From afa59e26eeb44a93f36f043f60b936eaddae77c4 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 1 Nov 2019 01:55:41 +0000 Subject: upstream: skip security-key key types for tests until we have a dummy U2F middleware to use. OpenBSD-Regress-ID: 37200462b44334a4ad45e6a1f7ad1bd717521a95 --- regress/test-exec.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'regress/test-exec.sh') diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 508b93284..3f1685bb0 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.66 2019/07/05 04:12:46 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.67 2019/11/01 01:55:41 djm Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -475,7 +475,7 @@ fi rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER -SSH_KEYTYPES=`$SSH -Q key-plain` +SSH_KEYTYPES=`$SSH -Q key-plain | grep -v ^sk` for t in ${SSH_KEYTYPES}; do # generate user key -- cgit v1.2.3 From ad44ca81bea83657d558aaef5a1d789a9032bac3 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 26 Nov 2019 23:43:10 +0000 Subject: upstream: test FIDO2/U2F key types; ok markus@ OpenBSD-Regress-ID: 367e06d5a260407619b4b113ea0bd7004a435474 --- regress/agent-getpeereid.sh | 4 ++-- regress/agent-pkcs11.sh | 4 ++-- regress/agent-ptrace.sh | 2 +- regress/agent-timeout.sh | 4 ++-- regress/agent.sh | 10 ++++----- regress/cert-file.sh | 4 ++-- regress/cert-hostkey.sh | 6 ++--- regress/cert-userkey.sh | 10 +++++---- regress/hostkey-agent.sh | 8 +++---- regress/hostkey-rotate.sh | 11 ++++------ regress/keygen-change.sh | 5 ++--- regress/keyscan.sh | 4 ++-- regress/keytype.sh | 51 ++++++++++++++++++++++++++++--------------- regress/krl.sh | 22 ++++++++++++------- regress/limit-keytype.sh | 17 ++++++++++++--- regress/principals-command.sh | 2 +- regress/sshsig.sh | 4 ++-- regress/test-exec.sh | 48 +++++++++++++++++++++++++++++++++++----- 18 files changed, 142 insertions(+), 74 deletions(-) (limited to 'regress/test-exec.sh') diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh index 769c29e8d..524340816 100644 --- a/regress/agent-getpeereid.sh +++ b/regress/agent-getpeereid.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent-getpeereid.sh,v 1.10 2018/02/09 03:40:22 dtucker Exp $ +# $OpenBSD: agent-getpeereid.sh,v 1.11 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="disallow agent attach from other uid" @@ -26,7 +26,7 @@ case "x$SUDO" in esac trace "start agent" -eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null +eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s -a ${ASOCK}` > /dev/null r=$? if [ $r -ne 0 ]; then fail "could not start ssh-agent: exit code $r" diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh index 5205d9067..fbbaea518 100644 --- a/regress/agent-pkcs11.sh +++ b/regress/agent-pkcs11.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent-pkcs11.sh,v 1.6 2019/01/21 09:13:41 djm Exp $ +# $OpenBSD: agent-pkcs11.sh,v 1.7 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="pkcs11 agent test" @@ -75,7 +75,7 @@ openssl pkcs8 -nocrypt -in $EC |\ softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" --import /dev/stdin trace "start agent" -eval `${SSHAGENT} -s` > /dev/null +eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null r=$? if [ $r -ne 0 ]; then fail "could not start ssh-agent: exit code $r" diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh index 2d795ee32..9cd68d7ec 100644 --- a/regress/agent-ptrace.sh +++ b/regress/agent-ptrace.sh @@ -41,7 +41,7 @@ else fi trace "start agent" -eval `${SSHAGENT} -s` > /dev/null +eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null r=$? if [ $r -ne 0 ]; then fail "could not start ssh-agent: exit code $r" diff --git a/regress/agent-timeout.sh b/regress/agent-timeout.sh index 311c7bcba..6dec09285 100644 --- a/regress/agent-timeout.sh +++ b/regress/agent-timeout.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent-timeout.sh,v 1.5 2019/09/03 08:37:06 djm Exp $ +# $OpenBSD: agent-timeout.sh,v 1.6 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="agent timeout test" @@ -6,7 +6,7 @@ tid="agent timeout test" SSHAGENT_TIMEOUT=10 trace "start agent" -eval `${SSHAGENT} -s` > /dev/null +eval `${SSHAGENT} -s ${EXTRA_AGENT_ARGS}` > /dev/null r=$? if [ $r -ne 0 ]; then fail "could not start ssh-agent: exit code $r" diff --git a/regress/agent.sh b/regress/agent.sh index 48fa12b0e..922d8436e 100644 --- a/regress/agent.sh +++ b/regress/agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent.sh,v 1.15 2019/07/23 07:39:43 dtucker Exp $ +# $OpenBSD: agent.sh,v 1.16 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="simple agent test" @@ -8,8 +8,8 @@ if [ $? -ne 2 ]; then fail "ssh-add -l did not fail with exit code 2" fi -trace "start agent" -eval `${SSHAGENT} -s` > /dev/null +trace "start agent, args ${EXTRA_AGENT_ARGS} -s" +eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null r=$? if [ $r -ne 0 ]; then fatal "could not start ssh-agent: exit code $r" @@ -39,9 +39,9 @@ for t in ${SSH_KEYTYPES}; do # add to authorized keys cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER # add privat key to agent - ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1 + ${SSHADD} $OBJ/$t-agent #> /dev/null 2>&1 if [ $? -ne 0 ]; then - fail "ssh-add did succeed exit code 0" + fail "ssh-add failed exit code $?" fi # Remove private key to ensure that we aren't accidentally using it. rm -f $OBJ/$t-agent diff --git a/regress/cert-file.sh b/regress/cert-file.sh index 1157a3582..94e672a99 100644 --- a/regress/cert-file.sh +++ b/regress/cert-file.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-file.sh,v 1.7 2018/04/10 00:14:10 djm Exp $ +# $OpenBSD: cert-file.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="ssh with certificates" @@ -120,7 +120,7 @@ if [ $? -ne 2 ]; then fi trace "start agent" -eval `${SSHAGENT} -s` > /dev/null +eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null r=$? if [ $r -ne 0 ]; then fatal "could not start ssh-agent: exit code $r" diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 82195b11b..dc40b782a 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-hostkey.sh,v 1.19 2019/11/01 01:55:41 djm Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.20 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="certified host keys" @@ -9,7 +9,7 @@ rm -f $OBJ/cert_host_key* $OBJ/host_krl_* # Allow all hostkey/pubkey types, prefer certs for the client rsa=0 types="" -for i in `$SSH -Q key | grep -v ^sk-`; do +for i in `$SSH -Q key | filter_sk`; do if [ -z "$types" ]; then types="$i" continue @@ -70,7 +70,7 @@ touch $OBJ/host_revoked_plain touch $OBJ/host_revoked_cert cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca -PLAIN_TYPES=`$SSH -Q key-plain | grep -v ^sk- | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` +PLAIN_TYPES=`$SSH -Q key-plain | filter_sk | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 51ac8dcb9..d6e293d57 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.22 2019/11/01 01:55:41 djm Exp $ +# $OpenBSD: cert-userkey.sh,v 1.23 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="certified user keys" @@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak -PLAIN_TYPES=`$SSH -Q key-plain | grep -v ^sk- | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` +PLAIN_TYPES=`$SSH -Q key-plain | maybe_filter_sk | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` EXTRA_TYPES="" rsa="" @@ -17,8 +17,10 @@ if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then fi kname() { - case $ktype in - rsa-sha2-*) n="$ktype" ;; + case $1 in + rsa-sha2-*) n="$1" ;; + sk-ecdsa-*) n="sk-ecdsa" ;; + sk-ssh-ed25519*) n="sk-ssh-ed25519" ;; # subshell because some seds will add a newline *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;; esac diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh index c581c7bfd..af2ed7806 100644 --- a/regress/hostkey-agent.sh +++ b/regress/hostkey-agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: hostkey-agent.sh,v 1.8 2019/11/01 01:55:41 djm Exp $ +# $OpenBSD: hostkey-agent.sh,v 1.9 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="hostkey agent" @@ -6,7 +6,7 @@ tid="hostkey agent" rm -f $OBJ/agent-key.* $OBJ/ssh_proxy.orig $OBJ/known_hosts.orig trace "start agent" -eval `${SSHAGENT} -s` > /dev/null +eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null r=$? [ $r -ne 0 ] && fatal "could not start ssh-agent: exit code $r" @@ -14,7 +14,7 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig trace "load hostkeys" -for k in `${SSH} -Q key-plain | grep -v ^sk-` ; do +for k in `${SSH} -Q key-plain | filter_sk` ; do ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k" ( printf 'localhost-with-alias,127.0.0.1,::1 ' @@ -31,7 +31,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts unset SSH_AUTH_SOCK for ps in no yes; do - for k in `${SSH} -Q key-plain | grep -v ^sk-` ; do + for k in `${SSH} -Q key-plain | filter_sk` ; do verbose "key type $k privsep=$ps" cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy diff --git a/regress/hostkey-rotate.sh b/regress/hostkey-rotate.sh index 707e32908..c3e100c3e 100644 --- a/regress/hostkey-rotate.sh +++ b/regress/hostkey-rotate.sh @@ -1,11 +1,8 @@ -# $OpenBSD: hostkey-rotate.sh,v 1.7 2019/11/01 01:55:41 djm Exp $ +# $OpenBSD: hostkey-rotate.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="hostkey rotate" -# Need full names here since they are used in HostKeyAlgorithms -HOSTKEY_TYPES="`${SSH} -Q key-plain | grep -v ^sk-`" - rm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig @@ -20,7 +17,7 @@ secondary="$primary" trace "prepare hostkeys" nkeys=0 all_algs="" -for k in $HOSTKEY_TYPES; do +for k in $SSH_HOSTKEY_TYPES; do ${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k" echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig nkeys=`expr $nkeys + 1` @@ -67,12 +64,12 @@ verbose "learn additional hostkeys" dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs # Check that other keys learned expect_nkeys $nkeys "learn hostkeys" -for k in $HOSTKEY_TYPES; do +for k in $SSH_HOSTKEY_TYPES; do check_key_present $k || fail "didn't learn keytype $k" done # Check each key type -for k in $HOSTKEY_TYPES; do +for k in $SSH_HOSTKEY_TYPES; do verbose "learn additional hostkeys, type=$k" dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs expect_nkeys $nkeys "learn hostkeys $k" diff --git a/regress/keygen-change.sh b/regress/keygen-change.sh index c62f2c17c..dd1bfda80 100644 --- a/regress/keygen-change.sh +++ b/regress/keygen-change.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keygen-change.sh,v 1.7 2019/11/01 01:55:41 djm Exp $ +# $OpenBSD: keygen-change.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="change passphrase for key" @@ -6,10 +6,9 @@ tid="change passphrase for key" S1="secret1" S2="2secret" -KEYTYPES=`${SSH} -Q key-plain | grep -v ^sk-` +KEYTYPES=`${SSH} -Q key-plain | maybe_filter_sk` for t in $KEYTYPES; do - # generate user key for agent trace "generating $t key" rm -f $OBJ/$t-key ${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key diff --git a/regress/keyscan.sh b/regress/keyscan.sh index 4e16ecd87..0ce0c7410 100644 --- a/regress/keyscan.sh +++ b/regress/keyscan.sh @@ -1,9 +1,9 @@ -# $OpenBSD: keyscan.sh,v 1.10 2019/11/01 01:55:41 djm Exp $ +# $OpenBSD: keyscan.sh,v 1.11 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="keyscan" -KEYTYPES=`${SSH} -Q key-plain | grep -v ^sk-` +KEYTYPES=`${SSH} -Q key-plain | filter_sk` for i in $KEYTYPES; do if [ -z "$algs" ]; then algs="$i" diff --git a/regress/keytype.sh b/regress/keytype.sh index 13095088e..91c5aca1b 100644 --- a/regress/keytype.sh +++ b/regress/keytype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keytype.sh,v 1.8 2019/07/23 13:49:14 dtucker Exp $ +# $OpenBSD: keytype.sh,v 1.9 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="login with different key types" @@ -16,43 +16,60 @@ for i in ${SSH_KEYTYPES}; do ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;; ecdsa-sha2-nistp384) ktypes="$ktypes ecdsa-384" ;; ecdsa-sha2-nistp521) ktypes="$ktypes ecdsa-521" ;; + sk-ssh-ed25519*) ktypes="$ktypes ed25519-sk" ;; + sk-ecdsa-sha2-nistp256*) ktypes="$ktypes ecdsa-sk" ;; esac done for kt in $ktypes; do rm -f $OBJ/key.$kt - bits=`echo ${kt} | awk -F- '{print $2}'` - type=`echo ${kt} | awk -F- '{print $1}'` + xbits=`echo ${kt} | awk -F- '{print $2}'` + xtype=`echo ${kt} | awk -F- '{print $1}'` + case "$kt" in + *sk) type="$kt"; bits="n/a"; bits_arg="";; + *) type=$xtype; bits=$xbits; bits_arg="-b $bits";; + esac verbose "keygen $type, $bits bits" - ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\ + ${SSHKEYGEN} $bits_arg -q -N '' -t $type -f $OBJ/key.$kt || \ fail "ssh-keygen for type $type, $bits bits failed" done +kname_to_ktype() { + case $1 in + dsa-1024) echo ssh-dss;; + ecdsa-256) echo ecdsa-sha2-nistp256;; + ecdsa-384) echo ecdsa-sha2-nistp384;; + ecdsa-521) echo ecdsa-sha2-nistp521;; + ed25519-512) echo ssh-ed25519;; + rsa-*) echo rsa-sha2-512,rsa-sha2-256,ssh-rsa;; + ed25519-sk) echo sk-ssh-ed25519@openssh.com;; + ecdsa-sk) echo sk-ecdsa-sha2-nistp256@openssh.com;; + esac +} + tries="1 2 3" for ut in $ktypes; do - htypes=$ut + user_type=`kname_to_ktype "$ut"` + # SK keys are not supported for hostkeys. + case "$ut" in + *sk) htypes=ed25519-512;; + *) htypes="$ut";; + esac #htypes=$ktypes for ht in $htypes; do - case $ht in - dsa-1024) t=ssh-dss;; - ecdsa-256) t=ecdsa-sha2-nistp256;; - ecdsa-384) t=ecdsa-sha2-nistp384;; - ecdsa-521) t=ecdsa-sha2-nistp521;; - ed25519-512) t=ssh-ed25519;; - rsa-*) t=rsa-sha2-512,rsa-sha2-256,ssh-rsa;; - esac + host_type=`kname_to_ktype "$ht"` trace "ssh connect, userkey $ut, hostkey $ht" ( grep -v HostKey $OBJ/sshd_proxy_bak echo HostKey $OBJ/key.$ht - echo PubkeyAcceptedKeyTypes $t - echo HostKeyAlgorithms $t + echo PubkeyAcceptedKeyTypes $user_type + echo HostKeyAlgorithms $host_type ) > $OBJ/sshd_proxy ( grep -v IdentityFile $OBJ/ssh_proxy_bak echo IdentityFile $OBJ/key.$ut - echo PubkeyAcceptedKeyTypes $t - echo HostKeyAlgorithms $t + echo PubkeyAcceptedKeyTypes $user_type + echo HostKeyAlgorithms $host_type ) > $OBJ/ssh_proxy ( printf 'localhost-with-alias,127.0.0.1,::1 ' diff --git a/regress/krl.sh b/regress/krl.sh index c9b2e67eb..1efd80bfe 100644 --- a/regress/krl.sh +++ b/regress/krl.sh @@ -1,16 +1,19 @@ -# $OpenBSD: krl.sh,v 1.9 2019/11/01 01:55:41 djm Exp $ +# $OpenBSD: krl.sh,v 1.10 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="key revocation lists" # Use ed25519 by default since it's fast and it's supported when building # w/out OpenSSL. Populate ktype[2-4] with the other types if supported. -ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; ktype4=ed25519 -for t in `${SSH} -Q key-plain | grep -v ^sk-`; do +ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; +ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; +for t in `${SSH} -Q key-plain | maybe_filter_sk`; do case "$t" in ecdsa*) ktype2=ecdsa ;; ssh-rsa) ktype3=rsa ;; ssh-dss) ktype4=dsa ;; + sk-ssh-ed25519@openssh.com) ktype5=ed25519-sk ;; + sk-ecdsa-sha2-nistp256@openssh.com) ktype6=ecdsa-sk ;; esac done @@ -34,6 +37,7 @@ serial: 10 serial: 15 serial: 30 serial: 50 +serial: 90 serial: 999 # The following sum to 500-799 serial: 500 @@ -51,7 +55,7 @@ EOF # A specification that revokes some certificated by key ID. touch $OBJ/revoked-keyid -for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do +for n in 1 2 3 4 10 15 30 50 90 `jot 500 300` 999 1000 1001 1002; do test "x$n" = "x499" && continue # Fill in by-ID revocation spec. echo "id: revoked $n" >> $OBJ/revoked-keyid @@ -64,9 +68,11 @@ keygen() { # supported. keytype=$ktype1 case $N in - 2 | 10 | 510 | 1001) keytype=$ktype2 ;; - 4 | 30 | 520 | 1002) keytype=$ktype3 ;; - 8 | 50 | 530 | 1003) keytype=$ktype4 ;; + 2 | 10 | 510 | 1001) keytype=$ktype2 ;; + 4 | 30 | 520 | 1002) keytype=$ktype3 ;; + 8 | 50 | 530 | 1003) keytype=$ktype4 ;; + 16 | 70 | 540 | 1004) keytype=$ktype5 ;; + 32 | 90 | 550 | 1005) keytype=$ktype6 ;; esac $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \ || fatal "$SSHKEYGEN failed" @@ -78,7 +84,7 @@ keygen() { # Generate some keys. verbose "$tid: generating test keys" -REVOKED_SERIALS="1 4 10 50 500 510 520 799 999" +REVOKED_SERIALS="1 4 10 50 90 500 510 520 550 799 999" for n in $REVOKED_SERIALS ; do f=`keygen $n` RKEYS="$RKEYS ${f}.pub" diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh index 6eb255c24..abac05c0c 100644 --- a/regress/limit-keytype.sh +++ b/regress/limit-keytype.sh @@ -1,20 +1,25 @@ -# $OpenBSD: limit-keytype.sh,v 1.7 2019/11/01 01:55:41 djm Exp $ +# $OpenBSD: limit-keytype.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="restrict pubkey type" +# XXX sk-* keys aren't actually tested ATM. + rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/user_key* rm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key* mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig -ktype1=ed25519; ktype2=$ktype1; ktype3=$ktype1; ktype4=$ktype1 -for t in `${SSH} -Q key-plain | grep -v ^sk-`; do +ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; +ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; +for t in `${SSH} -Q key-plain | maybe_filter_sk`; do case "$t" in ssh-rsa) ktype2=rsa ;; ecdsa*) ktype3=ecdsa ;; # unused ssh-dss) ktype4=dsa ;; + sk-ssh-ed25519@openssh.com) ktype5=ed25519-sk ;; + sk-ecdsa-sha2-nistp256@openssh.com) ktype6=ecdsa-sk ;; esac done @@ -31,6 +36,10 @@ ${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/user_key3 || \ fatal "ssh-keygen failed" ${SSHKEYGEN} -q -N '' -t $ktype4 -f $OBJ/user_key4 || \ fatal "ssh-keygen failed" +${SSHKEYGEN} -q -N '' -t $ktype5 -f $OBJ/user_key5 || \ + fatal "ssh-keygen failed" +${SSHKEYGEN} -q -N '' -t $ktype6 -f $OBJ/user_key6 || \ + fatal "ssh-keygen failed" ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ -z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 || fatal "couldn't sign user_key1" @@ -68,6 +77,8 @@ keytype() { ed25519) printf "ssh-ed25519" ;; dsa) printf "ssh-dss" ;; rsa) printf "rsa-sha2-256,rsa-sha2-512,ssh-rsa" ;; + sk-ecdsa) printf "sk-ecdsa-*" ;; + sk-ssh-ed25519) printf "sk-ssh-ed25519-*" ;; esac } diff --git a/regress/principals-command.sh b/regress/principals-command.sh index 005c6b7d6..a91858cbb 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh @@ -12,7 +12,7 @@ if [ -z "$SUDO" -a ! -w /var/run ]; then exit 0 fi -case "`${SSH} -Q key-plain | grep -v ^sk-`" in +case "`${SSH} -Q key-plain`" in *ssh-rsa*) userkeytype=rsa ;; *) userkeytype=ed25519 ;; esac diff --git a/regress/sshsig.sh b/regress/sshsig.sh index eb99486ae..da362c179 100644 --- a/regress/sshsig.sh +++ b/regress/sshsig.sh @@ -1,4 +1,4 @@ -# $OpenBSD: sshsig.sh,v 1.2 2019/10/04 03:39:19 djm Exp $ +# $OpenBSD: sshsig.sh,v 1.3 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. tid="sshsig" @@ -23,7 +23,7 @@ CA_PRIV=$OBJ/sigca-key CA_PUB=$OBJ/sigca-key.pub trace "start agent" -eval `${SSHAGENT} -s` > /dev/null +eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null r=$? if [ $r -ne 0 ]; then fatal "could not start ssh-agent: exit code $r" diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 3f1685bb0..4bf4059fc 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.67 2019/11/01 01:55:41 djm Exp $ +# $OpenBSD: test-exec.sh,v 1.68 2019/11/26 23:43:10 djm Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -128,6 +128,12 @@ if [ "x$TEST_SSH_CONCH" != "x" ]; then *) CONCH=`which ${TEST_SSH_CONCH} 2>/dev/null` ;; esac fi +if [ "x$TEST_SSH_PKCS11_HELPER" != "x" ]; then + SSH_PKCS11_HELPER="${TEST_SSH_PKCS11_HELPER}" +fi +if [ "x$TEST_SSH_SK_HELPER" != "x" ]; then + SSH_SK_HELPER="${TEST_SSH_SK_HELPER}" +fi # Path to sshd must be absolute for rexec case "$SSHD" in @@ -252,6 +258,7 @@ increase_datafile_size() # these should be used in tests export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP +export SSH_PKCS11_HELPER SSH_SK_HELPER #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP # Portable specific functions @@ -475,8 +482,35 @@ fi rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER -SSH_KEYTYPES=`$SSH -Q key-plain | grep -v ^sk` +SSH_SK_PROVIDER= +if [ -f "${SRC}/misc/sk-dummy/obj/sk-dummy.so" ] ; then + SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/obj/sk-dummy.so" +elif [ -f "${SRC}/misc/sk-dummy/sk-dummy.so" ] ; then + SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/sk-dummy.so" +fi +export SSH_SK_PROVIDER + +if ! test -z "$SSH_SK_PROVIDER"; then + EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)... + echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config +fi +export EXTRA_AGENT_ARGS + +filter_sk() { + grep -v ^sk +} + +maybe_filter_sk() { + if test -z "$SSH_SK_PROVIDER" ; then + filter_sk + else + cat + fi +} +SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk` +SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | filter_sk` + for t in ${SSH_KEYTYPES}; do # generate user key trace "generating key type $t" @@ -486,16 +520,18 @@ for t in ${SSH_KEYTYPES}; do fail "ssh-keygen for $t failed" fi + # setup authorized keys + cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER + echo IdentityFile $OBJ/$t >> $OBJ/ssh_config +done + +for t in ${SSH_HOSTKEY_TYPES}; do # known hosts file for client ( printf 'localhost-with-alias,127.0.0.1,::1 ' cat $OBJ/$t.pub ) >> $OBJ/known_hosts - # setup authorized keys - cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER - echo IdentityFile $OBJ/$t >> $OBJ/ssh_config - # use key as host key, too $SUDO cp $OBJ/$t $OBJ/host.$t echo HostKey $OBJ/host.$t >> $OBJ/sshd_config -- cgit v1.2.3 From e5b7cf8edca7e843adc125621e1dab14507f430a Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 16 Dec 2019 02:39:05 +0000 Subject: upstream: test security key host keys in addition to user keys OpenBSD-Regress-ID: 9fb45326106669a27e4bf150575c321806e275b1 --- regress/cert-hostkey.sh | 6 +++--- regress/hostkey-agent.sh | 6 +++--- regress/keygen-change.sh | 6 ++---- regress/keyscan.sh | 7 +++---- regress/keytype.sh | 8 ++------ regress/krl.sh | 4 ++-- regress/limit-keytype.sh | 4 ++-- regress/principals-command.sh | 4 ++-- regress/test-exec.sh | 12 +++++------- 9 files changed, 24 insertions(+), 33 deletions(-) (limited to 'regress/test-exec.sh') diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 67a9795d0..95d7c176a 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-hostkey.sh,v 1.21 2019/12/11 18:47:14 djm Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.22 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="certified host keys" @@ -9,7 +9,7 @@ rm -f $OBJ/cert_host_key* $OBJ/host_krl_* # Allow all hostkey/pubkey types, prefer certs for the client rsa=0 types="" -for i in `$SSH -Q key | filter_sk`; do +for i in `$SSH -Q key | maybe_filter_sk`; do if [ -z "$types" ]; then types="$i" continue @@ -70,7 +70,7 @@ touch $OBJ/host_revoked_plain touch $OBJ/host_revoked_cert cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca -PLAIN_TYPES=`$SSH -Q key-plain | filter_sk | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` +PLAIN_TYPES=`echo "$SSH_KEYTYPES" | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh index 7f490e013..d6736e246 100644 --- a/regress/hostkey-agent.sh +++ b/regress/hostkey-agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: hostkey-agent.sh,v 1.10 2019/12/11 18:47:14 djm Exp $ +# $OpenBSD: hostkey-agent.sh,v 1.11 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="hostkey agent" @@ -14,7 +14,7 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig trace "load hostkeys" -for k in `${SSH} -Q key-plain | filter_sk` ; do +for k in $SSH_KEYTYPES ; do ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k" ( printf 'localhost-with-alias,127.0.0.1,::1 ' @@ -31,7 +31,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts unset SSH_AUTH_SOCK for ps in yes; do - for k in `${SSH} -Q key-plain | filter_sk` ; do + for k in $SSH_KEYTYPES ; do verbose "key type $k privsep=$ps" cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy diff --git a/regress/keygen-change.sh b/regress/keygen-change.sh index dd1bfda80..3863e33b5 100644 --- a/regress/keygen-change.sh +++ b/regress/keygen-change.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keygen-change.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: keygen-change.sh,v 1.9 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="change passphrase for key" @@ -6,9 +6,7 @@ tid="change passphrase for key" S1="secret1" S2="2secret" -KEYTYPES=`${SSH} -Q key-plain | maybe_filter_sk` - -for t in $KEYTYPES; do +for t in $SSH_KEYTYPES; do trace "generating $t key" rm -f $OBJ/$t-key ${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key diff --git a/regress/keyscan.sh b/regress/keyscan.sh index 0ce0c7410..b8593fede 100644 --- a/regress/keyscan.sh +++ b/regress/keyscan.sh @@ -1,10 +1,9 @@ -# $OpenBSD: keyscan.sh,v 1.11 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: keyscan.sh,v 1.12 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="keyscan" -KEYTYPES=`${SSH} -Q key-plain | filter_sk` -for i in $KEYTYPES; do +for i in $SSH_KEYTYPES; do if [ -z "$algs" ]; then algs="$i" else @@ -15,7 +14,7 @@ echo "HostKeyAlgorithms $algs" >> $OBJ/sshd_config start_sshd -for t in $KEYTYPES; do +for t in $SSH_KEYTYPES; do trace "keyscan type $t" ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \ > /dev/null 2>&1 diff --git a/regress/keytype.sh b/regress/keytype.sh index 91c5aca1b..20a8ceaf2 100644 --- a/regress/keytype.sh +++ b/regress/keytype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keytype.sh,v 1.9 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: keytype.sh,v 1.10 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="login with different key types" @@ -50,11 +50,7 @@ kname_to_ktype() { tries="1 2 3" for ut in $ktypes; do user_type=`kname_to_ktype "$ut"` - # SK keys are not supported for hostkeys. - case "$ut" in - *sk) htypes=ed25519-512;; - *) htypes="$ut";; - esac + htypes="$ut" #htypes=$ktypes for ht in $htypes; do host_type=`kname_to_ktype "$ht"` diff --git a/regress/krl.sh b/regress/krl.sh index 1efd80bfe..c381225ed 100644 --- a/regress/krl.sh +++ b/regress/krl.sh @@ -1,4 +1,4 @@ -# $OpenBSD: krl.sh,v 1.10 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: krl.sh,v 1.11 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="key revocation lists" @@ -7,7 +7,7 @@ tid="key revocation lists" # w/out OpenSSL. Populate ktype[2-4] with the other types if supported. ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; -for t in `${SSH} -Q key-plain | maybe_filter_sk`; do +for t in $SSH_KEYTYPES; do case "$t" in ecdsa*) ktype2=ecdsa ;; ssh-rsa) ktype3=rsa ;; diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh index abac05c0c..010a88cd7 100644 --- a/regress/limit-keytype.sh +++ b/regress/limit-keytype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: limit-keytype.sh,v 1.8 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: limit-keytype.sh,v 1.9 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="restrict pubkey type" @@ -13,7 +13,7 @@ mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; -for t in `${SSH} -Q key-plain | maybe_filter_sk`; do +for t in $SSH_KEYTYPES ; do case "$t" in ssh-rsa) ktype2=rsa ;; ecdsa*) ktype3=ecdsa ;; # unused diff --git a/regress/principals-command.sh b/regress/principals-command.sh index 9e85e8e75..5e535c133 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh @@ -1,4 +1,4 @@ -# $OpenBSD: principals-command.sh,v 1.10 2019/12/11 18:47:14 djm Exp $ +# $OpenBSD: principals-command.sh,v 1.11 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="authorized principals command" @@ -12,7 +12,7 @@ if [ -z "$SUDO" -a ! -w /var/run ]; then exit 0 fi -case "`${SSH} -Q key-plain`" in +case "$SSH_KEYTYPES" in *ssh-rsa*) userkeytype=rsa ;; *) userkeytype=ed25519 ;; esac diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 4bf4059fc..03dab2031 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.68 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: test-exec.sh,v 1.69 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -493,23 +493,21 @@ export SSH_SK_PROVIDER if ! test -z "$SSH_SK_PROVIDER"; then EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)... echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config + echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_config + echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_proxy fi export EXTRA_AGENT_ARGS -filter_sk() { - grep -v ^sk -} - maybe_filter_sk() { if test -z "$SSH_SK_PROVIDER" ; then - filter_sk + grep -v ^sk else cat fi } SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk` -SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | filter_sk` +SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk` for t in ${SSH_KEYTYPES}; do # generate user key -- cgit v1.2.3 From f8c11461aa6db168fc5e7eeae448b4cbbf59642a Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 21 Jan 2020 08:06:27 +0000 Subject: upstream: pass SSH_SK_HELPER explicitly past $SUDO to avoid it getting cleared; with dtucker@ OpenBSD-Regress-ID: 03178a0580324bf0dff28f7eac6c3edbc5407f8e --- regress/integrity.sh | 4 ++-- regress/test-exec.sh | 7 ++++--- sshd.c | 7 ++++++- 3 files changed, 12 insertions(+), 6 deletions(-) (limited to 'regress/test-exec.sh') diff --git a/regress/integrity.sh b/regress/integrity.sh index 5ba6bf6ab..bc030cb74 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.23 2017/04/30 23:34:55 djm Exp $ +# $OpenBSD: integrity.sh,v 1.24 2020/01/21 08:06:27 djm Exp $ # Placed in the Public Domain. tid="integrity" @@ -18,7 +18,7 @@ macs="$macs `${SSH} -Q cipher-auth`" # >> $OBJ/ssh_proxy # sshd-command for proxy (see test-exec.sh) -cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy" +cmd="$SUDO env SSH_SK_HELPER="$SSH_SK_HELPER" sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy" for m in $macs; do trace "test $tid: mac $m" diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 03dab2031..b448192e1 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.69 2019/12/16 02:39:05 djm Exp $ +# $OpenBSD: test-exec.sh,v 1.70 2020/01/21 08:06:27 djm Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -598,7 +598,7 @@ fi # create a proxy version of the client config ( cat $OBJ/ssh_config - echo proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy + echo proxycommand ${SUDO} env SSH_SK_HELPER=\"$SSH_SK_HELPER\" sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy ) > $OBJ/ssh_proxy # check proxy config @@ -608,7 +608,8 @@ start_sshd () { # start sshd $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken" - $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -E$TEST_SSHD_LOGFILE + $SUDO env SSH_SK_HELPER="$SSH_SK_HELPER" \ + ${SSHD} -f $OBJ/sshd_config "$@" -E$TEST_SSHD_LOGFILE trace "wait for sshd" i=0; diff --git a/sshd.c b/sshd.c index 0cf13a741..ecec026bf 100644 --- a/sshd.c +++ b/sshd.c @@ -1059,7 +1059,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) { fd_set *fdset; int i, j, ret, maxfd; - int startups = 0, listening = 0, lameduck = 0; + int ostartups = -1, startups = 0, listening = 0, lameduck = 0; int startup_p[2] = { -1 , -1 }; char c = 0; struct sockaddr_storage from; @@ -1084,6 +1084,11 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) * the daemon is killed with a signal. */ for (;;) { + if (ostartups != startups) { + setproctitle("[listener] %d/%d startups", + startups, options.max_startups); + ostartups = startups; + } if (received_sighup) { if (!lameduck) { debug("Received SIGHUP; waiting for children"); -- cgit v1.2.3 From 7e1323102b1b04eef391b01e180710a2d408a7ab Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Thu, 23 Jan 2020 03:42:41 +0000 Subject: upstream: Check for and warn about StrictModes permission problems. ok tb@ OpenBSD-Regress-ID: 4841704ccdee50ee7efc6035bc686695c6ac2991 --- regress/test-exec.sh | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) (limited to 'regress/test-exec.sh') diff --git a/regress/test-exec.sh b/regress/test-exec.sh index b448192e1..c26e47f7f 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.70 2020/01/21 08:06:27 djm Exp $ +# $OpenBSD: test-exec.sh,v 1.71 2020/01/23 03:42:41 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -444,6 +444,29 @@ EOF # be abused to locally escalate privileges. if [ ! -z "$TEST_SSH_UNSAFE_PERMISSIONS" ]; then echo "StrictModes no" >> $OBJ/sshd_config +else + # check and warn if excessive permissions are likely to cause failures. + unsafe="" + dir="${OBJ}" + while test ${dir} != "/"; do + perms=`ls -ld ${dir}` + case "${perms}" in + ?????w????*|????????w?*) unsafe="${unsafe} ${dir}" ;; + esac + dir=`dirname ${dir}` + done + if ! test -z "${unsafe}"; then + cat < Date: Thu, 23 Jan 2020 10:19:59 +0000 Subject: upstream: When checking for unsafe directories, ignore non-directories (ie symlinks, where permissions are not relevant). OpenBSD-Regress-ID: fb6cfc8b022becb62b2dcb99ed3f072b3326e501 --- regress/test-exec.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'regress/test-exec.sh') diff --git a/regress/test-exec.sh b/regress/test-exec.sh index c26e47f7f..f17f9493d 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.71 2020/01/23 03:42:41 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.72 2020/01/23 10:19:59 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -449,10 +449,12 @@ else unsafe="" dir="${OBJ}" while test ${dir} != "/"; do - perms=`ls -ld ${dir}` - case "${perms}" in + if test -d "${dir}" ; then + perms=`ls -ld ${dir}` + case "${perms}" in ?????w????*|????????w?*) unsafe="${unsafe} ${dir}" ;; - esac + esac + fi dir=`dirname ${dir}` done if ! test -z "${unsafe}"; then -- cgit v1.2.3 From 0585b5697201f5d8b32e6f1b0fee7e188268d30d Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Fri, 24 Jan 2020 01:29:23 +0000 Subject: upstream: Do not warn about permissions on symlinks. OpenBSD-Regress-ID: 339d4cbae224bd8743ffad9c3afb0cf3cb66c357 --- regress/test-exec.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'regress/test-exec.sh') diff --git a/regress/test-exec.sh b/regress/test-exec.sh index f17f9493d..fa92ee45a 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.72 2020/01/23 10:19:59 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.73 2020/01/24 01:29:23 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -449,7 +449,7 @@ else unsafe="" dir="${OBJ}" while test ${dir} != "/"; do - if test -d "${dir}" ; then + if test -d "${dir}" && ! test -h "${dir}"; then perms=`ls -ld ${dir}` case "${perms}" in ?????w????*|????????w?*) unsafe="${unsafe} ${dir}" ;; -- cgit v1.2.3 From a0c81d2402eedc514b9c9f25ef9604eb0576b86a Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Sat, 25 Jan 2020 02:57:53 +0000 Subject: upstream: Move setting $NC into test-exec since it's now used by multiple tests, and in -portable we use our own local copy to avoid portability problems. OpenBSD-Regress-ID: ceb78445fcaac317bec2fc51b3f0d9589048c114 --- regress/connect.sh | 4 +--- regress/multiplex.sh | 4 +--- regress/test-exec.sh | 5 ++++- 3 files changed, 6 insertions(+), 7 deletions(-) (limited to 'regress/test-exec.sh') diff --git a/regress/connect.sh b/regress/connect.sh index 5e492b86d..46f12b7b3 100644 --- a/regress/connect.sh +++ b/regress/connect.sh @@ -1,10 +1,8 @@ -# $OpenBSD: connect.sh,v 1.7 2020/01/24 10:08:17 dtucker Exp $ +# $OpenBSD: connect.sh,v 1.8 2020/01/25 02:57:53 dtucker Exp $ # Placed in the Public Domain. tid="simple connect" -NC=nc - start_sshd trace "direct connect" diff --git a/regress/multiplex.sh b/regress/multiplex.sh index f93310ed8..817ddbfa8 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: multiplex.sh,v 1.31 2020/01/25 00:27:56 dtucker Exp $ +# $OpenBSD: multiplex.sh,v 1.32 2020/01/25 02:57:53 dtucker Exp $ # Placed in the Public Domain. make_tmpdir @@ -6,8 +6,6 @@ CTL=${SSH_REGRESS_TMP}/ctl-sock tid="connection multiplexing" -NC=$OBJ/netcat - trace "will use ProxyCommand $proxycmd" if config_defined DISABLE_FD_PASSING ; then echo "skipped (not supported on this platform)" diff --git a/regress/test-exec.sh b/regress/test-exec.sh index fa92ee45a..2c9c3f498 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.73 2020/01/24 01:29:23 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.74 2020/01/25 02:57:53 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -80,6 +80,9 @@ PLINK=plink PUTTYGEN=puttygen CONCH=conch +# Tools used by multiple tests +NC=$OBJ/netcat + if [ "x$TEST_SSH_SSH" != "x" ]; then SSH="${TEST_SSH_SSH}" fi -- cgit v1.2.3 From 677d0ece67634262b3b96c3cd6410b19f3a603b7 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 31 Jan 2020 23:25:08 +0000 Subject: upstream: regress test for sshd_config Include directive; from Jakub Jelen OpenBSD-Regress-ID: 0d9224de3297c7a5f51ba68d6e3725a2a9345fa4 --- regress/Makefile | 5 +- regress/servcfginclude.sh | 154 ++++++++++++++++++++++++++++++++++++++++++++++ regress/test-exec.sh | 3 +- 3 files changed, 159 insertions(+), 3 deletions(-) create mode 100644 regress/servcfginclude.sh (limited to 'regress/test-exec.sh') diff --git a/regress/Makefile b/regress/Makefile index 34c47e8cb..774c10d41 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.104 2019/09/03 08:37:45 djm Exp $ +# $OpenBSD: Makefile,v 1.106 2020/01/31 23:25:08 djm Exp $ tests: prep file-tests t-exec unit @@ -87,6 +87,7 @@ LTESTS= connect \ principals-command \ cert-file \ cfginclude \ + servcfginclude \ allow-deny-users \ authinfo \ sshsig @@ -122,7 +123,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ ssh-rsa_oldfmt \ ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \ ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \ - sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \ + sshd_config.* sshd_proxy sshd_proxy.* sshd_proxy_bak \ sshd_proxy_orig t10.out t10.out.pub t12.out t12.out.pub \ t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub \ t8.out t8.out.pub t9.out t9.out.pub testdata \ diff --git a/regress/servcfginclude.sh b/regress/servcfginclude.sh new file mode 100644 index 000000000..b25c8faa8 --- /dev/null +++ b/regress/servcfginclude.sh @@ -0,0 +1,154 @@ +# Placed in the Public Domain. + +tid="server config include" + +cat > $OBJ/sshd_config.i << _EOF +HostKey $OBJ/host.ssh-ed25519 +Match host a + Banner /aa + +Match host b + Banner /bb + Include $OBJ/sshd_config.i.* + +Match host c + Include $OBJ/sshd_config.i.* + Banner /cc + +Match host m + Include $OBJ/sshd_config.i.* + +Match Host d + Banner /dd + +Match Host e + Banner /ee + Include $OBJ/sshd_config.i.* + +Match Host f + Include $OBJ/sshd_config.i.* + Banner /ff + +Match Host n + Include $OBJ/sshd_config.i.* +_EOF + +cat > $OBJ/sshd_config.i.0 << _EOF +Match host xxxxxx +_EOF + +cat > $OBJ/sshd_config.i.1 << _EOF +Match host a + Banner /aaa + +Match host b + Banner /bbb + +Match host c + Banner /ccc + +Match Host d + Banner /ddd + +Match Host e + Banner /eee + +Match Host f + Banner /fff +_EOF + +cat > $OBJ/sshd_config.i.2 << _EOF +Match host a + Banner /aaaa + +Match host b + Banner /bbbb + +Match host c + Banner /cccc + +Match Host d + Banner /dddd + +Match Host e + Banner /eeee + +Match Host f + Banner /ffff + +Match all + Banner /xxxx +_EOF + +trial() { + _host="$1" + _exp="$2" + _desc="$3" + test -z "$_desc" && _desc="test match" + trace "$_desc host=$_host expect=$_exp" + ${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i -T \ + -C "host=$_host,user=test,addr=127.0.0.1" > $OBJ/sshd_config.out || + fatal "ssh config parse failed: $_desc host=$_host expect=$_exp" + _got=`grep -i '^banner ' $OBJ/sshd_config.out | awk '{print $2}'` + if test "x$_exp" != "x$_got" ; then + fail "$desc_ host $_host include fail: expected $_exp got $_got" + fi +} + +trial a /aa +trial b /bb +trial c /ccc +trial d /dd +trial e /ee +trial f /fff +trial m /xxxx +trial n /xxxx +trial x none + +# Prepare an included config with an error. + +cat > $OBJ/sshd_config.i.3 << _EOF +Banner xxxx + Junk +_EOF + +trace "disallow invalid config host=a" +${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i \ + -C "host=a,user=test,addr=127.0.0.1" 2>/dev/null && \ + fail "sshd include allowed invalid config" + +trace "disallow invalid config host=x" +${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i \ + -C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \ + fail "sshd include allowed invalid config" + +rm -f $OBJ/sshd_config.i.* + +# Ensure that a missing include is not fatal. +cat > $OBJ/sshd_config.i << _EOF +HostKey $OBJ/host.ssh-ed25519 +Include $OBJ/sshd_config.i.* +Banner /aa +_EOF + +trial a /aa "missing include non-fatal" + +# Ensure that Match/Host in an included config does not affect parent. +cat > $OBJ/sshd_config.i.x << _EOF +Match host x +_EOF + +trial a /aa "included file does not affect match state" + +# Ensure the empty include directive is not accepted +cat > $OBJ/sshd_config.i.x << _EOF +Include +_EOF + +trace "disallow invalid with no argument" +${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x \ + -C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \ + fail "sshd allowed Include with no argument" + +# cleanup +rm -f $OBJ/sshd_config.i $OBJ/sshd_config.i.* $OBJ/sshd_config.out diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 2c9c3f498..f5e3ee6f5 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.74 2020/01/25 02:57:53 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.75 2020/01/31 23:25:08 djm Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -239,6 +239,7 @@ echo "exec ${SSH} -E${TEST_SSH_LOGFILE} "'"$@"' >>$SSHLOGWRAP chmod a+rx $OBJ/ssh-log-wrapper.sh REAL_SSH="$SSH" +REAL_SSHD="$SSHD" SSH="$SSHLOGWRAP" # Some test data. We make a copy because some tests will overwrite it. -- cgit v1.2.3 From 311da721c2a5c6d147738e0699fa49d04cd5762a Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Thu, 30 Aug 2018 00:58:56 +0100 Subject: Work around conch interoperability failure Twisted Conch fails to read private keys in the new format (https://twistedmatrix.com/trac/ticket/9515). Work around this until it can be fixed in Twisted. Forwarded: not-needed Last-Update: 2019-10-09 Patch-Name: conch-old-privkey-format.patch --- regress/Makefile | 2 +- regress/conch-ciphers.sh | 2 +- regress/test-exec.sh | 12 ++++++++++++ 3 files changed, 14 insertions(+), 2 deletions(-) (limited to 'regress/test-exec.sh') diff --git a/regress/Makefile b/regress/Makefile index 774c10d41..01e257a94 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -120,7 +120,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \ scp-ssh-wrapper.scp setuid-allowed sftp-server.log \ sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \ - ssh-rsa_oldfmt \ + ssh-rsa_oldfmt ssh-rsa_oldfmt.pub \ ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \ ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \ sshd_config.* sshd_proxy sshd_proxy.* sshd_proxy_bak \ diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh index 6678813a2..6ff5da20b 100644 --- a/regress/conch-ciphers.sh +++ b/regress/conch-ciphers.sh @@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \ rm -f ${COPY} # XXX the 2nd "cat" seems to be needed because of buggy FD handling # in conch - ${CONCH} --identity $OBJ/ssh-rsa --port $PORT --user $USER -e none \ + ${CONCH} --identity $OBJ/ssh-rsa_oldfmt --port $PORT --user $USER -e none \ --known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \ 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY} if [ $? -ne 0 ]; then diff --git a/regress/test-exec.sh b/regress/test-exec.sh index f5e3ee6f5..a3a40719f 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -573,6 +573,18 @@ REGRESS_INTEROP_CONCH=no if test -x "$CONCH" ; then REGRESS_INTEROP_CONCH=yes fi +case "$SCRIPT" in +*conch*) ;; +*) REGRESS_INTEROP_CONCH=no +esac + +if test "$REGRESS_INTEROP_CONCH" = "yes" ; then + # Convert rsa key to old format to work around + # https://twistedmatrix.com/trac/ticket/9515 + cp $OBJ/ssh-rsa $OBJ/ssh-rsa_oldfmt + cp $OBJ/ssh-rsa.pub $OBJ/ssh-rsa_oldfmt.pub + ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/ssh-rsa_oldfmt >/dev/null +fi # If PuTTY is present and we are running a PuTTY test, prepare keys and # configuration -- cgit v1.2.3