key_${ktype}.pub
171 cat $OBJ/sshd_proxy_bak 190 ) > $OBJ/known_hosts-cert
172 echo HostKey $OBJ/cert_host_key_${ktype} 191 (
173 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 192 cat $OBJ/sshd_proxy_bak
174 ) > $OBJ/sshd_proxy 193 echo HostKey $OBJ/cert_host_key_${ktype}
175 194 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
176 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 195 ) > $OBJ/sshd_proxy
177 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 196
178 -F $OBJ/ssh_proxy somehost true 197 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
179 if [ $? -ne 0 ]; then 198 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
180 fail "ssh cert connect failed" 199 -F $OBJ/ssh_proxy somehost true
181 fi 200 if [ $? -ne 0 ]; then
201 fail "ssh cert connect failed"
202 fi
203 done
182done 204done
183 205
184# Wrong certificate 206# Wrong certificate
@@ -187,25 +209,31 @@ done
187 echon "$HOSTS " 209 echon "$HOSTS "
188 cat $OBJ/host_ca_key.pub 210 cat $OBJ/host_ca_key.pub
189) > $OBJ/known_hosts-cert 211) > $OBJ/known_hosts-cert
190for ktype in rsa dsa ; do 212for v in v01 v00 ; do
191 # Self-sign key 213 for kt in rsa dsa ; do
192 ${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \ 214 rm -f $OBJ/cert_host_key*
193 -I "regress host key for $USER" \ 215 # Self-sign key
194 -n $HOSTS $OBJ/cert_host_key_${ktype} || 216 ${SSHKEYGEN} -q -N '' -t ${kt} \
195 fail "couldn't sign cert_host_key_${ktype}" 217 -f $OBJ/cert_host_key_${kt} || \
196 verbose "$tid: host ${ktype} connect wrong cert" 218 fail "ssh-keygen of cert_host_key_${kt} failed"
197 ( 219 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
198 cat $OBJ/sshd_proxy_bak 220 -I "regress host key for $USER" \
199 echo HostKey $OBJ/cert_host_key_${ktype} 221 -n $HOSTS $OBJ/cert_host_key_${kt} ||
200 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 222 fail "couldn't sign cert_host_key_${kt}"
201 ) > $OBJ/sshd_proxy 223 verbose "$tid: host ${kt} connect wrong cert"
202 224 (
203 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 225 cat $OBJ/sshd_proxy_bak
204 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 226 echo HostKey $OBJ/cert_host_key_${kt}
205 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 227 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
206 if [ $? -eq 0 ]; then 228 ) > $OBJ/sshd_proxy
207 fail "ssh cert connect $ident succeeded unexpectedly" 229
208 fi 230 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
231 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
232 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
233 if [ $? -eq 0 ]; then
234 fail "ssh cert connect $ident succeeded unexpectedly"
235 fi
236 done
209done 237done
210 238
211rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* 239rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
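Review bot: In the rewritten "Wrong certificate" loop the failure message still interpolates `$ident`, which in the visible hunks is assigned only inside test_one(), so a regression here would be reported under the label of whichever test_one call ran last. The `verbose` line in the same loop also leaves out `${v}`, so the v01 and v00 passes are indistinguishable in the log. Suggest `verbose "$tid: host ${kt} ${v} connect wrong cert"` and `fail "ssh cert connect wrong cert ${kt} ${v} succeeded unexpectedly"`. The new `for kt` loop in test_one() has the same gap: its two `fail` messages name `$ident` but not `$kt`, so a failure does not say which certificate format was wrongly accepted or rejected.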
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 7a58e7b75..a41a9a9c0 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $ 1# $OpenBSD: cert-userkey.sh,v 1.6 2010/06/29 23:59:54 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified user keys" 4tid="certified user keys"
@@ -18,8 +18,128 @@ for ktype in rsa dsa ; do
18 fail "ssh-keygen of cert_user_key_${ktype} failed" 18 fail "ssh-keygen of cert_user_key_${ktype} failed"
19 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \ 19 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
20 "regress user key for $USER" \ 20 "regress user key for $USER" \
21 -n $USER $OBJ/cert_user_key_${ktype} || 21 -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
22 fail "couldn't sign cert_user_key_${ktype}" 22 fail "couldn't sign cert_user_key_${ktype}"
23 cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
24 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
25 ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
26 "regress user key for $USER" \
27 -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
28 fail "couldn't sign cert_user_key_${ktype}_v00"
29done
30
31# Test explicitly-specified principals
32for ktype in rsa dsa rsa_v00 dsa_v00 ; do
33 for privsep in yes no ; do
34 _prefix="${ktype} privsep $privsep"
35
36 # Setup for AuthorizedPrincipalsFile
37 rm -f $OBJ/authorized_keys_$USER
38 (
39 cat $OBJ/sshd_proxy_bak
40 echo "UsePrivilegeSeparation $privsep"
41 echo "AuthorizedPrincipalsFile " \
42 "$OBJ/authorized_principals_%u"
43 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
44 ) > $OBJ/sshd_proxy
45
46 # Missing authorized_principals
47 verbose "$tid: ${_prefix} missing authorized_principals"
48 rm -f $OBJ/authorized_principals_$USER
49 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
50 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
51 if [ $? -eq 0 ]; then
52 fail "ssh cert connect succeeded unexpectedly"
53 fi
54
55 # Empty authorized_principals
56 verbose "$tid: ${_prefix} empty authorized_principals"
57 echo > $OBJ/authorized_principals_$USER
58 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
59 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
60 if [ $? -eq 0 ]; then
61 fail "ssh cert connect succeeded unexpectedly"
62 fi
63
64 # Wrong authorized_principals
65 verbose "$tid: ${_prefix} wrong authorized_principals"
66 echo gregorsamsa > $OBJ/authorized_principals_$USER
67 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
68 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
69 if [ $? -eq 0 ]; then
70 fail "ssh cert connect succeeded unexpectedly"
71 fi
72
73 # Correct authorized_principals
74 verbose "$tid: ${_prefix} correct authorized_principals"
75 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
76 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
77 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
78 if [ $? -ne 0 ]; then
79 fail "ssh cert connect failed"
80 fi
81
82 # authorized_principals with bad key option
83 verbose "$tid: ${_prefix} authorized_principals bad key opt"
84 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
85 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
86 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
87 if [ $? -eq 0 ]; then
88 fail "ssh cert connect succeeded unexpectedly"
89 fi
90
91 # authorized_principals with command=false
92 verbose "$tid: ${_prefix} authorized_principals command=false"
93 echo 'command="false" mekmitasdigoat' > \
94 $OBJ/authorized_principals_$USER
95 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
96 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
97 if [ $? -eq 0 ]; then
98 fail "ssh cert connect succeeded unexpectedly"
99 fi
100
101
102 # authorized_principals with command=true
103 verbose "$tid: ${_prefix} authorized_principals command=true"
104 echo 'command="true" mekmitasdigoat' > \
105 $OBJ/authorized_principals_$USER
106 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
107 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
108 if [ $? -ne 0 ]; then
109 fail "ssh cert connect failed"
110 fi
111
112 # Setup for principals= key option
113 rm -f $OBJ/authorized_principals_$USER
114 (
115 cat $OBJ/sshd_proxy_bak
116 echo "UsePrivilegeSeparation $privsep"
117 ) > $OBJ/sshd_proxy
118
119 # Wrong principals list
120 verbose "$tid: ${_prefix} wrong principals key option"
121 (
122 echon 'cert-authority,principals="gregorsamsa" '
123 cat $OBJ/user_ca_key.pub
124 ) > $OBJ/authorized_keys_$USER
125 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
126 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
127 if [ $? -eq 0 ]; then
128 fail "ssh cert connect succeeded unexpectedly"
129 fi
130
131 # Correct principals list
132 verbose "$tid: ${_prefix} correct principals key option"
133 (
134 echon 'cert-authority,principals="mekmitasdigoat" '
135 cat $OBJ/user_ca_key.pub
136 ) > $OBJ/authorized_keys_$USER
137 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
138 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
139 if [ $? -ne 0 ]; then
140 fail "ssh cert connect failed"
141 fi
142 done
23done 143done
24 144
25basic_tests() { 145basic_tests() {
@@ -35,7 +155,7 @@ basic_tests() {
35 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" 155 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
36 fi 156 fi
37 157
38 for ktype in rsa dsa ; do 158 for ktype in rsa dsa rsa_v00 dsa_v00 ; do
39 for privsep in yes no ; do 159 for privsep in yes no ; do
40 _prefix="${ktype} privsep $privsep $auth" 160 _prefix="${ktype} privsep $privsep $auth"
41 # Simple connect 161 # Simple connect
@@ -102,45 +222,50 @@ test_one() {
102 result=$2 222 result=$2
103 sign_opts=$3 223 sign_opts=$3
104 auth_choice=$4 224 auth_choice=$4
225 auth_opt=$5
105 226
106 if test "x$auth_choice" = "x" ; then 227 if test "x$auth_choice" = "x" ; then
107 auth_choice="authorized_keys TrustedUserCAKeys" 228 auth_choice="authorized_keys TrustedUserCAKeys"
108 fi 229 fi
109 230
110 for auth in $auth_choice ; do 231 for auth in $auth_choice ; do
111 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy 232 for ktype in rsa rsa_v00 ; do
112 if test "x$auth" = "xauthorized_keys" ; then 233 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
113 # Add CA to authorized_keys 234 if test "x$auth" = "xauthorized_keys" ; then
114 ( 235 # Add CA to authorized_keys
115 echon 'cert-authority ' 236 (
116 cat $OBJ/user_ca_key.pub 237 echon "cert-authority${auth_opt} "
117 ) > $OBJ/authorized_keys_$USER 238 cat $OBJ/user_ca_key.pub
118 else 239 ) > $OBJ/authorized_keys_$USER
119 echo > $OBJ/authorized_keys_$USER 240 else
120 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \ 241 echo > $OBJ/authorized_keys_$USER
121 $OBJ/sshd_proxy 242 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
122 243 >> $OBJ/sshd_proxy
123 fi 244 if test "x$auth_opt" != "x" ; then
124 245 echo $auth_opt >> $OBJ/sshd_proxy
125 verbose "$tid: $ident auth $auth expect $result" 246 fi
126 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
127 -I "regress user key for $USER" \
128 $sign_opts \
129 $OBJ/cert_user_key_rsa ||
130 fail "couldn't sign cert_user_key_rsa"
131
132 ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
133 somehost true >/dev/null 2>&1
134 rc=$?
135 if [ "x$result" = "xsuccess" ] ; then
136 if [ $rc -ne 0 ]; then
137 fail "$ident failed unexpectedly"
138 fi 247 fi
139 else 248
140 if [ $rc -eq 0 ]; then 249 verbose "$tid: $ident auth $auth expect $result $ktype"
141 fail "$ident succeeded unexpectedly" 250 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
251 -I "regress user key for $USER" \
252 $sign_opts \
253 $OBJ/cert_user_key_${ktype} ||
254 fail "couldn't sign cert_user_key_${ktype}"
255
256 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
257 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
258 rc=$?
259 if [ "x$result" = "xsuccess" ] ; then
260 if [ $rc -ne 0 ]; then
261 fail "$ident failed unexpectedly"
262 fi
263 else
264 if [ $rc -eq 0 ]; then
265 fail "$ident succeeded unexpectedly"
266 fi
142 fi 267 fi
143 fi 268 done
144 done 269 done
145} 270}
146 271
@@ -157,10 +282,33 @@ test_one "force-command" failure "-n ${USER} -Oforce-command=false"
157test_one "empty principals" success "" authorized_keys 282test_one "empty principals" success "" authorized_keys
158test_one "empty principals" failure "" TrustedUserCAKeys 283test_one "empty principals" failure "" TrustedUserCAKeys
159 284
285# Check explicitly-specified principals: an empty principals list in the cert
286# should always be refused.
287
288# AuthorizedPrincipalsFile
289rm -f $OBJ/authorized_keys_$USER
290echo mekmitasdigoat > $OBJ/authorized_principals_$USER
291test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
292 TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
293test_one "AuthorizedPrincipalsFile no principals" failure "" \
294 TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
295
296# principals= key option
297rm -f $OBJ/authorized_principals_$USER
298test_one "principals key option principals" success "-n mekmitasdigoat" \
299 authorized_keys ',principals="mekmitasdigoat"'
300test_one "principals key option no principals" failure "" \
301 authorized_keys ',principals="mekmitasdigoat"'
302
160# Wrong certificate 303# Wrong certificate
161for ktype in rsa dsa ; do 304cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
305for ktype in rsa dsa rsa_v00 dsa_v00 ; do
306 case $ktype in
307 *_v00) args="-t v00" ;;
308 *) args="" ;;
309 esac
162 # Self-sign 310 # Self-sign
163 ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ 311 ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
164 "regress user key for $USER" \ 312 "regress user key for $USER" \
165 -n $USER $OBJ/cert_user_key_${ktype} || 313 -n $USER $OBJ/cert_user_key_${ktype} ||
166 fail "couldn't sign cert_user_key_${ktype}" 314 fail "couldn't sign cert_user_key_${ktype}"
@@ -173,4 +321,5 @@ for ktype in rsa dsa ; do
173done 321done
174 322
175rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* 323rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
324rm -f $OBJ/authorized_principals_$USER
176 325
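Review bot: The "Empty authorized_principals" case in the new explicit-principals loop creates the file with `echo > $OBJ/authorized_principals_$USER`, which writes a single blank line rather than a zero-length file, so a truly empty file is never exercised. Adding a sibling case that uses `: > $OBJ/authorized_principals_$USER` would cover both inputs to the principals-file parsing. Separately, the TrustedUserCAKeys branch of test_one() appends the option with `echo $auth_opt >> $OBJ/sshd_proxy` unquoted; `echo "$auth_opt" >> $OBJ/sshd_proxy` avoids word splitting and globbing should `$OBJ` ever contain whitespace or glob characters. A short comment above test_one() describing the new fifth argument (a suffix for `cert-authority` in authorized_keys mode, a full sshd_config line in TrustedUserCAKeys mode) would help, since the two uses differ.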
diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh
index 15a887f74..55fbb324d 100644
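--- a/regress/login-timeout.sh
+++ b/regress/login-timeout.sh
@@ -15,7 +15,7 @@ if [ $? -ne 0 ]; then
  fail "ssh connect after login grace timeout failed with privsep"
 fi
 
-$SUDO kill `cat $PIDFILE`
+$SUDO kill `$SUDO cat $PIDFILE`
 
 trace "test login grace without privsep"
 echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config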
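Review bot: The privileged kill takes its argument straight from the pidfile with no check, so if `$SUDO cat $PIDFILE` fails or returns nothing the line runs `$SUDO kill` with no PID and the test carries on without reporting it. cleanup() in test-exec.sh, changed in this same commit, already reads the value into `pid` and tests `[ "X$pid" = "X" ]` before killing; doing the same here and calling `fail "no sshd pid in $PIDFILE"` on the empty case would surface a daemon that never started. The same unchecked pattern is in the three `$SUDO kill` lines changed in reexec.sh and in reconfigure.sh, where an empty `$PID` reaches `$SUDO kill -HUP $PID`. Because the value is handed to a privileged command, it is also worth confirming that the pidfile's directory is writable only by the user running the tests; that is not visible in these hunks.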
diff --git a/regress/reconfigure.sh b/regress/reconfigure.sh
index 1daf29f9a..9fd289531 100644
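--- a/regress/reconfigure.sh
+++ b/regress/reconfigure.sh
@@ -15,7 +15,7 @@ esac
 
 start_sshd
 
-PID=`cat $PIDFILE`
+PID=`$SUDO cat $PIDFILE`
 rm -f $PIDFILE
 $SUDO kill -HUP $PID
 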
diff --git a/regress/reexec.sh b/regress/reexec.sh
index 4f824a31d..6edfc318e 100644
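--- a/regress/reexec.sh
+++ b/regress/reexec.sh
@@ -41,7 +41,7 @@ echo "InvalidXXX=no" >> $OBJ/sshd_config
 
 copy_tests
 
-$SUDO kill `cat $PIDFILE`
+$SUDO kill `$SUDO cat $PIDFILE`
 rm -f $PIDFILE
 
 cp $OBJ/sshd_config.orig $OBJ/sshd_config
@@ -53,7 +53,7 @@ rm -f $SSHD_COPY
 
 copy_tests
 
-$SUDO kill `cat $PIDFILE`
+$SUDO kill `$SUDO cat $PIDFILE`
 rm -f $PIDFILE
 
 verbose "test reexec fallback without privsep"
@@ -66,7 +66,7 @@ rm -f $SSHD_COPY
 
 copy_tests
 
-$SUDO kill `cat $PIDFILE`
+$SUDO kill `$SUDO cat $PIDFILE`
 rm -f $PIDFILE
 
 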
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index b3a19389d..b64dcdbcf 100644
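--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -167,7 +167,7 @@ have_prog()
 cleanup ()
 {
  if [ -f $PIDFILE ]; then
- pid=`cat $PIDFILE`
+ pid=`$SUDO cat $PIDFILE`
  if [ "X$pid" = "X" ]; then
  echo no sshd running
  else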