-# $OpenBSD: cert-hostkey.sh,v 1.25 2021/06/08 22:30:27 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.26 2021/09/30 05:20:08 dtucker Exp $
# Placed in the Public Domain.
tid="certified host keys"
}
# Basic connect and revocation tests.
-for privsep in yes ; do
for ktype in $PLAIN_TYPES ; do
- verbose "$tid: host ${ktype} cert connect privsep $privsep"
+ verbose "$tid: host ${ktype} cert connect"
(
cat $OBJ/sshd_proxy_bak
echo HostKey $OBJ/cert_host_key_${ktype}
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
- echo UsePrivilegeSeparation $privsep
) > $OBJ/sshd_proxy
# test name expect success
attempt_connect "$ktype CA plaintext revocation" "no" \
-oRevokedHostKeys=$OBJ/host_revoked_ca
done
-done
# Revoked certificates with key present
kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
done
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for privsep in yes ; do
for ktype in $PLAIN_TYPES ; do
- verbose "$tid: host ${ktype} revoked cert privsep $privsep"
+ verbose "$tid: host ${ktype} revoked cert"
(
cat $OBJ/sshd_proxy_bak
echo HostKey $OBJ/cert_host_key_${ktype}
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
- echo UsePrivilegeSeparation $privsep
) > $OBJ/sshd_proxy
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
fail "ssh cert connect succeeded unexpectedly"
fi
done
-done
# Revoked CA
kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
-# $OpenBSD: cert-userkey.sh,v 1.26 2021/02/25 03:27:34 djm Exp $
+# $OpenBSD: cert-userkey.sh,v 1.27 2021/09/30 05:20:08 dtucker Exp $
# Placed in the Public Domain.
tid="certified user keys"
# Test explicitly-specified principals
for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
t=$(kname $ktype)
- for privsep in yes ; do
- _prefix="${ktype} privsep $privsep"
+ _prefix="${ktype}"
# Setup for AuthorizedPrincipalsFile
rm -f $OBJ/authorized_keys_$USER
(
cat $OBJ/sshd_proxy_bak
- echo "UsePrivilegeSeparation $privsep"
echo "AuthorizedPrincipalsFile " \
"$OBJ/authorized_principals_%u"
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
rm -f $OBJ/authorized_principals_$USER
(
cat $OBJ/sshd_proxy_bak
- echo "UsePrivilegeSeparation $privsep"
echo "PubkeyAcceptedAlgorithms ${t}"
) > $OBJ/sshd_proxy
(
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
fi
- done
done
basic_tests() {
for ktype in $PLAIN_TYPES ; do
t=$(kname $ktype)
- for privsep in yes ; do
- _prefix="${ktype} privsep $privsep $auth"
+ _prefix="${ktype} $auth"
# Simple connect
verbose "$tid: ${_prefix} connect"
(
cat $OBJ/sshd_proxy_bak
- echo "UsePrivilegeSeparation $privsep"
echo "PubkeyAcceptedAlgorithms ${t}"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
verbose "$tid: ${_prefix} revoked key"
(
cat $OBJ/sshd_proxy_bak
- echo "UsePrivilegeSeparation $privsep"
echo "RevokedKeys $OBJ/cert_user_key_revoked"
echo "PubkeyAcceptedAlgorithms ${t}"
echo "$extra_sshd"
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpecedly"
fi
- done
verbose "$tid: $auth CA does not authenticate"
(
-# $OpenBSD: hostkey-agent.sh,v 1.12 2021/09/29 01:32:21 djm Exp $
+# $OpenBSD: hostkey-agent.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $
# Placed in the Public Domain.
tid="hostkey agent"
fail "keytype $k failed"
fi
if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
- fail "bad SSH_CONNECTION key type $k privsep=$ps"
+ fail "bad SSH_CONNECTION key type $k"
fi
done
fail "cert type $k failed"
fi
if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
- fail "bad SSH_CONNECTION key type $k privsep=$ps"
+ fail "bad SSH_CONNECTION key type $k"
fi
done
-# $OpenBSD: login-timeout.sh,v 1.9 2017/08/07 00:53:51 dtucker Exp $
+# $OpenBSD: login-timeout.sh,v 1.10 2021/09/30 05:20:08 dtucker Exp $
# Placed in the Public Domain.
tid="connect after login grace timeout"
-trace "test login grace with privsep"
+trace "test login grace time"
cp $OBJ/sshd_config $OBJ/sshd_config.orig
grep -vi LoginGraceTime $OBJ/sshd_config.orig > $OBJ/sshd_config
echo "LoginGraceTime 10s" >> $OBJ/sshd_config
-# $OpenBSD: principals-command.sh,v 1.12 2021/09/30 04:22:50 dtucker Exp $
+# $OpenBSD: principals-command.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $
# Placed in the Public Domain.
tid="authorized principals command"
$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
# Test explicitly-specified principals
-for privsep in yes ; do
- _prefix="privsep $privsep"
-
# Setup for AuthorizedPrincipalsCommand
rm -f $OBJ/authorized_keys_$USER
(
cat $OBJ/sshd_proxy_bak
- echo "UsePrivilegeSeparation $privsep"
echo "AuthorizedKeysFile none"
echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
"%u %t %T %i %s %F %f %k %K"
# XXX test failing command
# Empty authorized_principals
- verbose "$tid: ${_prefix} empty authorized_principals"
+ verbose "$tid: empty authorized_principals"
echo > $OBJ/authorized_principals_$USER
${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
fi
# Wrong authorized_principals
- verbose "$tid: ${_prefix} wrong authorized_principals"
+ verbose "$tid: wrong authorized_principals"
echo gregorsamsa > $OBJ/authorized_principals_$USER
${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
fi
# Correct authorized_principals
- verbose "$tid: ${_prefix} correct authorized_principals"
+ verbose "$tid: correct authorized_principals"
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
fi
# authorized_principals with bad key option
- verbose "$tid: ${_prefix} authorized_principals bad key opt"
+ verbose "$tid: authorized_principals bad key opt"
echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
fi
# authorized_principals with command=false
- verbose "$tid: ${_prefix} authorized_principals command=false"
+ verbose "$tid: authorized_principals command=false"
echo 'command="false" mekmitasdigoat' > \
$OBJ/authorized_principals_$USER
${SSH} -i $OBJ/cert_user_key \
# authorized_principals with command=true
- verbose "$tid: ${_prefix} authorized_principals command=true"
+ verbose "$tid: authorized_principals command=true"
echo 'command="true" mekmitasdigoat' > \
$OBJ/authorized_principals_$USER
${SSH} -i $OBJ/cert_user_key \
fi
# Setup for principals= key option
+ # TODO: remove?
rm -f $OBJ/authorized_principals_$USER
(
cat $OBJ/sshd_proxy_bak
- echo "UsePrivilegeSeparation $privsep"
) > $OBJ/sshd_proxy
# Wrong principals list
- verbose "$tid: ${_prefix} wrong principals key option"
+ verbose "$tid: wrong principals key option"
(
printf 'cert-authority,principals="gregorsamsa" '
cat $OBJ/user_ca_key.pub
fi
# Correct principals list
- verbose "$tid: ${_prefix} correct principals key option"
+ verbose "$tid: correct principals key option"
(
printf 'cert-authority,principals="mekmitasdigoat" '
cat $OBJ/user_ca_key.pub
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
fi
-done
projects / openbsd / commitdiff