summaryrefslogtreecommitdiffstats
path: root/crypto/openssh/regress/cert-userkey.sh
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/openssh/regress/cert-userkey.sh')
-rwxr-xr-xcrypto/openssh/regress/cert-userkey.sh64
1 files changed, 34 insertions, 30 deletions
diff --git a/crypto/openssh/regress/cert-userkey.sh b/crypto/openssh/regress/cert-userkey.sh
index b093a91..c38c00a 100755
--- a/crypto/openssh/regress/cert-userkey.sh
+++ b/crypto/openssh/regress/cert-userkey.sh
@@ -1,18 +1,17 @@
-# $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $
+# $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $
# Placed in the Public Domain.
tid="certified user keys"
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
-type_has_legacy() {
- case $1 in
- ed25519*|ecdsa*) return 1 ;;
- esac
- return 0
+kname() {
+ n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'`
+ echo "$n*,ssh-rsa*,ssh-ed25519*"
}
# Create a CA key
@@ -28,18 +27,11 @@ for ktype in $PLAIN_TYPES ; do
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}"
- type_has_legacy $ktype || continue
- cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
- cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
- verbose "$tid: sign host ${ktype}_v00 cert"
- ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
- "regress user key for $USER" \
- -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
- fatal "couldn't sign cert_user_key_${ktype}_v00"
done
# Test explicitly-specified principals
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
+for ktype in $PLAIN_TYPES ; do
+ t=$(kname $ktype)
for privsep in yes no ; do
_prefix="${ktype} privsep $privsep"
@@ -51,7 +43,12 @@ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
echo "AuthorizedPrincipalsFile " \
"$OBJ/authorized_principals_%u"
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+ echo "PubkeyAcceptedKeyTypes ${t}"
) > $OBJ/sshd_proxy
+ (
+ cat $OBJ/ssh_proxy_bak
+ echo "PubkeyAcceptedKeyTypes ${t}"
+ ) > $OBJ/ssh_proxy
# Missing authorized_principals
verbose "$tid: ${_prefix} missing authorized_principals"
@@ -124,7 +121,12 @@ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
(
cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep"
+ echo "PubkeyAcceptedKeyTypes ${t}"
) > $OBJ/sshd_proxy
+ (
+ cat $OBJ/ssh_proxy_bak
+ echo "PubkeyAcceptedKeyTypes ${t}"
+ ) > $OBJ/ssh_proxy
# Wrong principals list
verbose "$tid: ${_prefix} wrong principals key option"
@@ -165,7 +167,8 @@ basic_tests() {
extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
fi
- for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
+ for ktype in $PLAIN_TYPES ; do
+ t=$(kname $ktype)
for privsep in yes no ; do
_prefix="${ktype} privsep $privsep $auth"
# Simple connect
@@ -173,8 +176,13 @@ basic_tests() {
(
cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep"
+ echo "PubkeyAcceptedKeyTypes ${t}"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
+ (
+ cat $OBJ/ssh_proxy_bak
+ echo "PubkeyAcceptedKeyTypes ${t}"
+ ) > $OBJ/ssh_proxy
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true
@@ -188,6 +196,7 @@ basic_tests() {
cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep"
echo "RevokedKeys $OBJ/cert_user_key_revoked"
+ echo "PubkeyAcceptedKeyTypes ${t}"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
cp $OBJ/cert_user_key_${ktype}.pub \
@@ -220,6 +229,7 @@ basic_tests() {
(
cat $OBJ/sshd_proxy_bak
echo "RevokedKeys $OBJ/user_ca_key.pub"
+ echo "PubkeyAcceptedKeyTypes ${t}"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
@@ -232,6 +242,7 @@ basic_tests() {
verbose "$tid: $auth CA does not authenticate"
(
cat $OBJ/sshd_proxy_bak
+ echo "PubkeyAcceptedKeyTypes ${t}"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
verbose "$tid: ensure CA key does not authenticate user"
@@ -257,12 +268,7 @@ test_one() {
fi
for auth in $auth_choice ; do
- for ktype in rsa rsa_v00 ; do
- case $ktype in
- *_v00) keyv="-t v00" ;;
- *) keyv="" ;;
- esac
-
+ for ktype in rsa ed25519 ; do
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
if test "x$auth" = "xauthorized_keys" ; then
# Add CA to authorized_keys
@@ -274,6 +280,8 @@ test_one() {
echo > $OBJ/authorized_keys_$USER
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
>> $OBJ/sshd_proxy
+ echo "PubkeyAcceptedKeyTypes ${t}*" \
+ >> $OBJ/sshd_proxy
if test "x$auth_opt" != "x" ; then
echo $auth_opt >> $OBJ/sshd_proxy
fi
@@ -282,8 +290,7 @@ test_one() {
verbose "$tid: $ident auth $auth expect $result $ktype"
${SSHKEYGEN} -q -s $OBJ/user_ca_key \
-I "regress user key for $USER" \
- $sign_opts $keyv \
- $OBJ/cert_user_key_${ktype} ||
+ $sign_opts $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}"
${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -335,13 +342,10 @@ test_one "principals key option no principals" failure "" \
# Wrong certificate
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
- case $ktype in
- *_v00) args="-t v00" ;;
- *) args="" ;;
- esac
+for ktype in $PLAIN_TYPES ; do
+ t=$(kname $ktype)
# Self-sign
- ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
+ ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
"regress user key for $USER" \
-n $USER $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}"
OpenPOWER on IntegriCloud