From ad44ca81bea83657d558aaef5a1d789a9032bac3 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Tue, 26 Nov 2019 23:43:10 +0000
Subject: upstream: test FIDO2/U2F key types; ok markus@
OpenBSD-Regress-ID: 367e06d5a260407619b4b113ea0bd7004a435474
---
 regress/keytype.sh | 51 ++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 34 insertions(+), 17 deletions(-)
(limited to 'regress/keytype.sh')
diff --git a/regress/keytype.sh b/regress/keytype.sh
index 13095088e..91c5aca1b 100644
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: keytype.sh,v 1.8 2019/07/23 13:49:14 dtucker Exp $
+# $OpenBSD: keytype.sh,v 1.9 2019/11/26 23:43:10 djm Exp $
 # Placed in the Public Domain.
 tid="login with different key types"
@@ -16,43 +16,60 @@ for i in ${SSH_KEYTYPES}; do ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;; ecdsa-sha2-nistp384) ktypes="$ktypes ecdsa-384" ;; ecdsa-sha2-nistp521) ktypes="$ktypes ecdsa-521" ;; + sk-ssh-ed25519*) ktypes="$ktypes ed25519-sk" ;; + sk-ecdsa-sha2-nistp256*) ktypes="$ktypes ecdsa-sk" ;; esac done for kt in $ktypes; do rm -f $OBJ/key.$kt - bits=`echo ${kt} | awk -F- '{print $2}'` - type=`echo ${kt} | awk -F- '{print $1}'` + xbits=`echo ${kt} | awk -F- '{print $2}'` + xtype=`echo ${kt} | awk -F- '{print $1}'` + case "$kt" in + *sk) type="$kt"; bits="n/a"; bits_arg="";; + *) type=$xtype; bits=$xbits; bits_arg="-b $bits";; + esac verbose "keygen $type, $bits bits" - ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\ + ${SSHKEYGEN} $bits_arg -q -N '' -t $type -f $OBJ/key.$kt || \ fail "ssh-keygen for type $type, $bits bits failed" done +kname_to_ktype() { + case $1 in + dsa-1024) echo ssh-dss;; + ecdsa-256) echo ecdsa-sha2-nistp256;; + ecdsa-384) echo ecdsa-sha2-nistp384;; + ecdsa-521) echo ecdsa-sha2-nistp521;; + ed25519-512) echo ssh-ed25519;; + rsa-*) echo rsa-sha2-512,rsa-sha2-256,ssh-rsa;; + ed25519-sk) echo sk-ssh-ed25519@openssh.com;; + ecdsa-sk) echo sk-ecdsa-sha2-nistp256@openssh.com;; + esac +} + tries="1 2 3" for ut in $ktypes; do - htypes=$ut + user_type=`kname_to_ktype "$ut"` + # SK keys are not supported for hostkeys. 
+ case "$ut" in + *sk) htypes=ed25519-512;; + *) htypes="$ut";; + esac #htypes=$ktypes for ht in $htypes; do - case $ht in - dsa-1024) t=ssh-dss;; - ecdsa-256) t=ecdsa-sha2-nistp256;; - ecdsa-384) t=ecdsa-sha2-nistp384;; - ecdsa-521) t=ecdsa-sha2-nistp521;; - ed25519-512) t=ssh-ed25519;; - rsa-*) t=rsa-sha2-512,rsa-sha2-256,ssh-rsa;; - esac + host_type=`kname_to_ktype "$ht"` trace "ssh connect, userkey $ut, hostkey $ht" ( grep -v HostKey $OBJ/sshd_proxy_bak echo HostKey $OBJ/key.$ht - echo PubkeyAcceptedKeyTypes $t - echo HostKeyAlgorithms $t + echo PubkeyAcceptedKeyTypes $user_type + echo HostKeyAlgorithms $host_type ) > $OBJ/sshd_proxy ( grep -v IdentityFile $OBJ/ssh_proxy_bak echo IdentityFile $OBJ/key.$ut - echo PubkeyAcceptedKeyTypes $t - echo HostKeyAlgorithms $t + echo PubkeyAcceptedKeyTypes $user_type + echo HostKeyAlgorithms $host_type ) > $OBJ/ssh_proxy ( printf 'localhost-with-alias,127.0.0.1,::1 ' -- cgit v1.2.3 From e5b7cf8edca7e843adc125621e1dab14507f430a Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 16 Dec 2019 02:39:05 +0000 Subject: upstream: test security key host keys in addition to user keys OpenBSD-Regress-ID: 9fb45326106669a27e4bf150575c321806e275b1 --- regress/cert-hostkey.sh | 6 +++--- regress/hostkey-agent.sh | 6 +++--- regress/keygen-change.sh | 6 ++---- regress/keyscan.sh | 7 +++---- regress/keytype.sh | 8 ++------ regress/krl.sh | 4 ++-- regress/limit-keytype.sh | 4 ++-- regress/principals-command.sh | 4 ++-- regress/test-exec.sh | 12 +++++------- 9 files changed, 24 insertions(+), 33 deletions(-) (limited to 'regress/keytype.sh') diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 67a9795d0..95d7c176a 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-hostkey.sh,v 1.21 2019/12/11 18:47:14 djm Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.22 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="certified host keys" 
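Review bot: `kname_to_ktype` has no default arm, so a short name it does not know (a future entry added to the `case` over `${SSH_KEYTYPES}` but not to this table) echoes nothing, and the callers then write `PubkeyAcceptedKeyTypes ` and `HostKeyAlgorithms ` with empty values into sshd_proxy and ssh_proxy, failing far from the cause. A guard at each call site would catch this where it happens, e.g. after `user_type=\`kname_to_ktype "$ut"\`` add `[ -n "$user_type" ] || fatal "no key type name for $ut"`, and the same after `host_type=`. The deliberately unquoted `$bits_arg` in the ssh-keygen line reads like a quoting bug to ShellCheck and to the next reader; a comment such as `# unquoted on purpose: empty for SK keys, otherwise splits into "-b <bits>"` would mark it intentional. The `for ut`/`for ht` loops and the `( printf ...` subshell at the end continue outside the hunk.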
@@ -9,7 +9,7 @@ rm -f $OBJ/cert_host_key* $OBJ/host_krl_* # Allow all hostkey/pubkey types, prefer certs for the client rsa=0 types="" -for i in `$SSH -Q key | filter_sk`; do +for i in `$SSH -Q key | maybe_filter_sk`; do if [ -z "$types" ]; then types="$i" continue @@ -70,7 +70,7 @@ touch $OBJ/host_revoked_plain touch $OBJ/host_revoked_cert cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca -PLAIN_TYPES=`$SSH -Q key-plain | filter_sk | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` +PLAIN_TYPES=`echo "$SSH_KEYTYPES" | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh index 7f490e013..d6736e246 100644 --- a/regress/hostkey-agent.sh +++ b/regress/hostkey-agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: hostkey-agent.sh,v 1.10 2019/12/11 18:47:14 djm Exp $ +# $OpenBSD: hostkey-agent.sh,v 1.11 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="hostkey agent" @@ -14,7 +14,7 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig trace "load hostkeys" -for k in `${SSH} -Q key-plain | filter_sk` ; do +for k in $SSH_KEYTYPES ; do ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k" ( printf 'localhost-with-alias,127.0.0.1,::1 ' @@ -31,7 +31,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts unset SSH_AUTH_SOCK for ps in yes; do - for k in `${SSH} -Q key-plain | filter_sk` ; do + for k in $SSH_KEYTYPES ; do verbose "key type $k privsep=$ps" cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy diff --git a/regress/keygen-change.sh b/regress/keygen-change.sh index dd1bfda80..3863e33b5 100644 --- a/regress/keygen-change.sh +++ b/regress/keygen-change.sh 
@@ -1,4 +1,4 @@ -# $OpenBSD: keygen-change.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: keygen-change.sh,v 1.9 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="change passphrase for key" @@ -6,9 +6,7 @@ tid="change passphrase for key" S1="secret1" S2="2secret" -KEYTYPES=`${SSH} -Q key-plain | maybe_filter_sk` - -for t in $KEYTYPES; do +for t in $SSH_KEYTYPES; do trace "generating $t key" rm -f $OBJ/$t-key ${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key diff --git a/regress/keyscan.sh b/regress/keyscan.sh index 0ce0c7410..b8593fede 100644 --- a/regress/keyscan.sh +++ b/regress/keyscan.sh @@ -1,10 +1,9 @@ -# $OpenBSD: keyscan.sh,v 1.11 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: keyscan.sh,v 1.12 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="keyscan" -KEYTYPES=`${SSH} -Q key-plain | filter_sk` -for i in $KEYTYPES; do +for i in $SSH_KEYTYPES; do if [ -z "$algs" ]; then algs="$i" else @@ -15,7 +14,7 @@ echo "HostKeyAlgorithms $algs" >> $OBJ/sshd_config start_sshd -for t in $KEYTYPES; do +for t in $SSH_KEYTYPES; do trace "keyscan type $t" ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \ > /dev/null 2>&1 diff --git a/regress/keytype.sh b/regress/keytype.sh index 91c5aca1b..20a8ceaf2 100644 --- a/regress/keytype.sh +++ b/regress/keytype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keytype.sh,v 1.9 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: keytype.sh,v 1.10 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="login with different key types" @@ -50,11 +50,7 @@ kname_to_ktype() { tries="1 2 3" for ut in $ktypes; do user_type=`kname_to_ktype "$ut"` - # SK keys are not supported for hostkeys. - case "$ut" in - *sk) htypes=ed25519-512;; - *) htypes="$ut";; - esac + htypes="$ut" #htypes=$ktypes for ht in $htypes; do host_type=`kname_to_ktype "$ht"` diff --git a/regress/krl.sh b/regress/krl.sh index 1efd80bfe..c381225ed 100644 --- a/regress/krl.sh +++ b/regress/krl.sh 
@@ -1,4 +1,4 @@ -# $OpenBSD: krl.sh,v 1.10 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: krl.sh,v 1.11 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="key revocation lists" @@ -7,7 +7,7 @@ tid="key revocation lists" # w/out OpenSSL. Populate ktype[2-4] with the other types if supported. ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; -for t in `${SSH} -Q key-plain | maybe_filter_sk`; do +for t in $SSH_KEYTYPES; do case "$t" in ecdsa*) ktype2=ecdsa ;; ssh-rsa) ktype3=rsa ;; diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh index abac05c0c..010a88cd7 100644 --- a/regress/limit-keytype.sh +++ b/regress/limit-keytype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: limit-keytype.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: limit-keytype.sh,v 1.9 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="restrict pubkey type" @@ -13,7 +13,7 @@ mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; -for t in `${SSH} -Q key-plain | maybe_filter_sk`; do +for t in $SSH_KEYTYPES ; do case "$t" in ssh-rsa) ktype2=rsa ;; ecdsa*) ktype3=ecdsa ;; # unused diff --git a/regress/principals-command.sh b/regress/principals-command.sh index 9e85e8e75..5e535c133 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh @@ -1,4 +1,4 @@ -# $OpenBSD: principals-command.sh,v 1.10 2019/12/11 18:47:14 djm Exp $ +# $OpenBSD: principals-command.sh,v 1.11 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="authorized principals command" @@ -12,7 +12,7 @@ if [ -z "$SUDO" -a ! -w /var/run ]; then exit 0 fi -case "`${SSH} -Q key-plain`" in +case "$SSH_KEYTYPES" in *ssh-rsa*) userkeytype=rsa ;; *) userkeytype=ed25519 ;; esac diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 4bf4059fc..03dab2031 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh 
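Review bot: With `for t in $SSH_KEYTYPES; do` the krl.sh loop now also sees `sk-ecdsa-sha2-nistp256@openssh.com` and `sk-ssh-ed25519@openssh.com` whenever SSH_SK_PROVIDER is set, and none of the arms visible in the hunk (`ecdsa*`, `ssh-rsa`) match those names, so ktype2..ktype6 are presumably unchanged by SK support; the identical loop in limit-keytype.sh on this page behaves the same way. If keeping SK keys out of the KRL and restricted-type tests is intentional, a one-line comment above the loop, `# SK key types fall through unmatched; not exercised here`, would save the next reader from checking. The remainder of each `case` is outside the hunk, so I cannot tell whether a catch-all arm exists.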
@@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.68 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: test-exec.sh,v 1.69 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -493,23 +493,21 @@ export SSH_SK_PROVIDER if ! test -z "$SSH_SK_PROVIDER"; then EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)... echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config + echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_config + echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_proxy fi export EXTRA_AGENT_ARGS -filter_sk() { - grep -v ^sk -} - maybe_filter_sk() { if test -z "$SSH_SK_PROVIDER" ; then - filter_sk + grep -v ^sk else cat fi } SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk` -SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | filter_sk` +SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk` for t in ${SSH_KEYTYPES}; do # generate user key -- cgit v1.2.3
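Review bot: `SSH_KEYTYPES` and `SSH_HOSTKEY_TYPES` are now assigned from the very same pipeline, `$SSH -Q key-plain | maybe_filter_sk`, so the second variable no longer carries information of its own and costs an extra ssh invocation; either `SSH_HOSTKEY_TYPES=$SSH_KEYTYPES` or a comment explaining why two names are kept would make the intent clear. Separately, the two added `echo "SecurityKeyProvider $SSH_SK_PROVIDER"` lines append to `$OBJ/sshd_proxy`, but tests earlier on this page (keytype.sh) rebuild sshd_proxy from `$OBJ/sshd_proxy_bak`; whether that backup is taken after this point, so the option survives, is decided outside the hunk, and a short comment here, e.g. `# must run before sshd_proxy is copied to sshd_proxy_bak`, would pin the ordering the change relies on.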