From afa59e26eeb44a93f36f043f60b936eaddae77c4 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 1 Nov 2019 01:55:41 +0000 Subject: upstream: skip security-key key types for tests until we have a dummy U2F middleware to use. OpenBSD-Regress-ID: 37200462b44334a4ad45e6a1f7ad1bd717521a95 --- regress/keygen-change.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'regress/keygen-change.sh') diff --git a/regress/keygen-change.sh b/regress/keygen-change.sh index 8b8acd52f..c62f2c17c 100644 --- a/regress/keygen-change.sh +++ b/regress/keygen-change.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keygen-change.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ +# $OpenBSD: keygen-change.sh,v 1.7 2019/11/01 01:55:41 djm Exp $ # Placed in the Public Domain. tid="change passphrase for key" @@ -6,7 +6,7 @@ tid="change passphrase for key" S1="secret1" S2="2secret" -KEYTYPES=`${SSH} -Q key-plain` +KEYTYPES=`${SSH} -Q key-plain | grep -v ^sk-` for t in $KEYTYPES; do # generate user key for agent -- cgit v1.2.3 From ad44ca81bea83657d558aaef5a1d789a9032bac3 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 26 Nov 2019 23:43:10 +0000 Subject: upstream: test FIDO2/U2F key types; ok markus@ OpenBSD-Regress-ID: 367e06d5a260407619b4b113ea0bd7004a435474 --- regress/agent-getpeereid.sh | 4 ++-- regress/agent-pkcs11.sh | 4 ++-- regress/agent-ptrace.sh | 2 +- regress/agent-timeout.sh | 4 ++-- regress/agent.sh | 10 ++++----- regress/cert-file.sh | 4 ++-- regress/cert-hostkey.sh | 6 ++--- regress/cert-userkey.sh | 10 +++++---- regress/hostkey-agent.sh | 8 +++---- regress/hostkey-rotate.sh | 11 ++++------ regress/keygen-change.sh | 5 ++--- regress/keyscan.sh | 4 ++-- regress/keytype.sh | 51 ++++++++++++++++++++++++++++--------------- regress/krl.sh | 22 ++++++++++++------- regress/limit-keytype.sh | 17 ++++++++++++--- regress/principals-command.sh | 2 +- regress/sshsig.sh | 4 ++-- regress/test-exec.sh | 48 +++++++++++++++++++++++++++++++++++----- 18 files changed, 142 insertions(+), 74 deletions(-) (limited to 'regress/keygen-change.sh') diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh index 769c29e8d..524340816 100644 --- a/regress/agent-getpeereid.sh +++ b/regress/agent-getpeereid.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent-getpeereid.sh,v 1.10 2018/02/09 03:40:22 dtucker Exp $ +# $OpenBSD: agent-getpeereid.sh,v 1.11 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="disallow agent attach from other uid" @@ -26,7 +26,7 @@ case "x$SUDO" in esac trace "start agent" -eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null +eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s -a ${ASOCK}` > /dev/null r=$? if [ $r -ne 0 ]; then fail "could not start ssh-agent: exit code $r" diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh index 5205d9067..fbbaea518 100644 --- a/regress/agent-pkcs11.sh +++ b/regress/agent-pkcs11.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent-pkcs11.sh,v 1.6 2019/01/21 09:13:41 djm Exp $ +# $OpenBSD: agent-pkcs11.sh,v 1.7 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="pkcs11 agent test" @@ -75,7 +75,7 @@ openssl pkcs8 -nocrypt -in $EC |\ softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" --import /dev/stdin trace "start agent" -eval `${SSHAGENT} -s` > /dev/null +eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null r=$? if [ $r -ne 0 ]; then fail "could not start ssh-agent: exit code $r" diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh index 2d795ee32..9cd68d7ec 100644 --- a/regress/agent-ptrace.sh +++ b/regress/agent-ptrace.sh @@ -41,7 +41,7 @@ else fi trace "start agent" -eval `${SSHAGENT} -s` > /dev/null +eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null r=$? if [ $r -ne 0 ]; then fail "could not start ssh-agent: exit code $r" diff --git a/regress/agent-timeout.sh b/regress/agent-timeout.sh index 311c7bcba..6dec09285 100644 --- a/regress/agent-timeout.sh +++ b/regress/agent-timeout.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent-timeout.sh,v 1.5 2019/09/03 08:37:06 djm Exp $ +# $OpenBSD: agent-timeout.sh,v 1.6 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="agent timeout test" @@ -6,7 +6,7 @@ tid="agent timeout test" SSHAGENT_TIMEOUT=10 trace "start agent" -eval `${SSHAGENT} -s` > /dev/null +eval `${SSHAGENT} -s ${EXTRA_AGENT_ARGS}` > /dev/null r=$? if [ $r -ne 0 ]; then fail "could not start ssh-agent: exit code $r" diff --git a/regress/agent.sh b/regress/agent.sh index 48fa12b0e..922d8436e 100644 --- a/regress/agent.sh +++ b/regress/agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent.sh,v 1.15 2019/07/23 07:39:43 dtucker Exp $ +# $OpenBSD: agent.sh,v 1.16 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="simple agent test" @@ -8,8 +8,8 @@ if [ $? -ne 2 ]; then fail "ssh-add -l did not fail with exit code 2" fi -trace "start agent" -eval `${SSHAGENT} -s` > /dev/null +trace "start agent, args ${EXTRA_AGENT_ARGS} -s" +eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null r=$? if [ $r -ne 0 ]; then fatal "could not start ssh-agent: exit code $r" @@ -39,9 +39,9 @@ for t in ${SSH_KEYTYPES}; do # add to authorized keys cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER # add privat key to agent - ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1 + ${SSHADD} $OBJ/$t-agent #> /dev/null 2>&1 if [ $? -ne 0 ]; then - fail "ssh-add did succeed exit code 0" + fail "ssh-add failed exit code $?" fi # Remove private key to ensure that we aren't accidentally using it. rm -f $OBJ/$t-agent diff --git a/regress/cert-file.sh b/regress/cert-file.sh index 1157a3582..94e672a99 100644 --- a/regress/cert-file.sh +++ b/regress/cert-file.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-file.sh,v 1.7 2018/04/10 00:14:10 djm Exp $ +# $OpenBSD: cert-file.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="ssh with certificates" @@ -120,7 +120,7 @@ if [ $? -ne 2 ]; then fi trace "start agent" -eval `${SSHAGENT} -s` > /dev/null +eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null r=$? if [ $r -ne 0 ]; then fatal "could not start ssh-agent: exit code $r" diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 82195b11b..dc40b782a 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-hostkey.sh,v 1.19 2019/11/01 01:55:41 djm Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.20 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="certified host keys" @@ -9,7 +9,7 @@ rm -f $OBJ/cert_host_key* $OBJ/host_krl_* # Allow all hostkey/pubkey types, prefer certs for the client rsa=0 types="" -for i in `$SSH -Q key | grep -v ^sk-`; do +for i in `$SSH -Q key | filter_sk`; do if [ -z "$types" ]; then types="$i" continue @@ -70,7 +70,7 @@ touch $OBJ/host_revoked_plain touch $OBJ/host_revoked_cert cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca -PLAIN_TYPES=`$SSH -Q key-plain | grep -v ^sk- | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` +PLAIN_TYPES=`$SSH -Q key-plain | filter_sk | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 51ac8dcb9..d6e293d57 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.22 2019/11/01 01:55:41 djm Exp $ +# $OpenBSD: cert-userkey.sh,v 1.23 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="certified user keys" @@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak -PLAIN_TYPES=`$SSH -Q key-plain | grep -v ^sk- | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` +PLAIN_TYPES=`$SSH -Q key-plain | maybe_filter_sk | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` EXTRA_TYPES="" rsa="" @@ -17,8 +17,10 @@ if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then fi kname() { - case $ktype in - rsa-sha2-*) n="$ktype" ;; + case $1 in + rsa-sha2-*) n="$1" ;; + sk-ecdsa-*) n="sk-ecdsa" ;; + sk-ssh-ed25519*) n="sk-ssh-ed25519" ;; # subshell because some seds will add a newline *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;; esac diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh index c581c7bfd..af2ed7806 100644 --- a/regress/hostkey-agent.sh +++ b/regress/hostkey-agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: hostkey-agent.sh,v 1.8 2019/11/01 01:55:41 djm Exp $ +# $OpenBSD: hostkey-agent.sh,v 1.9 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="hostkey agent" @@ -6,7 +6,7 @@ tid="hostkey agent" rm -f $OBJ/agent-key.* $OBJ/ssh_proxy.orig $OBJ/known_hosts.orig trace "start agent" -eval `${SSHAGENT} -s` > /dev/null +eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null r=$? [ $r -ne 0 ] && fatal "could not start ssh-agent: exit code $r" @@ -14,7 +14,7 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig trace "load hostkeys" -for k in `${SSH} -Q key-plain | grep -v ^sk-` ; do +for k in `${SSH} -Q key-plain | filter_sk` ; do ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k" ( printf 'localhost-with-alias,127.0.0.1,::1 ' @@ -31,7 +31,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts unset SSH_AUTH_SOCK for ps in no yes; do - for k in `${SSH} -Q key-plain | grep -v ^sk-` ; do + for k in `${SSH} -Q key-plain | filter_sk` ; do verbose "key type $k privsep=$ps" cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy diff --git a/regress/hostkey-rotate.sh b/regress/hostkey-rotate.sh index 707e32908..c3e100c3e 100644 --- a/regress/hostkey-rotate.sh +++ b/regress/hostkey-rotate.sh @@ -1,11 +1,8 @@ -# $OpenBSD: hostkey-rotate.sh,v 1.7 2019/11/01 01:55:41 djm Exp $ +# $OpenBSD: hostkey-rotate.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="hostkey rotate" -# Need full names here since they are used in HostKeyAlgorithms -HOSTKEY_TYPES="`${SSH} -Q key-plain | grep -v ^sk-`" - rm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig @@ -20,7 +17,7 @@ secondary="$primary" trace "prepare hostkeys" nkeys=0 all_algs="" -for k in $HOSTKEY_TYPES; do +for k in $SSH_HOSTKEY_TYPES; do ${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k" echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig nkeys=`expr $nkeys + 1` @@ -67,12 +64,12 @@ verbose "learn additional hostkeys" dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs # Check that other keys learned expect_nkeys $nkeys "learn hostkeys" -for k in $HOSTKEY_TYPES; do +for k in $SSH_HOSTKEY_TYPES; do check_key_present $k || fail "didn't learn keytype $k" done # Check each key type -for k in $HOSTKEY_TYPES; do +for k in $SSH_HOSTKEY_TYPES; do verbose "learn additional hostkeys, type=$k" dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs expect_nkeys $nkeys "learn hostkeys $k" diff --git a/regress/keygen-change.sh b/regress/keygen-change.sh index c62f2c17c..dd1bfda80 100644 --- a/regress/keygen-change.sh +++ b/regress/keygen-change.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keygen-change.sh,v 1.7 2019/11/01 01:55:41 djm Exp $ +# $OpenBSD: keygen-change.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="change passphrase for key" @@ -6,10 +6,9 @@ tid="change passphrase for key" S1="secret1" S2="2secret" -KEYTYPES=`${SSH} -Q key-plain | grep -v ^sk-` +KEYTYPES=`${SSH} -Q key-plain | maybe_filter_sk` for t in $KEYTYPES; do - # generate user key for agent trace "generating $t key" rm -f $OBJ/$t-key ${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key diff --git a/regress/keyscan.sh b/regress/keyscan.sh index 4e16ecd87..0ce0c7410 100644 --- a/regress/keyscan.sh +++ b/regress/keyscan.sh @@ -1,9 +1,9 @@ -# $OpenBSD: keyscan.sh,v 1.10 2019/11/01 01:55:41 djm Exp $ +# $OpenBSD: keyscan.sh,v 1.11 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="keyscan" -KEYTYPES=`${SSH} -Q key-plain | grep -v ^sk-` +KEYTYPES=`${SSH} -Q key-plain | filter_sk` for i in $KEYTYPES; do if [ -z "$algs" ]; then algs="$i" diff --git a/regress/keytype.sh b/regress/keytype.sh index 13095088e..91c5aca1b 100644 --- a/regress/keytype.sh +++ b/regress/keytype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keytype.sh,v 1.8 2019/07/23 13:49:14 dtucker Exp $ +# $OpenBSD: keytype.sh,v 1.9 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="login with different key types" @@ -16,43 +16,60 @@ for i in ${SSH_KEYTYPES}; do ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;; ecdsa-sha2-nistp384) ktypes="$ktypes ecdsa-384" ;; ecdsa-sha2-nistp521) ktypes="$ktypes ecdsa-521" ;; + sk-ssh-ed25519*) ktypes="$ktypes ed25519-sk" ;; + sk-ecdsa-sha2-nistp256*) ktypes="$ktypes ecdsa-sk" ;; esac done for kt in $ktypes; do rm -f $OBJ/key.$kt - bits=`echo ${kt} | awk -F- '{print $2}'` - type=`echo ${kt} | awk -F- '{print $1}'` + xbits=`echo ${kt} | awk -F- '{print $2}'` + xtype=`echo ${kt} | awk -F- '{print $1}'` + case "$kt" in + *sk) type="$kt"; bits="n/a"; bits_arg="";; + *) type=$xtype; bits=$xbits; bits_arg="-b $bits";; + esac verbose "keygen $type, $bits bits" - ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\ + ${SSHKEYGEN} $bits_arg -q -N '' -t $type -f $OBJ/key.$kt || \ fail "ssh-keygen for type $type, $bits bits failed" done +kname_to_ktype() { + case $1 in + dsa-1024) echo ssh-dss;; + ecdsa-256) echo ecdsa-sha2-nistp256;; + ecdsa-384) echo ecdsa-sha2-nistp384;; + ecdsa-521) echo ecdsa-sha2-nistp521;; + ed25519-512) echo ssh-ed25519;; + rsa-*) echo rsa-sha2-512,rsa-sha2-256,ssh-rsa;; + ed25519-sk) echo sk-ssh-ed25519@openssh.com;; + ecdsa-sk) echo sk-ecdsa-sha2-nistp256@openssh.com;; + esac +} + tries="1 2 3" for ut in $ktypes; do - htypes=$ut + user_type=`kname_to_ktype "$ut"` + # SK keys are not supported for hostkeys. + case "$ut" in + *sk) htypes=ed25519-512;; + *) htypes="$ut";; + esac #htypes=$ktypes for ht in $htypes; do - case $ht in - dsa-1024) t=ssh-dss;; - ecdsa-256) t=ecdsa-sha2-nistp256;; - ecdsa-384) t=ecdsa-sha2-nistp384;; - ecdsa-521) t=ecdsa-sha2-nistp521;; - ed25519-512) t=ssh-ed25519;; - rsa-*) t=rsa-sha2-512,rsa-sha2-256,ssh-rsa;; - esac + host_type=`kname_to_ktype "$ht"` trace "ssh connect, userkey $ut, hostkey $ht" ( grep -v HostKey $OBJ/sshd_proxy_bak echo HostKey $OBJ/key.$ht - echo PubkeyAcceptedKeyTypes $t - echo HostKeyAlgorithms $t + echo PubkeyAcceptedKeyTypes $user_type + echo HostKeyAlgorithms $host_type ) > $OBJ/sshd_proxy ( grep -v IdentityFile $OBJ/ssh_proxy_bak echo IdentityFile $OBJ/key.$ut - echo PubkeyAcceptedKeyTypes $t - echo HostKeyAlgorithms $t + echo PubkeyAcceptedKeyTypes $user_type + echo HostKeyAlgorithms $host_type ) > $OBJ/ssh_proxy ( printf 'localhost-with-alias,127.0.0.1,::1 ' diff --git a/regress/krl.sh b/regress/krl.sh index c9b2e67eb..1efd80bfe 100644 --- a/regress/krl.sh +++ b/regress/krl.sh @@ -1,16 +1,19 @@ -# $OpenBSD: krl.sh,v 1.9 2019/11/01 01:55:41 djm Exp $ +# $OpenBSD: krl.sh,v 1.10 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="key revocation lists" # Use ed25519 by default since it's fast and it's supported when building # w/out OpenSSL. Populate ktype[2-4] with the other types if supported. -ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; ktype4=ed25519 -for t in `${SSH} -Q key-plain | grep -v ^sk-`; do +ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; +ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; +for t in `${SSH} -Q key-plain | maybe_filter_sk`; do case "$t" in ecdsa*) ktype2=ecdsa ;; ssh-rsa) ktype3=rsa ;; ssh-dss) ktype4=dsa ;; + sk-ssh-ed25519@openssh.com) ktype5=ed25519-sk ;; + sk-ecdsa-sha2-nistp256@openssh.com) ktype6=ecdsa-sk ;; esac done @@ -34,6 +37,7 @@ serial: 10 serial: 15 serial: 30 serial: 50 +serial: 90 serial: 999 # The following sum to 500-799 serial: 500 @@ -51,7 +55,7 @@ EOF # A specification that revokes some certificated by key ID. touch $OBJ/revoked-keyid -for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do +for n in 1 2 3 4 10 15 30 50 90 `jot 500 300` 999 1000 1001 1002; do test "x$n" = "x499" && continue # Fill in by-ID revocation spec. echo "id: revoked $n" >> $OBJ/revoked-keyid @@ -64,9 +68,11 @@ keygen() { # supported. keytype=$ktype1 case $N in - 2 | 10 | 510 | 1001) keytype=$ktype2 ;; - 4 | 30 | 520 | 1002) keytype=$ktype3 ;; - 8 | 50 | 530 | 1003) keytype=$ktype4 ;; + 2 | 10 | 510 | 1001) keytype=$ktype2 ;; + 4 | 30 | 520 | 1002) keytype=$ktype3 ;; + 8 | 50 | 530 | 1003) keytype=$ktype4 ;; + 16 | 70 | 540 | 1004) keytype=$ktype5 ;; + 32 | 90 | 550 | 1005) keytype=$ktype6 ;; esac $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \ || fatal "$SSHKEYGEN failed" @@ -78,7 +84,7 @@ keygen() { # Generate some keys. verbose "$tid: generating test keys" -REVOKED_SERIALS="1 4 10 50 500 510 520 799 999" +REVOKED_SERIALS="1 4 10 50 90 500 510 520 550 799 999" for n in $REVOKED_SERIALS ; do f=`keygen $n` RKEYS="$RKEYS ${f}.pub" diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh index 6eb255c24..abac05c0c 100644 --- a/regress/limit-keytype.sh +++ b/regress/limit-keytype.sh @@ -1,20 +1,25 @@ -# $OpenBSD: limit-keytype.sh,v 1.7 2019/11/01 01:55:41 djm Exp $ +# $OpenBSD: limit-keytype.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="restrict pubkey type" +# XXX sk-* keys aren't actually tested ATM. + rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/user_key* rm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key* mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig -ktype1=ed25519; ktype2=$ktype1; ktype3=$ktype1; ktype4=$ktype1 -for t in `${SSH} -Q key-plain | grep -v ^sk-`; do +ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; +ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; +for t in `${SSH} -Q key-plain | maybe_filter_sk`; do case "$t" in ssh-rsa) ktype2=rsa ;; ecdsa*) ktype3=ecdsa ;; # unused ssh-dss) ktype4=dsa ;; + sk-ssh-ed25519@openssh.com) ktype5=ed25519-sk ;; + sk-ecdsa-sha2-nistp256@openssh.com) ktype6=ecdsa-sk ;; esac done @@ -31,6 +36,10 @@ ${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/user_key3 || \ fatal "ssh-keygen failed" ${SSHKEYGEN} -q -N '' -t $ktype4 -f $OBJ/user_key4 || \ fatal "ssh-keygen failed" +${SSHKEYGEN} -q -N '' -t $ktype5 -f $OBJ/user_key5 || \ + fatal "ssh-keygen failed" +${SSHKEYGEN} -q -N '' -t $ktype6 -f $OBJ/user_key6 || \ + fatal "ssh-keygen failed" ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ -z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 || fatal "couldn't sign user_key1" @@ -68,6 +77,8 @@ keytype() { ed25519) printf "ssh-ed25519" ;; dsa) printf "ssh-dss" ;; rsa) printf "rsa-sha2-256,rsa-sha2-512,ssh-rsa" ;; + sk-ecdsa) printf "sk-ecdsa-*" ;; + sk-ssh-ed25519) printf "sk-ssh-ed25519-*" ;; esac } diff --git a/regress/principals-command.sh b/regress/principals-command.sh index 005c6b7d6..a91858cbb 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh @@ -12,7 +12,7 @@ if [ -z "$SUDO" -a ! -w /var/run ]; then exit 0 fi -case "`${SSH} -Q key-plain | grep -v ^sk-`" in +case "`${SSH} -Q key-plain`" in *ssh-rsa*) userkeytype=rsa ;; *) userkeytype=ed25519 ;; esac diff --git a/regress/sshsig.sh b/regress/sshsig.sh index eb99486ae..da362c179 100644 --- a/regress/sshsig.sh +++ b/regress/sshsig.sh @@ -1,4 +1,4 @@ -# $OpenBSD: sshsig.sh,v 1.2 2019/10/04 03:39:19 djm Exp $ +# $OpenBSD: sshsig.sh,v 1.3 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="sshsig" @@ -23,7 +23,7 @@ CA_PRIV=$OBJ/sigca-key CA_PUB=$OBJ/sigca-key.pub trace "start agent" -eval `${SSHAGENT} -s` > /dev/null +eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null r=$? if [ $r -ne 0 ]; then fatal "could not start ssh-agent: exit code $r" diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 3f1685bb0..4bf4059fc 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.67 2019/11/01 01:55:41 djm Exp $ +# $OpenBSD: test-exec.sh,v 1.68 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -128,6 +128,12 @@ if [ "x$TEST_SSH_CONCH" != "x" ]; then *) CONCH=`which ${TEST_SSH_CONCH} 2>/dev/null` ;; esac fi +if [ "x$TEST_SSH_PKCS11_HELPER" != "x" ]; then + SSH_PKCS11_HELPER="${TEST_SSH_PKCS11_HELPER}" +fi +if [ "x$TEST_SSH_SK_HELPER" != "x" ]; then + SSH_SK_HELPER="${TEST_SSH_SK_HELPER}" +fi # Path to sshd must be absolute for rexec case "$SSHD" in @@ -252,6 +258,7 @@ increase_datafile_size() # these should be used in tests export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP +export SSH_PKCS11_HELPER SSH_SK_HELPER #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP # Portable specific functions @@ -475,8 +482,35 @@ fi rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER -SSH_KEYTYPES=`$SSH -Q key-plain | grep -v ^sk` +SSH_SK_PROVIDER= +if [ -f "${SRC}/misc/sk-dummy/obj/sk-dummy.so" ] ; then + SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/obj/sk-dummy.so" +elif [ -f "${SRC}/misc/sk-dummy/sk-dummy.so" ] ; then + SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/sk-dummy.so" +fi +export SSH_SK_PROVIDER + +if ! test -z "$SSH_SK_PROVIDER"; then + EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)... + echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config +fi +export EXTRA_AGENT_ARGS + +filter_sk() { + grep -v ^sk +} + +maybe_filter_sk() { + if test -z "$SSH_SK_PROVIDER" ; then + filter_sk + else + cat + fi +} +SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk` +SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | filter_sk` + for t in ${SSH_KEYTYPES}; do # generate user key trace "generating key type $t" @@ -486,16 +520,18 @@ for t in ${SSH_KEYTYPES}; do fail "ssh-keygen for $t failed" fi + # setup authorized keys + cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER + echo IdentityFile $OBJ/$t >> $OBJ/ssh_config +done + +for t in ${SSH_HOSTKEY_TYPES}; do # known hosts file for client ( printf 'localhost-with-alias,127.0.0.1,::1 ' cat $OBJ/$t.pub ) >> $OBJ/known_hosts - # setup authorized keys - cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER - echo IdentityFile $OBJ/$t >> $OBJ/ssh_config - # use key as host key, too $SUDO cp $OBJ/$t $OBJ/host.$t echo HostKey $OBJ/host.$t >> $OBJ/sshd_config -- cgit v1.2.3 From e5b7cf8edca7e843adc125621e1dab14507f430a Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 16 Dec 2019 02:39:05 +0000 Subject: upstream: test security key host keys in addition to user keys OpenBSD-Regress-ID: 9fb45326106669a27e4bf150575c321806e275b1 --- regress/cert-hostkey.sh | 6 +++--- regress/hostkey-agent.sh | 6 +++--- regress/keygen-change.sh | 6 ++---- regress/keyscan.sh | 7 +++---- regress/keytype.sh | 8 ++------ regress/krl.sh | 4 ++-- regress/limit-keytype.sh | 4 ++-- regress/principals-command.sh | 4 ++-- regress/test-exec.sh | 12 +++++------- 9 files changed, 24 insertions(+), 33 deletions(-) (limited to 'regress/keygen-change.sh') diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 67a9795d0..95d7c176a 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-hostkey.sh,v 1.21 2019/12/11 18:47:14 djm Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.22 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="certified host keys" @@ -9,7 +9,7 @@ rm -f $OBJ/cert_host_key* $OBJ/host_krl_* # Allow all hostkey/pubkey types, prefer certs for the client rsa=0 types="" -for i in `$SSH -Q key | filter_sk`; do +for i in `$SSH -Q key | maybe_filter_sk`; do if [ -z "$types" ]; then types="$i" continue @@ -70,7 +70,7 @@ touch $OBJ/host_revoked_plain touch $OBJ/host_revoked_cert cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca -PLAIN_TYPES=`$SSH -Q key-plain | filter_sk | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` +PLAIN_TYPES=`echo "$SSH_KEYTYPES" | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh index 7f490e013..d6736e246 100644 --- a/regress/hostkey-agent.sh +++ b/regress/hostkey-agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: hostkey-agent.sh,v 1.10 2019/12/11 18:47:14 djm Exp $ +# $OpenBSD: hostkey-agent.sh,v 1.11 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="hostkey agent" @@ -14,7 +14,7 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig trace "load hostkeys" -for k in `${SSH} -Q key-plain | filter_sk` ; do +for k in $SSH_KEYTYPES ; do ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k" ( printf 'localhost-with-alias,127.0.0.1,::1 ' @@ -31,7 +31,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts unset SSH_AUTH_SOCK for ps in yes; do - for k in `${SSH} -Q key-plain | filter_sk` ; do + for k in $SSH_KEYTYPES ; do verbose "key type $k privsep=$ps" cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy diff --git a/regress/keygen-change.sh b/regress/keygen-change.sh index dd1bfda80..3863e33b5 100644 --- a/regress/keygen-change.sh +++ b/regress/keygen-change.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keygen-change.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: keygen-change.sh,v 1.9 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="change passphrase for key" @@ -6,9 +6,7 @@ tid="change passphrase for key" S1="secret1" S2="2secret" -KEYTYPES=`${SSH} -Q key-plain | maybe_filter_sk` - -for t in $KEYTYPES; do +for t in $SSH_KEYTYPES; do trace "generating $t key" rm -f $OBJ/$t-key ${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key diff --git a/regress/keyscan.sh b/regress/keyscan.sh index 0ce0c7410..b8593fede 100644 --- a/regress/keyscan.sh +++ b/regress/keyscan.sh @@ -1,10 +1,9 @@ -# $OpenBSD: keyscan.sh,v 1.11 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: keyscan.sh,v 1.12 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="keyscan" -KEYTYPES=`${SSH} -Q key-plain | filter_sk` -for i in $KEYTYPES; do +for i in $SSH_KEYTYPES; do if [ -z "$algs" ]; then algs="$i" else @@ -15,7 +14,7 @@ echo "HostKeyAlgorithms $algs" >> $OBJ/sshd_config start_sshd -for t in $KEYTYPES; do +for t in $SSH_KEYTYPES; do trace "keyscan type $t" ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \ > /dev/null 2>&1 diff --git a/regress/keytype.sh b/regress/keytype.sh index 91c5aca1b..20a8ceaf2 100644 --- a/regress/keytype.sh +++ b/regress/keytype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keytype.sh,v 1.9 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: keytype.sh,v 1.10 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="login with different key types" @@ -50,11 +50,7 @@ kname_to_ktype() { tries="1 2 3" for ut in $ktypes; do user_type=`kname_to_ktype "$ut"` - # SK keys are not supported for hostkeys. - case "$ut" in - *sk) htypes=ed25519-512;; - *) htypes="$ut";; - esac + htypes="$ut" #htypes=$ktypes for ht in $htypes; do host_type=`kname_to_ktype "$ht"` diff --git a/regress/krl.sh b/regress/krl.sh index 1efd80bfe..c381225ed 100644 --- a/regress/krl.sh +++ b/regress/krl.sh @@ -1,4 +1,4 @@ -# $OpenBSD: krl.sh,v 1.10 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: krl.sh,v 1.11 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="key revocation lists" @@ -7,7 +7,7 @@ tid="key revocation lists" # w/out OpenSSL. Populate ktype[2-4] with the other types if supported. ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; -for t in `${SSH} -Q key-plain | maybe_filter_sk`; do +for t in $SSH_KEYTYPES; do case "$t" in ecdsa*) ktype2=ecdsa ;; ssh-rsa) ktype3=rsa ;; diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh index abac05c0c..010a88cd7 100644 --- a/regress/limit-keytype.sh +++ b/regress/limit-keytype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: limit-keytype.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: limit-keytype.sh,v 1.9 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="restrict pubkey type" @@ -13,7 +13,7 @@ mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; -for t in `${SSH} -Q key-plain | maybe_filter_sk`; do +for t in $SSH_KEYTYPES ; do case "$t" in ssh-rsa) ktype2=rsa ;; ecdsa*) ktype3=ecdsa ;; # unused diff --git a/regress/principals-command.sh b/regress/principals-command.sh index 9e85e8e75..5e535c133 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh @@ -1,4 +1,4 @@ -# $OpenBSD: principals-command.sh,v 1.10 2019/12/11 18:47:14 djm Exp $ +# $OpenBSD: principals-command.sh,v 1.11 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="authorized principals command" @@ -12,7 +12,7 @@ if [ -z "$SUDO" -a ! -w /var/run ]; then exit 0 fi -case "`${SSH} -Q key-plain`" in +case "$SSH_KEYTYPES" in *ssh-rsa*) userkeytype=rsa ;; *) userkeytype=ed25519 ;; esac diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 4bf4059fc..03dab2031 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.68 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: test-exec.sh,v 1.69 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -493,23 +493,21 @@ export SSH_SK_PROVIDER if ! test -z "$SSH_SK_PROVIDER"; then EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)... echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config + echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_config + echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_proxy fi export EXTRA_AGENT_ARGS -filter_sk() { - grep -v ^sk -} - maybe_filter_sk() { if test -z "$SSH_SK_PROVIDER" ; then - filter_sk + grep -v ^sk else cat fi } SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk` -SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | filter_sk` +SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk` for t in ${SSH_KEYTYPES}; do # generate user key -- cgit v1.2.3