From d31e7c937ba0b97534f373cf5dea34675bcec602 Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Fri, 26 Jul 2019 04:22:21 +0000 Subject: upstream: Restrict limit-keytype to types supported by build. This means we have to skip a couple tests when only one key type is supported. OpenBSD-Regress-ID: 22d05befb9c7ce21ce8dc22acf1ffe9e2ef2e95e --- regress/limit-keytype.sh | 56 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 40 insertions(+), 16 deletions(-) (limited to 'regress') diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh index 04f11977e..5c30af006 100644 --- a/regress/limit-keytype.sh +++ b/regress/limit-keytype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: limit-keytype.sh,v 1.5 2018/03/12 00:52:57 djm Exp $ +# $OpenBSD: limit-keytype.sh,v 1.6 2019/07/26 04:22:21 dtucker Exp $ # Placed in the Public Domain. tid="restrict pubkey type" @@ -9,18 +9,27 @@ rm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key* mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig +ktype1=ed25519; ktype2=$ktype1; ktype3=$ktype1; ktype4=$ktype1 +for t in `${SSH} -Q key-plain`; do + case "$t" in + ssh-rsa) ktype2=rsa ;; + ecdsa*) ktype3=ecdsa ;; # unused + ssh-dss) ktype4=dsa ;; + esac +done + # Create a CA key -${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key ||\ +${SSHKEYGEN} -q -N '' -t $ktype1 -f $OBJ/user_ca_key ||\ fatal "ssh-keygen failed" # Make some keys and a certificate. -${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \ +${SSHKEYGEN} -q -N '' -t $ktype1 -f $OBJ/user_key1 || \ fatal "ssh-keygen failed" -${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key2 || \ +${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/user_key2 || \ fatal "ssh-keygen failed" -${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key3 || \ +${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/user_key3 || \ fatal "ssh-keygen failed" -${SSHKEYGEN} -q -N '' -t dsa -f $OBJ/user_key4 || \ +${SSHKEYGEN} -q -N '' -t $ktype4 -f $OBJ/user_key4 || \ fatal "ssh-keygen failed" ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ -z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 || @@ -51,6 +60,17 @@ prepare_config() { ) > $OBJ/sshd_proxy } +# Return the required parameter for PubkeyAcceptedKeyTypes corresponding to +# the supplied key type. +keytype() { + case "$1" in + ecdsa) printf "ecdsa-sha2-*" ;; + ed25519) printf "ssh-ed25519" ;; + dsa) printf "ssh-dss" ;; + rsa) printf "rsa-sha2-256,rsa-sha2-512,ssh-rsa" ;; + esac +} + prepare_config # Check we can log in with all key types. @@ -59,19 +79,21 @@ ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" # Allow plain Ed25519 and RSA. The certificate should fail. -verbose "allow rsa,ed25519" +verbose "allow $ktype2,$ktype1" prepare_config \ - "PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-ed25519" + "PubkeyAcceptedKeyTypes `keytype $ktype2`,`keytype $ktype1`" ${SSH} $certopts proxy true && fatal "cert succeeded" ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" # Allow Ed25519 only. -verbose "allow ed25519" -prepare_config "PubkeyAcceptedKeyTypes ssh-ed25519" +verbose "allow $ktype1" +prepare_config "PubkeyAcceptedKeyTypes `keytype $ktype1`" ${SSH} $certopts proxy true && fatal "cert succeeded" ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" -${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded" +if [ "$ktype1" != "$ktype2" ]; then + ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded" +fi # Allow all certs. Plain keys should fail. verbose "allow cert only" @@ -82,16 +104,18 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded" # Allow RSA in main config, Ed25519 for non-existent user. verbose "match w/ no match" -prepare_config "PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa" \ - "Match user x$USER" "PubkeyAcceptedKeyTypes +ssh-ed25519" +prepare_config "PubkeyAcceptedKeyTypes `keytype $ktype2`" \ + "Match user x$USER" "PubkeyAcceptedKeyTypes +`keytype $ktype1`" ${SSH} $certopts proxy true && fatal "cert succeeded" -${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded" +if [ "$ktype1" != "$ktype2" ]; then + ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded" +fi ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" # Allow only DSA in main config, Ed25519 for user. verbose "match w/ matching" -prepare_config "PubkeyAcceptedKeyTypes ssh-dss" \ - "Match user $USER" "PubkeyAcceptedKeyTypes +ssh-ed25519" +prepare_config "PubkeyAcceptedKeyTypes `keytype $ktype4`" \ + "Match user $USER" "PubkeyAcceptedKeyTypes +`keytype $ktype1`" ${SSH} $certopts proxy true || fatal "cert failed" ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" ${SSH} $opts -i $OBJ/user_key4 proxy true && fatal "key4 succeeded" -- cgit v1.2.3