From 58ac6de9648ea1e4d99061013965e0581abff101 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Sat, 27 Feb 2010 07:57:12 +1100
Subject:    - djm@cvs.openbsd.org 2010/02/26 20:33:21      [Makefile
 regress/cert-hostkey.sh regress/cert-userkey.sh]      regression tests for
 certified keys

---
 regress/cert-userkey.sh | 89 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 regress/cert-userkey.sh

(limited to 'regress/cert-userkey.sh')

diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
new file mode 100644
index 000000000..307e7236f
--- /dev/null
+++ b/regress/cert-userkey.sh
@@ -0,0 +1,89 @@
+#	$OpenBSD: cert-userkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
+#	Placed in the Public Domain.
+
+tid="certified user keys"
+
+rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+# Create a CA key and add it to authorized_keys
+${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
+	fail "ssh-keygen of user_ca_key failed"
+(
+	echo -n 'cert-authority '
+	cat $OBJ/user_ca_key.pub
+) > $OBJ/authorized_keys_$USER
+
+# Generate and sign user keys
+for ktype in rsa dsa ; do 
+	verbose "$tid: sign user ${ktype} cert"
+	${SSHKEYGEN} -q -N '' -t ${ktype} \
+	    -f $OBJ/cert_user_key_${ktype} || \
+		fail "ssh-keygen of cert_user_key_${ktype} failed"
+	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
+	    "regress user key for $USER" \
+	    -n $USER $OBJ/cert_user_key_${ktype} ||
+		fail "couldn't sign cert_user_key_${ktype}"
+
+done
+
+# Basic connect tests
+for privsep in yes no ; do
+	for ktype in rsa dsa ; do 
+		verbose "$tid: user ${ktype} cert connect privsep $privsep"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo "UsePrivilegeSeparation $privsep"
+		) > $OBJ/sshd_proxy
+
+		${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+		    somehost true
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
+	done
+done
+
+verbose "$tid: ensure CA key does not authenticate user"
+${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+	fail "ssh cert connect with CA key succeeded unexpectedly"
+fi
+
+test_one() {
+	ident=$1
+	result=$2
+	sign_opts=$3
+	
+	verbose "$tid: test user cert connect $ident expect $result"
+
+	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+	    $sign_opts \
+	    $OBJ/cert_user_key_rsa ||
+		fail "couldn't sign cert_user_key_rsa"
+
+	${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
+	    somehost true >/dev/null 2>&1
+	rc=$?
+	if [ "x$result" = "xsuccess" ] ; then
+		if [ $rc -ne 0 ]; then
+			fail "ssh cert connect $ident failed unexpectedly"
+		fi
+	else
+		if [ $rc -eq 0 ]; then
+			fail "ssh cert connect $ident succeeded unexpectedly"
+		fi
+	fi
+	cleanup
+}
+
+test_one "host-certificate"	failure "-h"
+test_one "empty principals"	success ""
+test_one "wrong principals"	failure "-n foo"
+test_one "cert not yet valid"	failure "-V20200101:20300101"
+test_one "cert expired"		failure "-V19800101:19900101"
+test_one "cert valid interval"	success "-V-1w:+2w"
+test_one "wrong source-address"	failure "-Osource-address=10.0.0.0/8"
+test_one "force-command"	failure "-Oforce-command=false"
+
+rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
-- 
cgit v1.2.3


From 386dbc05e9c8c34dde5abe62a7804b4747b0de06 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Wed, 3 Mar 2010 13:22:41 +1100
Subject:  - (djm) [regress/cert-userkey.sh] s/echo -n/echon/ here too

---
 ChangeLog               | 1 +
 regress/cert-userkey.sh | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

(limited to 'regress/cert-userkey.sh')

diff --git a/ChangeLog b/ChangeLog
index 911467dd0..21417e6be 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,7 @@
      [ssh-keygen.c]
      POSIX strptime is stricter than OpenBSD's so do a little dance to
      appease it.
+ - (djm) [regress/cert-userkey.sh] s/echo -n/echon/ here too
 
 20100302
  - (tim) [config.guess config.sub] Bug 1722: Update to latest versions from
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 307e7236f..9588e0b6b 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -10,7 +10,7 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
 	fail "ssh-keygen of user_ca_key failed"
 (
-	echo -n 'cert-authority '
+	echon 'cert-authority '
 	cat $OBJ/user_ca_key.pub
 ) > $OBJ/authorized_keys_$USER
 
-- 
cgit v1.2.3


From 017d1e777ef197eab866b9d0046e000a46baf10b Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Thu, 4 Mar 2010 21:57:21 +1100
Subject:    - djm@cvs.openbsd.org 2010/03/03 00:47:23     
 [regress/cert-hostkey.sh regress/cert-userkey.sh]      add an extra test to
 ensure that authentication with the wrong      certificate fails as it should
 (and it does)

---
 ChangeLog               |  4 ++++
 regress/cert-hostkey.sh | 29 ++++++++++++++++++++++++++++-
 regress/cert-userkey.sh | 18 ++++++++++++++++--
 3 files changed, 48 insertions(+), 3 deletions(-)

(limited to 'regress/cert-userkey.sh')

diff --git a/ChangeLog b/ChangeLog
index 07d4aeb05..116ce569a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -35,6 +35,10 @@
      authentication.
      
      feedback and ok markus@
+   - djm@cvs.openbsd.org 2010/03/03 00:47:23
+     [regress/cert-hostkey.sh regress/cert-userkey.sh]
+     add an extra test to ensure that authentication with the wrong
+     certificate fails as it should (and it does)
 
 20100303
  - (djm) [PROTOCOL.certkeys] Add RCS Ident
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 9539a927f..9097a1359 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
 #	Placed in the Public Domain.
 
 tid="certified host keys"
@@ -119,4 +119,31 @@ for ktype in rsa dsa ; do
 	fi
 done
 
+# Wrong certificate
+(
+	echon '@cert-authority '
+	echon "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+for ktype in rsa dsa ; do 
+	# Self-sign key
+	${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \
+	    -I "regress host key for $USER" \
+	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+		fail "couldn't sign cert_host_key_${ktype}"
+	verbose "$tid: host ${ktype} connect wrong cert"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo HostKey $OBJ/cert_host_key_${ktype}
+		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+	) > $OBJ/sshd_proxy
+
+	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect $ident succeeded unexpectedly"
+	fi
+done
+
 rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 9588e0b6b..874915205 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-userkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
 #	Placed in the Public Domain.
 
 tid="certified user keys"
@@ -24,7 +24,6 @@ for ktype in rsa dsa ; do
 	    "regress user key for $USER" \
 	    -n $USER $OBJ/cert_user_key_${ktype} ||
 		fail "couldn't sign cert_user_key_${ktype}"
-
 done
 
 # Basic connect tests
@@ -86,4 +85,19 @@ test_one "cert valid interval"	success "-V-1w:+2w"
 test_one "wrong source-address"	failure "-Osource-address=10.0.0.0/8"
 test_one "force-command"	failure "-Oforce-command=false"
 
+# Wrong certificate
+for ktype in rsa dsa ; do 
+	# Self-sign
+	${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
+	    "regress user key for $USER" \
+	    -n $USER $OBJ/cert_user_key_${ktype} ||
+		fail "couldn't sign cert_user_key_${ktype}"
+	verbose "$tid: user ${ktype} connect wrong cert"
+	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+	    somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect $ident succeeded unexpectedly"
+	fi
+done
+
 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
-- 
cgit v1.2.3


From 700dcfa3e0a98be44f2e3675849055984f04a70a Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Thu, 4 Mar 2010 21:58:01 +1100
Subject:    - djm@cvs.openbsd.org 2010/03/04 10:38:23     
 [regress/cert-hostkey.sh regress/cert-userkey.sh]      additional regression
 tests for revoked keys and TrustedUserCAKeys

---
 ChangeLog               |   3 +
 regress/cert-hostkey.sh |  64 ++++++++++++++++++-
 regress/cert-userkey.sh | 161 +++++++++++++++++++++++++++++++++++-------------
 3 files changed, 183 insertions(+), 45 deletions(-)

(limited to 'regress/cert-userkey.sh')

diff --git a/ChangeLog b/ChangeLog
index 116ce569a..f6c61d89d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -39,6 +39,9 @@
      [regress/cert-hostkey.sh regress/cert-userkey.sh]
      add an extra test to ensure that authentication with the wrong
      certificate fails as it should (and it does)
+   - djm@cvs.openbsd.org 2010/03/04 10:38:23
+     [regress/cert-hostkey.sh regress/cert-userkey.sh]
+     additional regression tests for revoked keys and TrustedUserCAKeys
 
 20100303
  - (djm) [PROTOCOL.certkeys] Add RCS Ident
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 9097a1359..3fda667cb 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
 #	Placed in the Public Domain.
 
 tid="certified host keys"
@@ -50,6 +50,68 @@ for privsep in yes no ; do
 	done
 done
 
+# Revoked certificates with key present
+(
+	echon '@cert-authority '
+	echon "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+	echon '@revoked '
+	echon "* "
+	cat $OBJ/cert_host_key_rsa.pub
+	echon '@revoked '
+	echon "* "
+	cat $OBJ/cert_host_key_dsa.pub
+) > $OBJ/known_hosts-cert
+for privsep in yes no ; do
+	for ktype in rsa dsa ; do 
+		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo HostKey $OBJ/cert_host_key_${ktype}
+			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+			echo UsePrivilegeSeparation $privsep
+		) > $OBJ/sshd_proxy
+
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+			-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+	done
+done
+
+# Revoked CA
+(
+	echon '@cert-authority '
+	echon "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+	echon '@revoked '
+	echon "* "
+	cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+for ktype in rsa dsa ; do 
+	verbose "$tid: host ${ktype} revoked cert"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo HostKey $OBJ/cert_host_key_${ktype}
+		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+	) > $OBJ/sshd_proxy
+	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi
+done
+
+# Create a CA key and add it to known hosts
+(
+	echon '@cert-authority '
+	echon "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+
 test_one() {
 	ident=$1
 	result=$2
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 874915205..7a58e7b75 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-userkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
 #	Placed in the Public Domain.
 
 tid="certified user keys"
@@ -6,13 +6,9 @@ tid="certified user keys"
 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
-# Create a CA key and add it to authorized_keys
+# Create a CA key
 ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
 	fail "ssh-keygen of user_ca_key failed"
-(
-	echon 'cert-authority '
-	cat $OBJ/user_ca_key.pub
-) > $OBJ/authorized_keys_$USER
 
 # Generate and sign user keys
 for ktype in rsa dsa ; do 
@@ -26,64 +22,140 @@ for ktype in rsa dsa ; do
 		fail "couldn't sign cert_user_key_${ktype}"
 done
 
-# Basic connect tests
-for privsep in yes no ; do
+basic_tests() {
+	auth=$1
+	if test "x$auth" = "xauthorized_keys" ; then
+		# Add CA to authorized_keys
+		(
+			echon 'cert-authority '
+			cat $OBJ/user_ca_key.pub
+		) > $OBJ/authorized_keys_$USER
+	else
+		echo > $OBJ/authorized_keys_$USER
+		extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
+	fi
+	
 	for ktype in rsa dsa ; do 
-		verbose "$tid: user ${ktype} cert connect privsep $privsep"
+		for privsep in yes no ; do
+			_prefix="${ktype} privsep $privsep $auth"
+			# Simple connect
+			verbose "$tid: ${_prefix} connect"
+			(
+				cat $OBJ/sshd_proxy_bak
+				echo "UsePrivilegeSeparation $privsep"
+				echo "$extra_sshd"
+			) > $OBJ/sshd_proxy
+	
+			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			    -F $OBJ/ssh_proxy somehost true
+			if [ $? -ne 0 ]; then
+				fail "ssh cert connect failed"
+			fi
+
+			# Revoked keys
+			verbose "$tid: ${_prefix} revoked key"
+			(
+				cat $OBJ/sshd_proxy_bak
+				echo "UsePrivilegeSeparation $privsep"
+				echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
+				echo "$extra_sshd"
+			) > $OBJ/sshd_proxy
+			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+			if [ $? -eq 0 ]; then
+				fail "ssh cert connect succeeded unexpecedly"
+			fi
+		done
+	
+		# Revoked CA
+		verbose "$tid: ${ktype} $auth revoked CA key"
 		(
 			cat $OBJ/sshd_proxy_bak
-			echo "UsePrivilegeSeparation $privsep"
+			echo "RevokedKeys $OBJ/user_ca_key.pub"
+			echo "$extra_sshd"
 		) > $OBJ/sshd_proxy
-
 		${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
-		    somehost true
-		if [ $? -ne 0 ]; then
-			fail "ssh cert connect failed"
+		    somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpecedly"
 		fi
 	done
-done
+	
+	verbose "$tid: $auth CA does not authenticate"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo "$extra_sshd"
+	) > $OBJ/sshd_proxy
+	verbose "$tid: ensure CA key does not authenticate user"
+	${SSH} -2i $OBJ/user_ca_key \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect with CA key succeeded unexpectedly"
+	fi
+}
 
-verbose "$tid: ensure CA key does not authenticate user"
-${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-if [ $? -eq 0 ]; then
-	fail "ssh cert connect with CA key succeeded unexpectedly"
-fi
+basic_tests authorized_keys
+basic_tests TrustedUserCAKeys
 
 test_one() {
 	ident=$1
 	result=$2
 	sign_opts=$3
-	
-	verbose "$tid: test user cert connect $ident expect $result"
+	auth_choice=$4
+
+	if test "x$auth_choice" = "x" ; then
+		auth_choice="authorized_keys TrustedUserCAKeys"
+	fi
 
-	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
-	    $sign_opts \
-	    $OBJ/cert_user_key_rsa ||
-		fail "couldn't sign cert_user_key_rsa"
+	for auth in $auth_choice ; do
+		cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+		if test "x$auth" = "xauthorized_keys" ; then
+			# Add CA to authorized_keys
+			(
+				echon 'cert-authority '
+				cat $OBJ/user_ca_key.pub
+			) > $OBJ/authorized_keys_$USER
+		else
+			echo > $OBJ/authorized_keys_$USER
+			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \
+			    $OBJ/sshd_proxy
 
-	${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
-	    somehost true >/dev/null 2>&1
-	rc=$?
-	if [ "x$result" = "xsuccess" ] ; then
-		if [ $rc -ne 0 ]; then
-			fail "ssh cert connect $ident failed unexpectedly"
 		fi
-	else
-		if [ $rc -eq 0 ]; then
-			fail "ssh cert connect $ident succeeded unexpectedly"
+		
+		verbose "$tid: $ident auth $auth expect $result"
+		${SSHKEYGEN} -q -s $OBJ/user_ca_key \
+		    -I "regress user key for $USER" \
+		    $sign_opts \
+		    $OBJ/cert_user_key_rsa ||
+			fail "couldn't sign cert_user_key_rsa"
+	
+		${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
+		    somehost true >/dev/null 2>&1
+		rc=$?
+		if [ "x$result" = "xsuccess" ] ; then
+			if [ $rc -ne 0 ]; then
+				fail "$ident failed unexpectedly"
+			fi
+		else
+			if [ $rc -eq 0 ]; then
+				fail "$ident succeeded unexpectedly"
+			fi
 		fi
-	fi
-	cleanup
+	done
 }
 
-test_one "host-certificate"	failure "-h"
-test_one "empty principals"	success ""
+test_one "correct principal"	success "-n ${USER}"
+test_one "host-certificate"	failure "-n ${USER} -h"
 test_one "wrong principals"	failure "-n foo"
-test_one "cert not yet valid"	failure "-V20200101:20300101"
-test_one "cert expired"		failure "-V19800101:19900101"
-test_one "cert valid interval"	success "-V-1w:+2w"
-test_one "wrong source-address"	failure "-Osource-address=10.0.0.0/8"
-test_one "force-command"	failure "-Oforce-command=false"
+test_one "cert not yet valid"	failure "-n ${USER} -V20200101:20300101"
+test_one "cert expired"		failure "-n ${USER} -V19800101:19900101"
+test_one "cert valid interval"	success "-n ${USER} -V-1w:+2w"
+test_one "wrong source-address"	failure "-n ${USER} -Osource-address=10.0.0.0/8"
+test_one "force-command"	failure "-n ${USER} -Oforce-command=false"
+
+# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
+test_one "empty principals"	success "" authorized_keys
+test_one "empty principals"	failure "" TrustedUserCAKeys
 
 # Wrong certificate
 for ktype in rsa dsa ; do 
@@ -101,3 +173,4 @@ for ktype in rsa dsa ; do
 done
 
 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
+
-- 
cgit v1.2.3