test AuthenticationMethods inside a Match block as well as in
authordjm <djm@openbsd.org>
Mon, 7 Jun 2021 01:16:34 +0000 (01:16 +0000)
committerdjm <djm@openbsd.org>
Mon, 7 Jun 2021 01:16:34 +0000 (01:16 +0000)
the main config section

regress/usr.bin/ssh/multipubkey.sh

index 9b22733..8cdda1a 100644 (file)
@@ -1,4 +1,4 @@
-#      $OpenBSD: multipubkey.sh,v 1.3 2019/12/11 18:47:14 djm Exp $
+#      $OpenBSD: multipubkey.sh,v 1.4 2021/06/07 01:16:34 djm Exp $
 #      Placed in the Public Domain.
 
 tid="multiple pubkey"
@@ -31,27 +31,35 @@ grep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy
 opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
 opts="$opts -i $OBJ/cert_user_key1 -i $OBJ/user_key1 -i $OBJ/user_key2"
 
-for privsep in yes ; do
+for match in no yes ; do
        (
-               grep -v "Protocol"  $OBJ/sshd_proxy.orig
+               cat  $OBJ/sshd_proxy.orig
                echo "Protocol 2"
-               echo "UsePrivilegeSeparation $privsep"
-               echo "AuthenticationMethods publickey,publickey"
                echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
                echo "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
        ) > $OBJ/sshd_proxy
+       if test "$match" = "yes" ; then
+               echo "AuthenticationMethods none" >> $OBJ/sshd_proxy
+               echo "PubkeyAuthentication no" >> $OBJ/sshd_proxy
+               echo "Match all" >> $OBJ/sshd_proxy
+               echo "PubkeyAuthentication yes" >> $OBJ/sshd_proxy
+       fi
+       echo "AuthenticationMethods publickey,publickey" >> $OBJ/sshd_proxy
 
        # Single key should fail.
+       trace "match $match single key"
        rm -f $OBJ/authorized_principals_$USER
        cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER
        ${SSH} $opts proxy true && fail "ssh succeeded with key"
 
        # Single key with same-public cert should fail.
+       trace "match $match pubkey + identical cert"
        echo mekmitasdigoat > $OBJ/authorized_principals_$USER
        cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER
        ${SSH} $opts proxy true && fail "ssh succeeded with key+cert"
 
        # Multiple plain keys should succeed.
+       trace "match $match multiple public"
        rm -f $OBJ/authorized_principals_$USER
        cat $OBJ/user_key1.pub $OBJ/user_key2.pub > \
            $OBJ/authorized_keys_$USER
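Review bot: The positional trick in the match=yes branch is undocumented: `Match all` takes effect until end of file, so the final `echo "AuthenticationMethods publickey,publickey"` lands inside the Match block and is what overrides the `AuthenticationMethods none` / `PubkeyAuthentication no` written to the main section; a reader who later appends another directive after that line will silently put it inside the Match block too. I would add, directly above the last `echo`, `# "Match all" extends to EOF, so for match=yes this AuthenticationMethods line lands inside the Match block and must override the "none" set in the main section above.` The switch from `grep -v "Protocol"` to plain `cat` also stops stripping any Protocol line from sshd_proxy.orig while `Protocol 2` is still appended; presumably this relies on sshd ignoring the deprecated keyword, which is worth a word in the commit or a comment if so. The enclosing `for match` loop closes outside this hunk.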
@@ -59,6 +67,7 @@ for privsep in yes ; do
        # Cert and different key should succeed
 
        # Key and different-public cert should succeed.
+       trace "match $match pubkey + different cert"
        echo mekmitasdigoat > $OBJ/authorized_principals_$USER
        cat $OBJ/user_key2.pub > $OBJ/authorized_keys_$USER
        ${SSH} $opts proxy true || fail "ssh failed with key/cert"