authorDamien Miller <djm@cvs.openbsd.org>2019-12-16 02:39:06 +0000
committerDamien Miller <djm@cvs.openbsd.org>2019-12-16 02:39:06 +0000
commitaa68a3b30cede5fa14c27134e04cd0f525c0ec49 (patch)
treec7b63d9f25527226c37e27905c6c3be35d1ce981
parent28ab07f8311fda81ee2cfb1a0f5ab4223de54a12 (diff)
test security key host keys in addition to user keys
-rw-r--r--regress/usr.bin/ssh/cert-hostkey.sh6
-rw-r--r--regress/usr.bin/ssh/hostkey-agent.sh6
-rw-r--r--regress/usr.bin/ssh/keygen-change.sh6
-rw-r--r--regress/usr.bin/ssh/keyscan.sh7
-rw-r--r--regress/usr.bin/ssh/keytype.sh8
-rw-r--r--regress/usr.bin/ssh/krl.sh4
-rw-r--r--regress/usr.bin/ssh/limit-keytype.sh4
-rw-r--r--regress/usr.bin/ssh/principals-command.sh4
-rw-r--r--regress/usr.bin/ssh/test-exec.sh12
9 files changed, 24 insertions, 33 deletions
diff --git a/regress/usr.bin/ssh/cert-hostkey.sh b/regress/usr.bin/ssh/cert-hostkey.sh
index 67a9795d00f..95d7c176a7b 100644
--- a/regress/usr.bin/ssh/cert-hostkey.sh
+++ b/regress/usr.bin/ssh/cert-hostkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-hostkey.sh,v 1.21 2019/12/11 18:47:14 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.22 2019/12/16 02:39:05 djm Exp $
# Placed in the Public Domain.
tid="certified host keys"
@@ -9,7 +9,7 @@ rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
# Allow all hostkey/pubkey types, prefer certs for the client
rsa=0
types=""
-for i in `$SSH -Q key | filter_sk`; do
+for i in `$SSH -Q key | maybe_filter_sk`; do
if [ -z "$types" ]; then
types="$i"
continue
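Review bot: The loop on the changed line keeps a direct `$SSH -Q key | maybe_filter_sk` query while the hunk further down switches PLAIN_TYPES to `$SSH_KEYTYPES`, and nothing in the file says why the two now differ. As I read it the difference is deliberate (`-Q key` also lists certificate algorithms, `key-plain` does not), but the next reader is likely to "harmonise" this loop onto SSH_KEYTYPES and quietly drop the certificate types from the HostKeyAlgorithms list being built. A comment on the loop line such as `# -Q key, not key-plain: certificate types are wanted in this list` would prevent that. The loop body continues outside the hunk.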
@@ -70,7 +70,7 @@ touch $OBJ/host_revoked_plain
touch $OBJ/host_revoked_cert
cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
-PLAIN_TYPES=`$SSH -Q key-plain | filter_sk | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
+PLAIN_TYPES=`echo "$SSH_KEYTYPES" | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
diff --git a/regress/usr.bin/ssh/hostkey-agent.sh b/regress/usr.bin/ssh/hostkey-agent.sh
index 7f490e013ab..d6736e24650 100644
--- a/regress/usr.bin/ssh/hostkey-agent.sh
+++ b/regress/usr.bin/ssh/hostkey-agent.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: hostkey-agent.sh,v 1.10 2019/12/11 18:47:14 djm Exp $
+# $OpenBSD: hostkey-agent.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
# Placed in the Public Domain.
tid="hostkey agent"
@@ -14,7 +14,7 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig
trace "load hostkeys"
-for k in `${SSH} -Q key-plain | filter_sk` ; do
+for k in $SSH_KEYTYPES ; do
${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
(
printf 'localhost-with-alias,127.0.0.1,::1 '
@@ -31,7 +31,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts
unset SSH_AUTH_SOCK
for ps in yes; do
- for k in `${SSH} -Q key-plain | filter_sk` ; do
+ for k in $SSH_KEYTYPES ; do
verbose "key type $k privsep=$ps"
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
diff --git a/regress/usr.bin/ssh/keygen-change.sh b/regress/usr.bin/ssh/keygen-change.sh
index dd1bfda80e6..3863e33b528 100644
--- a/regress/usr.bin/ssh/keygen-change.sh
+++ b/regress/usr.bin/ssh/keygen-change.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: keygen-change.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
+# $OpenBSD: keygen-change.sh,v 1.9 2019/12/16 02:39:05 djm Exp $
# Placed in the Public Domain.
tid="change passphrase for key"
@@ -6,9 +6,7 @@ tid="change passphrase for key"
S1="secret1"
S2="2secret"
-KEYTYPES=`${SSH} -Q key-plain | maybe_filter_sk`
-
-for t in $KEYTYPES; do
+for t in $SSH_KEYTYPES; do
trace "generating $t key"
rm -f $OBJ/$t-key
${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key
diff --git a/regress/usr.bin/ssh/keyscan.sh b/regress/usr.bin/ssh/keyscan.sh
index 0ce0c741098..b8593fede8f 100644
--- a/regress/usr.bin/ssh/keyscan.sh
+++ b/regress/usr.bin/ssh/keyscan.sh
@@ -1,10 +1,9 @@
-# $OpenBSD: keyscan.sh,v 1.11 2019/11/26 23:43:10 djm Exp $
+# $OpenBSD: keyscan.sh,v 1.12 2019/12/16 02:39:05 djm Exp $
# Placed in the Public Domain.
tid="keyscan"
-KEYTYPES=`${SSH} -Q key-plain | filter_sk`
-for i in $KEYTYPES; do
+for i in $SSH_KEYTYPES; do
if [ -z "$algs" ]; then
algs="$i"
else
@@ -15,7 +14,7 @@ echo "HostKeyAlgorithms $algs" >> $OBJ/sshd_config
start_sshd
-for t in $KEYTYPES; do
+for t in $SSH_KEYTYPES; do
trace "keyscan type $t"
${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \
> /dev/null 2>&1
diff --git a/regress/usr.bin/ssh/keytype.sh b/regress/usr.bin/ssh/keytype.sh
index 3fbcc964c69..d71f346265e 100644
--- a/regress/usr.bin/ssh/keytype.sh
+++ b/regress/usr.bin/ssh/keytype.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: keytype.sh,v 1.9 2019/11/26 23:43:10 djm Exp $
+# $OpenBSD: keytype.sh,v 1.10 2019/12/16 02:39:05 djm Exp $
# Placed in the Public Domain.
tid="login with different key types"
@@ -48,11 +48,7 @@ kname_to_ktype() {
tries="1 2 3"
for ut in $ktypes; do
user_type=`kname_to_ktype "$ut"`
- # SK keys are not supported for hostkeys.
- case "$ut" in
- *sk) htypes=ed25519-512;;
- *) htypes="$ut";;
- esac
+ htypes="$ut"
#htypes=$ktypes
for ht in $htypes; do
host_type=`kname_to_ktype "$ht"`
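Review bot: The replacement `htypes="$ut"` removes the comment that explained the host-key special case but leaves the stale `#htypes=$ktypes` line directly below it, so a reader no longer learns that sk host keys are now exercised, nor that this only works because `$ktypes` is already restricted when no SSH_SK_PROVIDER is configured (that filtering is done outside this hunk, presumably via maybe_filter_sk in test-exec.sh). Suggest dropping `#htypes=$ktypes` and replacing it with `# host key type mirrors the user key type; sk types are present only when a provider is configured`. The enclosing `for ut` loop starts and ends outside the hunk.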
diff --git a/regress/usr.bin/ssh/krl.sh b/regress/usr.bin/ssh/krl.sh
index 1efd80bfe94..c381225ed7c 100644
--- a/regress/usr.bin/ssh/krl.sh
+++ b/regress/usr.bin/ssh/krl.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: krl.sh,v 1.10 2019/11/26 23:43:10 djm Exp $
+# $OpenBSD: krl.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
# Placed in the Public Domain.
tid="key revocation lists"
@@ -7,7 +7,7 @@ tid="key revocation lists"
# w/out OpenSSL. Populate ktype[2-4] with the other types if supported.
ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
-for t in `${SSH} -Q key-plain | maybe_filter_sk`; do
+for t in $SSH_KEYTYPES; do
case "$t" in
ecdsa*) ktype2=ecdsa ;;
ssh-rsa) ktype3=rsa ;;
diff --git a/regress/usr.bin/ssh/limit-keytype.sh b/regress/usr.bin/ssh/limit-keytype.sh
index abac05c0c2f..010a88cd7f2 100644
--- a/regress/usr.bin/ssh/limit-keytype.sh
+++ b/regress/usr.bin/ssh/limit-keytype.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: limit-keytype.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
+# $OpenBSD: limit-keytype.sh,v 1.9 2019/12/16 02:39:05 djm Exp $
# Placed in the Public Domain.
tid="restrict pubkey type"
@@ -13,7 +13,7 @@ mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
-for t in `${SSH} -Q key-plain | maybe_filter_sk`; do
+for t in $SSH_KEYTYPES ; do
case "$t" in
ssh-rsa) ktype2=rsa ;;
ecdsa*) ktype3=ecdsa ;; # unused
diff --git a/regress/usr.bin/ssh/principals-command.sh b/regress/usr.bin/ssh/principals-command.sh
index b21376449af..8fad2718bf9 100644
--- a/regress/usr.bin/ssh/principals-command.sh
+++ b/regress/usr.bin/ssh/principals-command.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: principals-command.sh,v 1.10 2019/12/11 18:47:14 djm Exp $
+# $OpenBSD: principals-command.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
# Placed in the Public Domain.
tid="authorized principals command"
@@ -10,7 +10,7 @@ if [ -z "$SUDO" -a ! -w /var/run ]; then
fatal "need SUDO to create file in /var/run, test won't work without"
fi
-case "`${SSH} -Q key-plain`" in
+case "$SSH_KEYTYPES" in
*ssh-rsa*) userkeytype=rsa ;;
*) userkeytype=ed25519 ;;
esac
diff --git a/regress/usr.bin/ssh/test-exec.sh b/regress/usr.bin/ssh/test-exec.sh
index 30c1cace591..d8229b07ff6 100644
--- a/regress/usr.bin/ssh/test-exec.sh
+++ b/regress/usr.bin/ssh/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.68 2019/11/26 23:43:10 djm Exp $
+# $OpenBSD: test-exec.sh,v 1.69 2019/12/16 02:39:05 djm Exp $
# Placed in the Public Domain.
USER=`id -un`
@@ -330,23 +330,21 @@ export SSH_SK_PROVIDER
if ! test -z "$SSH_SK_PROVIDER"; then
EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)...
echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config
+ echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_config
+ echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_proxy
fi
export EXTRA_AGENT_ARGS
-filter_sk() {
- grep -v ^sk
-}
-
maybe_filter_sk() {
if test -z "$SSH_SK_PROVIDER" ; then
- filter_sk
+ grep -v ^sk
else
cat
fi
}
SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk`
-SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | filter_sk`
+SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk`
for t in ${SSH_KEYTYPES}; do
# generate user key
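Review bot: After the last change SSH_HOSTKEY_TYPES is computed with exactly the same pipeline as SSH_KEYTYPES two lines above, so ssh is queried twice for one value and a future edit to one of the filters can silently make the two sets diverge again; `SSH_HOSTKEY_TYPES="$SSH_KEYTYPES"` with a comment such as `# host keys use the same set: sk types appear only when SSH_SK_PROVIDER is set` states the intent directly. The inlined `grep -v ^sk` in maybe_filter_sk is unquoted; `grep -v '^sk'` is safer against a later pattern change. The two added SecurityKeyProvider echo lines mirror the existing ssh_config one, and a short comment saying that the server-side configs need the provider for sk host keys would make the trio self-explanatory. The `for t in ${SSH_KEYTYPES}` loop at the end of the hunk continues outside it.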