From 53f4bb65999cef5634fba2bb4fbef3a70650ce4c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 18 Apr 2010 08:15:14 +1000 Subject: - OpenBSD CVS Sync - djm@cvs.openbsd.org 2010/04/16 01:58:45 [regress/cert-hostkey.sh regress/cert-userkey.sh] regression tests for v01 certificate format includes interop tests for v00 certs --- regress/cert-hostkey.sh | 174 ++++++++++++++++++++++++++++-------------------- regress/cert-userkey.sh | 80 ++++++++++++---------- 2 files changed, 147 insertions(+), 107 deletions(-) (limited to 'regress') diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 3fda667cb..0265e8f6b 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $ # Placed in the Public Domain. tid="certified host keys" @@ -28,11 +28,17 @@ for ktype in rsa dsa ; do -I "regress host key for $USER" \ -n $HOSTS $OBJ/cert_host_key_${ktype} || fail "couldn't sign cert_host_key_${ktype}" + cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 + cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub + ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ + -I "regress host key for $USER" \ + -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 || + fail "couldn't sign cert_host_key_${ktype}_v00" done # Basic connect tests for privsep in yes no ; do - for ktype in rsa dsa ; do + for ktype in rsa dsa rsa_v00 dsa_v00; do verbose "$tid: host ${ktype} cert connect privsep $privsep" ( cat $OBJ/sshd_proxy_bak @@ -61,9 +67,15 @@ done echon '@revoked ' echon "* " cat $OBJ/cert_host_key_dsa.pub + echon '@revoked ' + echon "* " + cat $OBJ/cert_host_key_rsa_v00.pub + echon '@revoked ' + echon "* " + cat $OBJ/cert_host_key_dsa_v00.pub ) > $OBJ/known_hosts-cert for privsep in yes no ; do - for ktype in rsa dsa ; do + for ktype in rsa dsa rsa_v00 dsa_v00; do verbose "$tid: host ${ktype} revoked cert privsep $privsep" ( cat $OBJ/sshd_proxy_bak @@ -90,7 +102,7 @@ done echon "* " cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert -for ktype in rsa dsa ; do +for ktype in rsa dsa rsa_v00 dsa_v00 ; do verbose "$tid: host ${ktype} revoked cert" ( cat $OBJ/sshd_proxy_bak @@ -116,32 +128,39 @@ test_one() { ident=$1 result=$2 sign_opts=$3 - - verbose "$tid: test host cert connect $ident expect $result" - - ${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \ - $sign_opts \ - $OBJ/cert_host_key_rsa || - fail "couldn't sign cert_host_key_rsa" - ( - cat $OBJ/sshd_proxy_bak - echo HostKey $OBJ/cert_host_key_rsa - echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub - ) > $OBJ/sshd_proxy - ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ - -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - rc=$? - if [ "x$result" = "xsuccess" ] ; then - if [ $rc -ne 0 ]; then - fail "ssh cert connect $ident failed unexpectedly" - fi - else - if [ $rc -eq 0 ]; then - fail "ssh cert connect $ident succeeded unexpectedly" + for kt in rsa rsa_v00 ; do + case $kt in + *_v00) args="-t v00" ;; + *) args="" ;; + esac + + verbose "$tid: host cert connect $ident $kt expect $result" + ${SSHKEYGEN} -q -s $OBJ/host_ca_key \ + -I "regress host key for $USER" \ + $sign_opts $args \ + $OBJ/cert_host_key_${kt} || + fail "couldn't sign cert_host_key_${kt}" + ( + cat $OBJ/sshd_proxy_bak + echo HostKey $OBJ/cert_host_key_${kt} + echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub + ) > $OBJ/sshd_proxy + + ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ + -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + rc=$? + if [ "x$result" = "xsuccess" ] ; then + if [ $rc -ne 0 ]; then + fail "ssh cert connect $ident failed unexpectedly" + fi + else + if [ $rc -eq 0 ]; then + fail "ssh cert connect $ident succeeded unexpectedly" + fi fi - fi + done } test_one "user-certificate" failure "-n $HOSTS" @@ -153,32 +172,35 @@ test_one "cert valid interval" success "-h -V-1w:+2w" test_one "cert has constraints" failure "-h -Oforce-command=false" # Check downgrade of cert to raw key when no CA found -rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* -for ktype in rsa dsa ; do - verbose "$tid: host ${ktype} cert downgrade to raw key" - # Generate and sign a host key - ${SSHKEYGEN} -q -N '' -t ${ktype} \ - -f $OBJ/cert_host_key_${ktype} || \ - fail "ssh-keygen of cert_host_key_${ktype} failed" - ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \ - -n $HOSTS $OBJ/cert_host_key_${ktype} || - fail "couldn't sign cert_host_key_${ktype}" - ( - echon "$HOSTS " - cat $OBJ/cert_host_key_${ktype}.pub - ) > $OBJ/known_hosts-cert - ( - cat $OBJ/sshd_proxy_bak - echo HostKey $OBJ/cert_host_key_${ktype} - echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub - ) > $OBJ/sshd_proxy - - ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ - -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ - -F $OBJ/ssh_proxy somehost true - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi +for v in v01 v00 ; do + for ktype in rsa dsa ; do + rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* + verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" + # Generate and sign a host key + ${SSHKEYGEN} -q -N '' -t ${ktype} \ + -f $OBJ/cert_host_key_${ktype} || \ + fail "ssh-keygen of cert_host_key_${ktype} failed" + ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ + -I "regress host key for $USER" \ + -n $HOSTS $OBJ/cert_host_key_${ktype} || + fail "couldn't sign cert_host_key_${ktype}" + ( + echon "$HOSTS " + cat $OBJ/cert_host_key_${ktype}.pub + ) > $OBJ/known_hosts-cert + ( + cat $OBJ/sshd_proxy_bak + echo HostKey $OBJ/cert_host_key_${ktype} + echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub + ) > $OBJ/sshd_proxy + + ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ + -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ + -F $OBJ/ssh_proxy somehost true + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + done done # Wrong certificate @@ -187,25 +209,31 @@ done echon "$HOSTS " cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert -for ktype in rsa dsa ; do - # Self-sign key - ${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \ - -I "regress host key for $USER" \ - -n $HOSTS $OBJ/cert_host_key_${ktype} || - fail "couldn't sign cert_host_key_${ktype}" - verbose "$tid: host ${ktype} connect wrong cert" - ( - cat $OBJ/sshd_proxy_bak - echo HostKey $OBJ/cert_host_key_${ktype} - echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub - ) > $OBJ/sshd_proxy - - ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ - -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ - -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect $ident succeeded unexpectedly" - fi +for v in v01 v00 ; do + for kt in rsa dsa ; do + rm -f $OBJ/cert_host_key* + # Self-sign key + ${SSHKEYGEN} -q -N '' -t ${kt} \ + -f $OBJ/cert_host_key_${kt} || \ + fail "ssh-keygen of cert_host_key_${kt} failed" + ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \ + -I "regress host key for $USER" \ + -n $HOSTS $OBJ/cert_host_key_${kt} || + fail "couldn't sign cert_host_key_${kt}" + verbose "$tid: host ${kt} connect wrong cert" + ( + cat $OBJ/sshd_proxy_bak + echo HostKey $OBJ/cert_host_key_${kt} + echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub + ) > $OBJ/sshd_proxy + + ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ + -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ + -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect $ident succeeded unexpectedly" + fi + done done rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 7a58e7b75..88d6d70a4 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $ +# $OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $ # Placed in the Public Domain. tid="certified user keys" @@ -20,6 +20,12 @@ for ktype in rsa dsa ; do "regress user key for $USER" \ -n $USER $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" + cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 + cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub + ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ + "regress user key for $USER" \ + -n $USER $OBJ/cert_user_key_${ktype}_v00 || + fail "couldn't sign cert_user_key_${ktype}_v00" done basic_tests() { @@ -35,7 +41,7 @@ basic_tests() { extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" fi - for ktype in rsa dsa ; do + for ktype in rsa dsa rsa_v00 dsa_v00 ; do for privsep in yes no ; do _prefix="${ktype} privsep $privsep $auth" # Simple connect @@ -108,39 +114,41 @@ test_one() { fi for auth in $auth_choice ; do - cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy - if test "x$auth" = "xauthorized_keys" ; then - # Add CA to authorized_keys - ( - echon 'cert-authority ' - cat $OBJ/user_ca_key.pub - ) > $OBJ/authorized_keys_$USER - else - echo > $OBJ/authorized_keys_$USER - echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \ - $OBJ/sshd_proxy - - fi - - verbose "$tid: $ident auth $auth expect $result" - ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ - -I "regress user key for $USER" \ - $sign_opts \ - $OBJ/cert_user_key_rsa || - fail "couldn't sign cert_user_key_rsa" + for ktype in rsa rsa_v00 ; do + cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy + if test "x$auth" = "xauthorized_keys" ; then + # Add CA to authorized_keys + ( + echon 'cert-authority ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + else + echo > $OBJ/authorized_keys_$USER + echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ + >> $OBJ/sshd_proxy - ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \ - somehost true >/dev/null 2>&1 - rc=$? - if [ "x$result" = "xsuccess" ] ; then - if [ $rc -ne 0 ]; then - fail "$ident failed unexpectedly" fi - else - if [ $rc -eq 0 ]; then - fail "$ident succeeded unexpectedly" + + verbose "$tid: $ident auth $auth expect $result $ktype" + ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ + -I "regress user key for $USER" \ + $sign_opts \ + $OBJ/cert_user_key_${ktype} || + fail "couldn't sign cert_user_key_${ktype}" + + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + rc=$? + if [ "x$result" = "xsuccess" ] ; then + if [ $rc -ne 0 ]; then + fail "$ident failed unexpectedly" + fi + else + if [ $rc -eq 0 ]; then + fail "$ident succeeded unexpectedly" + fi fi - fi + done done } @@ -158,9 +166,13 @@ test_one "empty principals" success "" authorized_keys test_one "empty principals" failure "" TrustedUserCAKeys # Wrong certificate -for ktype in rsa dsa ; do +for ktype in rsa dsa rsa_v00 dsa_v00 ; do + case $ktype in + *_v00) args="-t v00" ;; + *) args="" ;; + esac # Self-sign - ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ + ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \ "regress user key for $USER" \ -n $USER $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" -- cgit v1.2.3 From 3bcce80b544174b70dfd6e0a4e9f1488ca6fa69b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 21 May 2010 14:48:16 +1000 Subject: - djm@cvs.openbsd.org 2010/05/07 11:31:26 [regress/Makefile regress/cert-userkey.sh] regress tests for AuthorizedPrincipalsFile and "principals=" key option. feedback and ok markus@ --- ChangeLog | 7 +++ regress/Makefile | 5 ++- regress/cert-userkey.sh | 117 +++++++++++++++++++++++++++++++++++++++++++++--- 3 files changed, 122 insertions(+), 7 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 331655873..35cd857a2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20100521 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2010/05/07 11:31:26 + [regress/Makefile regress/cert-userkey.sh] + regress tests for AuthorizedPrincipalsFile and "principals=" key option. + feedback and ok markus@ + 20100511 - (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve circular dependency problem on old or odd platforms. From Tom Lane, ok diff --git a/regress/Makefile b/regress/Makefile index d25a64555..6e7b441bf 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.52 2010/02/26 20:33:21 djm Exp $ +# $OpenBSD: Makefile,v 1.53 2010/05/07 11:31:26 djm Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec tests: $(REGRESS_TARGETS) @@ -69,7 +69,8 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \ sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \ known_hosts-cert host_ca_key* cert_host_key* \ - putty.rsa2 sshd_proxy_orig + putty.rsa2 sshd_proxy_orig \ + authorized_principals_${USER} # Enable all malloc(3) randomisations and checks TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 88d6d70a4..8fd1b48db 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $ +# $OpenBSD: cert-userkey.sh,v 1.5 2010/05/07 11:31:26 djm Exp $ # Placed in the Public Domain. tid="certified user keys" @@ -18,16 +18,100 @@ for ktype in rsa dsa ; do fail "ssh-keygen of cert_user_key_${ktype} failed" ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \ "regress user key for $USER" \ - -n $USER $OBJ/cert_user_key_${ktype} || + -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ "regress user key for $USER" \ - -n $USER $OBJ/cert_user_key_${ktype}_v00 || + -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || fail "couldn't sign cert_user_key_${ktype}_v00" done +# Test explicitly-specified principals +for ktype in rsa dsa rsa_v00 dsa_v00 ; do + for privsep in yes no ; do + _prefix="${ktype} privsep $privsep" + + # Setup for AuthorizedPrincipalsFile + rm -f $OBJ/authorized_keys_$USER + ( + cat $OBJ/sshd_proxy_bak + echo "UsePrivilegeSeparation $privsep" + echo "AuthorizedPrincipalsFile " \ + "$OBJ/authorized_principals_%u" + echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" + ) > $OBJ/sshd_proxy + + # Missing authorized_principals + verbose "$tid: ${_prefix} missing authorized_principals" + rm -f $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Empty authorized_principals + verbose "$tid: ${_prefix} empty authorized_principals" + echo > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Wrong authorized_principals + verbose "$tid: ${_prefix} wrong authorized_principals" + echo gregorsamsa > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Correct authorized_principals + verbose "$tid: ${_prefix} correct authorized_principals" + echo mekmitasdigoat > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + + # Setup for principals= key option + rm -f $OBJ/authorized_principals_$USER + ( + cat $OBJ/sshd_proxy_bak + echo "UsePrivilegeSeparation $privsep" + ) > $OBJ/sshd_proxy + + # Wrong principals list + verbose "$tid: ${_prefix} wrong principals key option" + ( + echon 'cert-authority,principals="gregorsamsa" ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Correct principals list + verbose "$tid: ${_prefix} correct principals key option" + ( + echon 'cert-authority,principals="mekmitasdigoat" ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + done +done + basic_tests() { auth=$1 if test "x$auth" = "xauthorized_keys" ; then @@ -108,6 +192,7 @@ test_one() { result=$2 sign_opts=$3 auth_choice=$4 + auth_opt=$5 if test "x$auth_choice" = "x" ; then auth_choice="authorized_keys TrustedUserCAKeys" @@ -119,14 +204,16 @@ test_one() { if test "x$auth" = "xauthorized_keys" ; then # Add CA to authorized_keys ( - echon 'cert-authority ' + echon "cert-authority${auth_opt} " cat $OBJ/user_ca_key.pub ) > $OBJ/authorized_keys_$USER else echo > $OBJ/authorized_keys_$USER echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ >> $OBJ/sshd_proxy - + if test "x$auth_opt" != "x" ; then + echo $auth_opt >> $OBJ/sshd_proxy + fi fi verbose "$tid: $ident auth $auth expect $result $ktype" @@ -165,7 +252,26 @@ test_one "force-command" failure "-n ${USER} -Oforce-command=false" test_one "empty principals" success "" authorized_keys test_one "empty principals" failure "" TrustedUserCAKeys +# Check explicitly-specified principals: an empty principals list in the cert +# should always be refused. + +# AuthorizedPrincipalsFile +rm -f $OBJ/authorized_keys_$USER +echo mekmitasdigoat > $OBJ/authorized_principals_$USER +test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \ + TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" +test_one "AuthorizedPrincipalsFile no principals" failure "" \ + TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" + +# principals= key option +rm -f $OBJ/authorized_principals_$USER +test_one "principals key option principals" success "-n mekmitasdigoat" \ + authorized_keys ',principals="mekmitasdigoat"' +test_one "principals key option no principals" failure "" \ + authorized_keys ',principals="mekmitasdigoat"' + # Wrong certificate +cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy for ktype in rsa dsa rsa_v00 dsa_v00 ; do case $ktype in *_v00) args="-t v00" ;; @@ -185,4 +291,5 @@ for ktype in rsa dsa rsa_v00 dsa_v00 ; do done rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* +rm -f $OBJ/authorized_principals_$USER -- cgit v1.2.3 From 527ded7f643d99ef0798a3c3a19e4edc56b9289f Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 2 Jul 2010 13:40:16 +1000 Subject: - phessler@cvs.openbsd.org 2010/06/27 19:19:56 [Makefile] fix how we run the tests so we can successfully use SUDO='sudo -E' in our env --- ChangeLog | 4 ++++ regress/Makefile | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index cf93dc9fe..e2452f427 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,10 @@ Fix a longstanding problem where if you suspend scp at the password/passphrase prompt the terminal mode is not restored. OK djm@ + - phessler@cvs.openbsd.org 2010/06/27 19:19:56 + [regress/Makefile] + fix how we run the tests so we can successfully use SUDO='sudo -E' + in our env 20100627 - (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needs diff --git a/regress/Makefile b/regress/Makefile index 6e7b441bf..9762ab204 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.53 2010/05/07 11:31:26 djm Exp $ +# $OpenBSD: Makefile,v 1.54 2010/06/27 19:19:56 phessler Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec tests: $(REGRESS_TARGETS) @@ -113,13 +113,13 @@ t-exec: ${LTESTS:=.sh} @if [ "x$?" = "x" ]; then exit 0; fi; \ for TEST in ""$?; do \ echo "run test $${TEST}" ... 1>&2; \ - (env SUDO=${SUDO} TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ + (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ done t-exec-interop: ${INTEROP_TESTS:=.sh} @if [ "x$?" = "x" ]; then exit 0; fi; \ for TEST in ""$?; do \ echo "run test $${TEST}" ... 1>&2; \ - (env SUDO=${SUDO} TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ + (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ done -- cgit v1.2.3 From ab139cde3827744985a7d52da753af8cff27f3a3 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 2 Jul 2010 13:42:18 +1000 Subject: - djm@cvs.openbsd.org 2010/06/29 23:59:54 [cert-userkey.sh] regress tests for key options in AuthorizedPrincipals --- ChangeLog | 3 +++ regress/cert-userkey.sh | 32 +++++++++++++++++++++++++++++++- 2 files changed, 34 insertions(+), 1 deletion(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index e2452f427..b67dfe78f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -32,6 +32,9 @@ [regress/Makefile] fix how we run the tests so we can successfully use SUDO='sudo -E' in our env + - djm@cvs.openbsd.org 2010/06/29 23:59:54 + [cert-userkey.sh] + regress tests for key options in AuthorizedPrincipals 20100627 - (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needs diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 8fd1b48db..a41a9a9c0 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.5 2010/05/07 11:31:26 djm Exp $ +# $OpenBSD: cert-userkey.sh,v 1.6 2010/06/29 23:59:54 djm Exp $ # Placed in the Public Domain. tid="certified user keys" @@ -79,6 +79,36 @@ for ktype in rsa dsa rsa_v00 dsa_v00 ; do fail "ssh cert connect failed" fi + # authorized_principals with bad key option + verbose "$tid: ${_prefix} authorized_principals bad key opt" + echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # authorized_principals with command=false + verbose "$tid: ${_prefix} authorized_principals command=false" + echo 'command="false" mekmitasdigoat' > \ + $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + + # authorized_principals with command=true + verbose "$tid: ${_prefix} authorized_principals command=true" + echo 'command="true" mekmitasdigoat' > \ + $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + # Setup for principals= key option rm -f $OBJ/authorized_principals_$USER ( -- cgit v1.2.3 From 722b8d14f17f6471ef9b746f8b5942e1c7940d32 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 12 Aug 2010 09:43:13 -0700 Subject: - (tim) [regress/login-timeout.sh regress/reconfigure.sh regress/reexec.sh regress/test-exec.sh] Under certain conditions when testing with sudo tests would fail because the pidfile could not be read by a regular user. "cat: cannot open ...../regress/pidfile: Permission denied (error 13)" Make sure cat is run by $SUDO. no objection from me. djm@ --- ChangeLog | 7 +++++++ regress/login-timeout.sh | 2 +- regress/reconfigure.sh | 2 +- regress/reexec.sh | 6 +++--- regress/test-exec.sh | 2 +- 5 files changed, 13 insertions(+), 6 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 23ecb0618..daf1e98f5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20100812 + - (tim) [regress/login-timeout.sh regress/reconfigure.sh regress/reexec.sh + regress/test-exec.sh] Under certain conditions when testing with sudo + tests would fail because the pidfile could not be read by a regular user. + "cat: cannot open ...../regress/pidfile: Permission denied (error 13)" + Make sure cat is run by $SUDO. no objection from me. djm@ + 20100809 - (djm) bz#1561: don't bother setting IFF_UP on tun(4) device if it is already set. Makes FreeBSD user openable tunnels useful; patch from diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh index 15a887f74..55fbb324d 100644 --- a/regress/login-timeout.sh +++ b/regress/login-timeout.sh @@ -15,7 +15,7 @@ if [ $? -ne 0 ]; then fail "ssh connect after login grace timeout failed with privsep" fi -$SUDO kill `cat $PIDFILE` +$SUDO kill `$SUDO cat $PIDFILE` trace "test login grace without privsep" echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config diff --git a/regress/reconfigure.sh b/regress/reconfigure.sh index 1daf29f9a..9fd289531 100644 --- a/regress/reconfigure.sh +++ b/regress/reconfigure.sh @@ -15,7 +15,7 @@ esac start_sshd -PID=`cat $PIDFILE` +PID=`$SUDO cat $PIDFILE` rm -f $PIDFILE $SUDO kill -HUP $PID diff --git a/regress/reexec.sh b/regress/reexec.sh index 4f824a31d..6edfc318e 100644 --- a/regress/reexec.sh +++ b/regress/reexec.sh @@ -41,7 +41,7 @@ echo "InvalidXXX=no" >> $OBJ/sshd_config copy_tests -$SUDO kill `cat $PIDFILE` +$SUDO kill `$SUDO cat $PIDFILE` rm -f $PIDFILE cp $OBJ/sshd_config.orig $OBJ/sshd_config @@ -53,7 +53,7 @@ rm -f $SSHD_COPY copy_tests -$SUDO kill `cat $PIDFILE` +$SUDO kill `$SUDO cat $PIDFILE` rm -f $PIDFILE verbose "test reexec fallback without privsep" @@ -66,7 +66,7 @@ rm -f $SSHD_COPY copy_tests -$SUDO kill `cat $PIDFILE` +$SUDO kill `$SUDO cat $PIDFILE` rm -f $PIDFILE diff --git a/regress/test-exec.sh b/regress/test-exec.sh index b3a19389d..b64dcdbcf 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -167,7 +167,7 @@ have_prog() cleanup () { if [ -f $PIDFILE ]; then - pid=`cat $PIDFILE` + pid=`$SUDO cat $PIDFILE` if [ "X$pid" = "X" ]; then echo no sshd running else -- cgit v1.2.3 From 07ad38918117d87121e65738431a68fd3a3b2048 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 17 Aug 2010 07:04:28 +1000 Subject: - (djm) [regress/README.regress] typo --- ChangeLog | 1 + regress/README.regress | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index f9496530c..ba9858d03 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,7 @@ by this. "please commit" markus@ + - (djm) [regress/README.regress] typo 20100812 - (tim) [regress/login-timeout.sh regress/reconfigure.sh regress/reexec.sh diff --git a/regress/README.regress b/regress/README.regress index 5aaf734bd..da9bb6a99 100644 --- a/regress/README.regress +++ b/regress/README.regress @@ -29,7 +29,7 @@ TEST_SSH_x: path to "ssh" command under test, where x=SSH,SSHD,SSHAGENT,SSHADD OBJ: used by test scripts to access build dir. TEST_SHELL: shell used for running the test scripts. TEST_SSH_PORT: TCP port to be used for the listening tests. -TEST_SSH_SSH_CONFOTPS: Configuration directives to be added to ssh_config +TEST_SSH_SSH_CONFOPTS: Configuration directives to be added to ssh_config before running each test. TEST_SSH_SSHD_CONFOTPS: Configuration directives to be added to sshd_config before running each test. @@ -105,4 +105,4 @@ Known Issues. test to fail. The old behaviour can be restored by setting (and exporting) _POSIX2_VERSION=199209 before running the tests. -$Id: README.regress,v 1.10 2005/10/03 10:14:18 dtucker Exp $ +$Id: README.regress,v 1.11 2010/08/16 21:04:29 djm Exp $ -- cgit v1.2.3