diff options
Diffstat (limited to 'crypto/openssh/regress/cert-userkey.sh')
-rwxr-xr-x | crypto/openssh/regress/cert-userkey.sh | 64 |
1 files changed, 34 insertions, 30 deletions
diff --git a/crypto/openssh/regress/cert-userkey.sh b/crypto/openssh/regress/cert-userkey.sh index b093a91..c38c00a 100755 --- a/crypto/openssh/regress/cert-userkey.sh +++ b/crypto/openssh/regress/cert-userkey.sh @@ -1,18 +1,17 @@ -# $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $ +# $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $ # Placed in the Public Domain. tid="certified user keys" rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak +cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` -type_has_legacy() { - case $1 in - ed25519*|ecdsa*) return 1 ;; - esac - return 0 +kname() { + n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'` + echo "$n*,ssh-rsa*,ssh-ed25519*" } # Create a CA key @@ -28,18 +27,11 @@ for ktype in $PLAIN_TYPES ; do ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" - type_has_legacy $ktype || continue - cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 - cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub - verbose "$tid: sign host ${ktype}_v00 cert" - ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ - "regress user key for $USER" \ - -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || - fatal "couldn't sign cert_user_key_${ktype}_v00" done # Test explicitly-specified principals -for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do +for ktype in $PLAIN_TYPES ; do + t=$(kname $ktype) for privsep in yes no ; do _prefix="${ktype} privsep $privsep" @@ -51,7 +43,12 @@ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do echo "AuthorizedPrincipalsFile " \ "$OBJ/authorized_principals_%u" echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" + echo "PubkeyAcceptedKeyTypes ${t}" ) > $OBJ/sshd_proxy + ( + cat $OBJ/ssh_proxy_bak + echo "PubkeyAcceptedKeyTypes ${t}" + ) > $OBJ/ssh_proxy # Missing authorized_principals verbose "$tid: ${_prefix} missing authorized_principals" @@ -124,7 +121,12 @@ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do ( cat $OBJ/sshd_proxy_bak echo "UsePrivilegeSeparation $privsep" + echo "PubkeyAcceptedKeyTypes ${t}" ) > $OBJ/sshd_proxy + ( + cat $OBJ/ssh_proxy_bak + echo "PubkeyAcceptedKeyTypes ${t}" + ) > $OBJ/ssh_proxy # Wrong principals list verbose "$tid: ${_prefix} wrong principals key option" @@ -165,7 +167,8 @@ basic_tests() { extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" fi - for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do + for ktype in $PLAIN_TYPES ; do + t=$(kname $ktype) for privsep in yes no ; do _prefix="${ktype} privsep $privsep $auth" # Simple connect @@ -173,8 +176,13 @@ basic_tests() { ( cat $OBJ/sshd_proxy_bak echo "UsePrivilegeSeparation $privsep" + echo "PubkeyAcceptedKeyTypes ${t}" echo "$extra_sshd" ) > $OBJ/sshd_proxy + ( + cat $OBJ/ssh_proxy_bak + echo "PubkeyAcceptedKeyTypes ${t}" + ) > $OBJ/ssh_proxy ${SSH} -2i $OBJ/cert_user_key_${ktype} \ -F $OBJ/ssh_proxy somehost true @@ -188,6 +196,7 @@ basic_tests() { cat $OBJ/sshd_proxy_bak echo "UsePrivilegeSeparation $privsep" echo "RevokedKeys $OBJ/cert_user_key_revoked" + echo "PubkeyAcceptedKeyTypes ${t}" echo "$extra_sshd" ) > $OBJ/sshd_proxy cp $OBJ/cert_user_key_${ktype}.pub \ @@ -220,6 +229,7 @@ basic_tests() { ( cat $OBJ/sshd_proxy_bak echo "RevokedKeys $OBJ/user_ca_key.pub" + echo "PubkeyAcceptedKeyTypes ${t}" echo "$extra_sshd" ) > $OBJ/sshd_proxy ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ @@ -232,6 +242,7 @@ basic_tests() { verbose "$tid: $auth CA does not authenticate" ( cat $OBJ/sshd_proxy_bak + echo "PubkeyAcceptedKeyTypes ${t}" echo "$extra_sshd" ) > $OBJ/sshd_proxy verbose "$tid: ensure CA key does not authenticate user" @@ -257,12 +268,7 @@ test_one() { fi for auth in $auth_choice ; do - for ktype in rsa rsa_v00 ; do - case $ktype in - *_v00) keyv="-t v00" ;; - *) keyv="" ;; - esac - + for ktype in rsa ed25519 ; do cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy if test "x$auth" = "xauthorized_keys" ; then # Add CA to authorized_keys @@ -274,6 +280,8 @@ test_one() { echo > $OBJ/authorized_keys_$USER echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ >> $OBJ/sshd_proxy + echo "PubkeyAcceptedKeyTypes ${t}*" \ + >> $OBJ/sshd_proxy if test "x$auth_opt" != "x" ; then echo $auth_opt >> $OBJ/sshd_proxy fi @@ -282,8 +290,7 @@ test_one() { verbose "$tid: $ident auth $auth expect $result $ktype" ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ -I "regress user key for $USER" \ - $sign_opts $keyv \ - $OBJ/cert_user_key_${ktype} || + $sign_opts $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" ${SSH} -2i $OBJ/cert_user_key_${ktype} \ @@ -335,13 +342,10 @@ test_one "principals key option no principals" failure "" \ # Wrong certificate cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy -for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do - case $ktype in - *_v00) args="-t v00" ;; - *) args="" ;; - esac +for ktype in $PLAIN_TYPES ; do + t=$(kname $ktype) # Self-sign - ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \ + ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ "regress user key for $USER" \ -n $USER $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" |