From ce1b358ea414a2cc88e4430cd5a2ea7fecd9de57 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 16 Mar 2015 22:46:14 +0000 Subject: upstream commit make CLEANFILES clean up more of the tests' droppings --- regress/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'regress') diff --git a/regress/Makefile b/regress/Makefile index 99a7d60f5..252fb2eeb 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.78 2015/01/26 06:12:18 djm Exp $ +# $OpenBSD: Makefile,v 1.79 2015/03/16 22:46:14 djm Exp $ REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec tests: prep $(REGRESS_TARGETS) -- cgit v1.2.3 From 9e1777a0d1c706714b055811c12ab8cc21033e4a Mon Sep 17 00:00:00 2001 From: "markus@openbsd.org" Date: Tue, 24 Mar 2015 20:19:15 +0000 Subject: upstream commit use ${SSH} for -Q instead of installed ssh --- regress/cipher-speed.sh | 4 ++-- regress/hostkey-rotate.sh | 8 ++++---- regress/integrity.sh | 4 ++-- regress/kextype.sh | 4 ++-- regress/try-ciphers.sh | 4 ++-- 5 files changed, 12 insertions(+), 12 deletions(-) (limited to 'regress') diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index ad2f9b90b..575dc2341 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cipher-speed.sh,v 1.12 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: cipher-speed.sh,v 1.13 2015/03/24 20:22:17 markus Exp $ # Placed in the Public Domain. tid="cipher speed" @@ -25,7 +25,7 @@ for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do fi done # No point trying all MACs for AEAD ciphers since they are ignored. - if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then + if ${SSH} -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then break fi n=`expr $n + 1` diff --git a/regress/hostkey-rotate.sh b/regress/hostkey-rotate.sh index b5d542d12..cde6008f4 100644 --- a/regress/hostkey-rotate.sh +++ b/regress/hostkey-rotate.sh @@ -1,4 +1,4 @@ -# $OpenBSD: hostkey-rotate.sh,v 1.2 2015/03/03 17:53:40 djm Exp $ +# $OpenBSD: hostkey-rotate.sh,v 1.3 2015/03/24 20:22:17 markus Exp $ # Placed in the Public Domain. tid="hostkey rotate" @@ -15,7 +15,7 @@ rm $OBJ/known_hosts trace "prepare hostkeys" nkeys=0 all_algs="" -for k in `ssh -Q key-plain` ; do +for k in `${SSH} -Q key-plain` ; do ${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k" echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig nkeys=`expr $nkeys + 1` @@ -62,7 +62,7 @@ expect_nkeys $nkeys "learn hostkeys" check_key_present ssh-rsa || fail "didn't learn keys" # Check each key type -for k in `ssh -Q key-plain` ; do +for k in `${SSH} -Q key-plain` ; do verbose "learn additional hostkeys, type=$k" dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs expect_nkeys $nkeys "learn hostkeys $k" @@ -109,7 +109,7 @@ dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa expect_nkeys 1 "learn hostkeys" check_key_present ssh-rsa || fail "didn't learn changed key" -# $OpenBSD: hostkey-rotate.sh,v 1.2 2015/03/03 17:53:40 djm Exp $ +# $OpenBSD: hostkey-rotate.sh,v 1.3 2015/03/24 20:22:17 markus Exp $ # Placed in the Public Domain. tid="hostkey rotate" diff --git a/regress/integrity.sh b/regress/integrity.sh index 2ff8b3f17..1d4976771 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.15 2015/01/19 20:42:31 markus Exp $ +# $OpenBSD: integrity.sh,v 1.16 2015/03/24 20:22:17 markus Exp $ # Placed in the Public Domain. tid="integrity" @@ -38,7 +38,7 @@ for m in $macs; do cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy # modify output from sshd at offset $off pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1" - if ssh -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then + if ${SSH} -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then echo "Ciphers=$m" >> $OBJ/sshd_proxy macopt="-c $m" else diff --git a/regress/kextype.sh b/regress/kextype.sh index 6f952f4e4..e27189904 100644 --- a/regress/kextype.sh +++ b/regress/kextype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: kextype.sh,v 1.5 2014/04/21 22:15:37 djm Exp $ +# $OpenBSD: kextype.sh,v 1.6 2015/03/24 20:19:15 markus Exp $ # Placed in the Public Domain. tid="login with different key exchange algorithms" @@ -8,7 +8,7 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak # Make server accept all key exchanges. -ALLKEX=`ssh -Q kex` +ALLKEX=`${SSH} -Q kex` KEXOPT=`echo $ALLKEX | tr ' ' ,` echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index 4165c7b88..889a735d2 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh @@ -1,4 +1,4 @@ -# $OpenBSD: try-ciphers.sh,v 1.24 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: try-ciphers.sh,v 1.25 2015/03/24 20:22:17 markus Exp $ # Placed in the Public Domain. tid="try ciphers" @@ -19,7 +19,7 @@ for c in `${SSH} -Q cipher`; do fi # No point trying all MACs for AEAD ciphers since they # are ignored. - if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then + if ${SSH} -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then break fi n=`expr $n + 1` -- cgit v1.2.3 From 7da2be0cb9601ed25460c83aa4d44052b967ba0f Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 31 Mar 2015 22:59:01 +0000 Subject: upstream commit adapt to recent hostfile.c change: when parsing known_hosts without fully parsing the keys therein, hostkeys_foreach() will now correctly identify KEY_RSA1 keys; ok markus@ miod@ --- regress/unittests/hostkeys/test_iterate.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'regress') diff --git a/regress/unittests/hostkeys/test_iterate.c b/regress/unittests/hostkeys/test_iterate.c index d81291b68..2eaaf063a 100644 --- a/regress/unittests/hostkeys/test_iterate.c +++ b/regress/unittests/hostkeys/test_iterate.c @@ -1,4 +1,4 @@ -/* $OpenBSD: test_iterate.c,v 1.3 2015/03/07 04:41:48 djm Exp $ */ +/* $OpenBSD: test_iterate.c,v 1.4 2015/03/31 22:59:01 djm Exp $ */ /* * Regress test for hostfile.h hostkeys_foreach() * @@ -91,8 +91,8 @@ check(struct hostkey_foreach_line *l, void *_ctx) expected->l.keytype : expected->no_parse_keytype; #ifndef WITH_SSH1 - if (expected->l.keytype == KEY_RSA1 || - expected->no_parse_keytype == KEY_RSA1) { + if (parse_key && (expected->l.keytype == KEY_RSA1 || + expected->no_parse_keytype == KEY_RSA1)) { expected_status = HKF_STATUS_INVALID; expected_keytype = KEY_UNSPEC; parse_key = 0; -- cgit v1.2.3 From d9b9b43656091cf0ad55c122f08fadb07dad0abd Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 7 Apr 2015 09:10:00 +1000 Subject: Fix misspellings of regress CONFOPTS env variables. Patch from Bryan Drewery. --- regress/README.regress | 2 +- regress/test-exec.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'regress') diff --git a/regress/README.regress b/regress/README.regress index 82e4cc751..9b99bdacb 100644 --- a/regress/README.regress +++ b/regress/README.regress @@ -31,7 +31,7 @@ TEST_SHELL: shell used for running the test scripts. TEST_SSH_PORT: TCP port to be used for the listening tests. TEST_SSH_SSH_CONFOPTS: Configuration directives to be added to ssh_config before running each test. -TEST_SSH_SSHD_CONFOTPS: Configuration directives to be added to sshd_config +TEST_SSH_SSHD_CONFOPTS: Configuration directives to be added to sshd_config before running each test. diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 0f766620d..114e129f2 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -444,7 +444,7 @@ Host * EOF if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then - trace "adding ssh_config option $TEST_SSH_SSHD_CONFOPTS" + trace "adding ssh_config option $TEST_SSH_SSH_CONFOPTS" echo "$TEST_SSH_SSH_CONFOPTS" >> $OBJ/ssh_config fi -- cgit v1.2.3 From 673a1c16ad078d41558247ce739fe812c960acc8 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 16 Apr 2015 11:40:20 +1000 Subject: remove dependency on arpa/telnet.h --- regress/netcat.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'regress') diff --git a/regress/netcat.c b/regress/netcat.c index 1a9fc8730..6234ba019 100644 --- a/regress/netcat.c +++ b/regress/netcat.c @@ -42,7 +42,6 @@ #include #include #include -#include #include #include @@ -63,6 +62,13 @@ # endif #endif +/* Telnet options from arpa/telnet.h */ +#define IAC 255 +#define DONT 254 +#define DO 253 +#define WONT 252 +#define WILL 251 + #ifndef SUN_LEN #define SUN_LEN(su) \ (sizeof(*(su)) - sizeof((su)->sun_path) + strlen((su)->sun_path)) -- cgit v1.2.3 From 38b8272f823dc1dd4e29dbcee83943ed48bb12fa Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Mon, 4 May 2015 01:47:53 +0000 Subject: upstream commit Use diff w/out -u for better portability --- regress/cfgparse.sh | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 regress/cfgparse.sh (limited to 'regress') diff --git a/regress/cfgparse.sh b/regress/cfgparse.sh new file mode 100644 index 000000000..95bd9a8a4 --- /dev/null +++ b/regress/cfgparse.sh @@ -0,0 +1,60 @@ +# $OpenBSD: cfgparse.sh,v 1.4 2015/05/04 01:51:39 dtucker Exp $ +# Placed in the Public Domain. + +tid="config parse" + +# We need to use the keys generated for the regression test because sshd -T +# will fail if we're not running with SUDO (no permissions for real keys) or +# if we are # running tests on a system that has never had sshd installed +# (keys won't exist). + +grep "HostKey " $OBJ/sshd_config > $OBJ/sshd_config_minimal +SSHD_KEYS="`cat $OBJ/sshd_config_minimal`" + +verbose "reparse minimal config" +($SUDO ${SSHD} -T -f $OBJ/sshd_config_minimal >$OBJ/sshd_config.1 && + $SUDO ${SSHD} -T -f $OBJ/sshd_config.1 >$OBJ/sshd_config.2 && + diff $OBJ/sshd_config.1 $OBJ/sshd_config.2) || fail "reparse minimal config" + +verbose "reparse regress config" +($SUDO ${SSHD} -T -f $OBJ/sshd_config >$OBJ/sshd_config.1 && + $SUDO ${SSHD} -T -f $OBJ/sshd_config.1 >$OBJ/sshd_config.2 && + diff $OBJ/sshd_config.1 $OBJ/sshd_config.2) || fail "reparse regress config" + +verbose "listenaddress order" +# expected output +cat > $OBJ/sshd_config.0 < $OBJ/sshd_config.1 <$OBJ/sshd_config.2 && + diff $OBJ/sshd_config.0 $OBJ/sshd_config.2) || \ + fail "listenaddress order 1" +# test 2: listenaddress first +cat > $OBJ/sshd_config.1 <$OBJ/sshd_config.2 && + diff $OBJ/sshd_config.0 $OBJ/sshd_config.2) || \ + fail "listenaddress order 2" + +# cleanup +rm -f $OBJ/sshd_config.[012] -- cgit v1.2.3 From 8377d5008ad260048192e1e56ad7d15a56d103dd Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 8 May 2015 07:26:13 +0000 Subject: upstream commit whitespace at EOL Upstream-Regress-ID: 9c48911643d5b05173b36a012041bed4080b8554 --- regress/ssh2putty.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'regress') diff --git a/regress/ssh2putty.sh b/regress/ssh2putty.sh index 691db1690..bcf83afe9 100755 --- a/regress/ssh2putty.sh +++ b/regress/ssh2putty.sh @@ -1,5 +1,5 @@ #!/bin/sh -# $OpenBSD: ssh2putty.sh,v 1.2 2009/10/06 23:51:49 dtucker Exp $ +# $OpenBSD: ssh2putty.sh,v 1.3 2015/05/08 07:26:13 djm Exp $ if test "x$1" = "x" -o "x$2" = "x" -o "x$3" = "x" ; then echo "Usage: ssh2putty hostname port ssh-private-key" @@ -19,13 +19,13 @@ else fi public_exponent=` - openssl rsa -noout -text -in $KEYFILE | grep ^publicExponent | + openssl rsa -noout -text -in $KEYFILE | grep ^publicExponent | sed 's/.*(//;s/).*//' ` test $? -ne 0 && exit 1 modulus=` - openssl rsa -noout -modulus -in $KEYFILE | grep ^Modulus= | + openssl rsa -noout -modulus -in $KEYFILE | grep ^Modulus= | sed 's/^Modulus=/0x/' | tr A-Z a-z ` test $? -ne 0 && exit 1 -- cgit v1.2.3 From 5ab283d0016bbc9d4d71e8e5284d011bc5a930cf Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 8 May 2015 07:29:00 +0000 Subject: upstream commit whitespace Upstream-Regress-ID: 6b708a3e709d5b7fd37890f874bafdff1f597519 --- regress/ssh-com.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'regress') diff --git a/regress/ssh-com.sh b/regress/ssh-com.sh index 6c5cfe888..4371d5279 100644 --- a/regress/ssh-com.sh +++ b/regress/ssh-com.sh @@ -1,4 +1,4 @@ -# $OpenBSD: ssh-com.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $ +# $OpenBSD: ssh-com.sh,v 1.9 2015/05/08 07:29:00 djm Exp $ # Placed in the Public Domain. tid="connect to ssh.com server" @@ -44,14 +44,14 @@ cat << EOF > $OBJ/sshd2_config HostKeyFile ${SRC}/dsa_ssh2.prv PublicHostKeyFile ${SRC}/dsa_ssh2.pub RandomSeedFile ${OBJ}/random_seed - MaxConnections 0 + MaxConnections 0 PermitRootLogin yes VerboseMode no CheckMail no Ssh1Compatibility no EOF -# create client config +# create client config sed "s/HostKeyAlias.*/HostKeyAlias ssh2-localhost-with-alias/" \ < $OBJ/ssh_config > $OBJ/ssh_config_com -- cgit v1.2.3 From 368f83c793275faa2c52f60eaa9bdac155c4254b Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 22 Apr 2015 01:38:36 +0000 Subject: upstream commit use correct key for nested certificate test --- regress/unittests/sshkey/test_sshkey.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'regress') diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c index ad10c9be2..4453a8599 100644 --- a/regress/unittests/sshkey/test_sshkey.c +++ b/regress/unittests/sshkey/test_sshkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: test_sshkey.c,v 1.3 2015/01/26 06:11:28 djm Exp $ */ +/* $OpenBSD: test_sshkey.c,v 1.4 2015/04/22 01:38:36 djm Exp $ */ /* * Regress test for sshkey.h key management API * @@ -505,7 +505,7 @@ sshkey_tests(void) ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1"), &k1), 0); ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2, NULL), 0); - k3 = get_private("ed25519_2"); + k3 = get_private("rsa_1"); build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1); ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(b), sshbuf_len(b), &k4), SSH_ERR_KEY_CERT_INVALID_SIGN_KEY); -- cgit v1.2.3 From 0ef1de742be2ee4b10381193fe90730925b7f027 Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Thu, 23 Apr 2015 05:01:19 +0000 Subject: upstream commit Add a simple regression test for sshd's configuration parser. Right now, all it does is run the output of sshd -T back through itself and ensure the output is valid and invariant. --- regress/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'regress') diff --git a/regress/Makefile b/regress/Makefile index 252fb2eeb..68df9b391 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.79 2015/03/16 22:46:14 djm Exp $ +# $OpenBSD: Makefile,v 1.80 2015/04/23 05:01:19 dtucker Exp $ REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec tests: prep $(REGRESS_TARGETS) @@ -54,6 +54,7 @@ LTESTS= connect \ multiplex \ reexec \ brokenkeys \ + cfgparse \ cfgmatch \ addrmatch \ localcommand \ -- cgit v1.2.3 From 84452c5d03c21f9bfb28c234e0dc1dc67dd817b1 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 21 May 2015 06:40:02 +0000 Subject: upstream commit regress test for AuthorizedKeysCommand arguments Upstream-Regress-ID: bbd65c13c6b3be9a442ec115800bff9625898f12 --- regress/keys-command.sh | 59 ++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 48 insertions(+), 11 deletions(-) (limited to 'regress') diff --git a/regress/keys-command.sh b/regress/keys-command.sh index b595a434f..700273b66 100644 --- a/regress/keys-command.sh +++ b/regress/keys-command.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keys-command.sh,v 1.2 2012/12/06 06:06:54 dtucker Exp $ +# $OpenBSD: keys-command.sh,v 1.3 2015/05/21 06:40:02 djm Exp $ # Placed in the Public Domain. tid="authorized keys from command" @@ -9,26 +9,63 @@ if test -z "$SUDO" ; then exit 0 fi +rm -f $OBJ/keys-command-args + +touch $OBJ/keys-command-args +chmod a+rw $OBJ/keys-command-args + +expected_key_text=`awk '{ print $2 }' < $OBJ/rsa.pub` +expected_key_fp=`$SSHKEYGEN -lf $OBJ/rsa.pub | awk '{ print $2 }'` + # Establish a AuthorizedKeysCommand in /var/run where it will have # acceptable directory permissions. KEY_COMMAND="/var/run/keycommand_${LOGNAME}" -cat << _EOF | $SUDO sh -c "cat > '$KEY_COMMAND'" +cat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'" #!/bin/sh +echo args: "\$@" >> $OBJ/keys-command-args +echo "$PATH" | grep -q mekmitasdigoat && exit 7 test "x\$1" != "x${LOGNAME}" && exit 1 +if test $# -eq 6 ; then + test "x\$2" != "xblah" && exit 2 + test "x\$3" != "x${expected_key_text}" && exit 3 + test "x\$4" != "xssh-rsa" && exit 4 + test "x\$5" != "x${expected_key_fp}" && exit 5 + test "x\$6" != "xblah" && exit 6 +fi exec cat "$OBJ/authorized_keys_${LOGNAME}" _EOF $SUDO chmod 0755 "$KEY_COMMAND" -cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak -( - grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak - echo AuthorizedKeysFile none - echo AuthorizedKeysCommand $KEY_COMMAND - echo AuthorizedKeysCommandUser ${LOGNAME} -) > $OBJ/sshd_proxy - if [ -x $KEY_COMMAND ]; then - ${SSH} -F $OBJ/ssh_proxy somehost true + cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak + + verbose "AuthorizedKeysCommand with arguments" + ( + grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak + echo AuthorizedKeysFile none + echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah + echo AuthorizedKeysCommandUser ${LOGNAME} + ) > $OBJ/sshd_proxy + + # Ensure that $PATH is sanitised in sshd + env PATH=$PATH:/sbin/mekmitasdigoat \ + ${SSH} -F $OBJ/ssh_proxy somehost true + if [ $? -ne 0 ]; then + fail "connect failed" + fi + + verbose "AuthorizedKeysCommand without arguments" + # Check legacy behavior of no-args resulting in username being passed. + ( + grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak + echo AuthorizedKeysFile none + echo AuthorizedKeysCommand $KEY_COMMAND + echo AuthorizedKeysCommandUser ${LOGNAME} + ) > $OBJ/sshd_proxy + + # Ensure that $PATH is sanitised in sshd + env PATH=$PATH:/sbin/mekmitasdigoat \ + ${SSH} -F $OBJ/ssh_proxy somehost true if [ $? -ne 0 ]; then fail "connect failed" fi -- cgit v1.2.3 From 13640798c7dd011ece0a7d02841fe48e94cfa0e0 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 21 May 2015 06:44:25 +0000 Subject: upstream commit regress test for AuthorizedPrincipalsCommand Upstream-Regress-ID: c658fbf1ab6b6011dc83b73402322e396f1e1219 --- regress/Makefile | 5 +- regress/principals-command.sh | 139 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 142 insertions(+), 2 deletions(-) create mode 100644 regress/principals-command.sh (limited to 'regress') diff --git a/regress/Makefile b/regress/Makefile index 68df9b391..0ea179579 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.80 2015/04/23 05:01:19 dtucker Exp $ +# $OpenBSD: Makefile,v 1.81 2015/05/21 06:44:25 djm Exp $ REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec tests: prep $(REGRESS_TARGETS) @@ -73,7 +73,8 @@ LTESTS= connect \ limit-keytype \ hostkey-agent \ keygen-knownhosts \ - hostkey-rotate + hostkey-rotate \ + principals-command # dhgex \ diff --git a/regress/principals-command.sh b/regress/principals-command.sh new file mode 100644 index 000000000..c3816e081 --- /dev/null +++ b/regress/principals-command.sh @@ -0,0 +1,139 @@ +# $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $ +# Placed in the Public Domain. + +tid="authorized principals command" + +rm -f $OBJ/user_ca_key* $OBJ/cert_user_key* +cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak + +if [ -z "$SUDO" ]; then + fatal "need SUDO to create file in /var/run, test won't work without" +fi + +# Establish a AuthorizedPrincipalsCommand in /var/run where it will have +# acceptable directory permissions. +PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}" +cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" +#!/bin/sh +test "x\$1" != "x${LOGNAME}" && exit 1 +test -f "$OBJ/authorized_principals_${LOGNAME}" && + exec cat "$OBJ/authorized_principals_${LOGNAME}" +_EOF +test $? -eq 0 || fatal "couldn't prepare principals command" +$SUDO chmod 0755 "$PRINCIPALS_COMMAND" + +# Create a CA key and a user certificate. +${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ + fatal "ssh-keygen of user_ca_key failed" +${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \ + fatal "ssh-keygen of cert_user_key failed" +${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ + -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ + fatal "couldn't sign cert_user_key" + +# Test explicitly-specified principals +for privsep in yes no ; do + _prefix="privsep $privsep" + + # Setup for AuthorizedPrincipalsCommand + rm -f $OBJ/authorized_keys_$USER + ( + cat $OBJ/sshd_proxy_bak + echo "UsePrivilegeSeparation $privsep" + echo "AuthorizedKeysFile none" + echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u" + echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" + echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" + ) > $OBJ/sshd_proxy + + # XXX test missing command + # XXX test failing command + + # Empty authorized_principals + verbose "$tid: ${_prefix} empty authorized_principals" + echo > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Wrong authorized_principals + verbose "$tid: ${_prefix} wrong authorized_principals" + echo gregorsamsa > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Correct authorized_principals + verbose "$tid: ${_prefix} correct authorized_principals" + echo mekmitasdigoat > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + + # authorized_principals with bad key option + verbose "$tid: ${_prefix} authorized_principals bad key opt" + echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # authorized_principals with command=false + verbose "$tid: ${_prefix} authorized_principals command=false" + echo 'command="false" mekmitasdigoat' > \ + $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + + # authorized_principals with command=true + verbose "$tid: ${_prefix} authorized_principals command=true" + echo 'command="true" mekmitasdigoat' > \ + $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + + # Setup for principals= key option + rm -f $OBJ/authorized_principals_$USER + ( + cat $OBJ/sshd_proxy_bak + echo "UsePrivilegeSeparation $privsep" + ) > $OBJ/sshd_proxy + + # Wrong principals list + verbose "$tid: ${_prefix} wrong principals key option" + ( + printf 'cert-authority,principals="gregorsamsa" ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Correct principals list + verbose "$tid: ${_prefix} correct principals key option" + ( + printf 'cert-authority,principals="mekmitasdigoat" ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi +done -- cgit v1.2.3 From db438f9285d64282d3ac9e8c0944f59f037c0151 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 29 May 2015 03:05:13 +0000 Subject: upstream commit make this work without SUDO set; ok dtucker@ Upstream-Regress-ID: bca88217b70bce2fe52b23b8e06bdeb82d98c715 --- regress/cfgparse.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'regress') diff --git a/regress/cfgparse.sh b/regress/cfgparse.sh index 95bd9a8a4..7f377d887 100644 --- a/regress/cfgparse.sh +++ b/regress/cfgparse.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cfgparse.sh,v 1.4 2015/05/04 01:51:39 dtucker Exp $ +# $OpenBSD: cfgparse.sh,v 1.5 2015/05/29 03:05:13 djm Exp $ # Placed in the Public Domain. tid="config parse" @@ -45,6 +45,7 @@ EOD fail "listenaddress order 1" # test 2: listenaddress first cat > $OBJ/sshd_config.1 < Date: Fri, 29 May 2015 18:27:21 +1000 Subject: skip, rather than fatal when run without SUDO set --- regress/principals-command.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'regress') diff --git a/regress/principals-command.sh b/regress/principals-command.sh index c3816e081..90064373d 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh @@ -6,8 +6,10 @@ tid="authorized principals command" rm -f $OBJ/user_ca_key* $OBJ/cert_user_key* cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak -if [ -z "$SUDO" ]; then - fatal "need SUDO to create file in /var/run, test won't work without" +if test -z "$SUDO" ; then + echo "skipped (SUDO not set)" + echo "need SUDO to create file in /var/run, test won't work without" + exit 0 fi # Establish a AuthorizedPrincipalsCommand in /var/run where it will have -- cgit v1.2.3 From a170f22baf18af0b1acf2788b8b715605f41a1f9 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Tue, 9 Jun 2015 22:41:13 -0700 Subject: Fix t12 rules for out of tree builds. --- regress/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'regress') diff --git a/regress/Makefile b/regress/Makefile index 0ea179579..cba83f4d6 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -182,10 +182,10 @@ t11: ${TEST_SSH_SSHKEYGEN} -E sha256 -lf ${.CURDIR}/rsa_openssh.pub |\ awk '{print $$2}' | diff - ${.CURDIR}/t11.ok -t12.out: - ${TEST_SSH_SSHKEYGEN} -q -t ed25519 -N '' -C 'test-comment-1234' -f $(OBJ)/$@ +$(OBJ)/t12.out: + ${TEST_SSH_SSHKEYGEN} -q -t ed25519 -N '' -C 'test-comment-1234' -f $@ -t12: t12.out +t12: $(OBJ)/t12.out ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t12.out.pub | grep test-comment-1234 >/dev/null t-exec: ${LTESTS:=.sh} -- cgit v1.2.3 From 52fb6b9b034fcfd24bf88cc7be313e9c31de9889 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 30 Jun 2015 16:05:40 +1000 Subject: skip IPv6-related portions on hosts without IPv6 with Tim Rice --- regress/cfgparse.sh | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'regress') diff --git a/regress/cfgparse.sh b/regress/cfgparse.sh index 7f377d887..736f38976 100644 --- a/regress/cfgparse.sh +++ b/regress/cfgparse.sh @@ -3,6 +3,11 @@ tid="config parse" +# This is a reasonable proxy for IPv6 support. +if ! config_defined HAVE_STRUCT_IN6_ADDR ; then + SKIP_IPV6=yes +fi + # We need to use the keys generated for the regression test because sshd -T # will fail if we're not running with SUDO (no permissions for real keys) or # if we are # running tests on a system that has never had sshd installed @@ -26,9 +31,12 @@ verbose "listenaddress order" cat > $OBJ/sshd_config.0 <> $OBJ/sshd_config.0 < $OBJ/sshd_config.1 <> $OBJ/sshd_config.1 <$OBJ/sshd_config.2 && diff $OBJ/sshd_config.0 $OBJ/sshd_config.2) || \ @@ -47,11 +58,14 @@ EOD cat > $OBJ/sshd_config.1 <> $OBJ/sshd_config.1 <$OBJ/sshd_config.2 && diff $OBJ/sshd_config.0 $OBJ/sshd_config.2) || \ -- cgit v1.2.3