-# $OpenBSD: cert-hostkey.sh,v 1.10 2014/12/04 22:31:50 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $
# Placed in the Public Domain.
tid="certified host keys"
-rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/host_revoked_*
+rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_*
rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
printf '@cert-authority '
printf "$HOSTS "
cat $OBJ/host_ca_key.pub
-) > $OBJ/known_hosts-cert
+) > $OBJ/known_hosts-cert.orig
+cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
# Plain text revocation files
touch $OBJ/host_revoked_empty
_expect_success="$2"
shift; shift
verbose "$tid: $_ident expect success $_expect_success"
+ cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
"$@" -F $OBJ/ssh_proxy somehost true
test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
done
-) > $OBJ/known_hosts-cert
+) > $OBJ/known_hosts-cert.orig
+cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
for privsep in yes no ; do
for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
verbose "$tid: host ${ktype} revoked cert privsep $privsep"
echo UsePrivilegeSeparation $privsep
) > $OBJ/sshd_proxy
+ cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
printf '@revoked '
printf "* "
cat $OBJ/host_ca_key.pub
-) > $OBJ/known_hosts-cert
+) > $OBJ/known_hosts-cert.orig
+cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
verbose "$tid: host ${ktype} revoked cert"
(
echo HostKey $OBJ/cert_host_key_${ktype}
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
) > $OBJ/sshd_proxy
+ cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
printf '@cert-authority '
printf "$HOSTS "
cat $OBJ/host_ca_key.pub
-) > $OBJ/known_hosts-cert
+) > $OBJ/known_hosts-cert.orig
+cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
test_one() {
ident=$1
echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
) > $OBJ/sshd_proxy
+ cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
printf '@cert-authority '
printf "$HOSTS "
cat $OBJ/host_ca_key.pub
-) > $OBJ/known_hosts-cert
+) > $OBJ/known_hosts-cert.orig
+cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
for v in v01 v00 ; do
for kt in $PLAIN_TYPES ; do
type_has_legacy $kt || continue
echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
) > $OBJ/sshd_proxy
+ cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
done
done
-rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
+rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*
-# $OpenBSD: hostkey-agent.sh,v 1.1 2015/01/17 18:54:30 djm Exp $
+# $OpenBSD: hostkey-agent.sh,v 1.2 2015/01/19 06:01:32 djm Exp $
# Placed in the Public Domain.
tid="hostkey agent"
-# Need full names here since they are used in HostKeyAlgorithms
-HOSTKEY_TYPES="ecdsa-sha2-nistp256 ssh-ed25519 ssh-rsa ssh-dss"
-
-rm -f $OBJ/agent.* $OBJ/ssh_proxy.orig
+rm -f $OBJ/agent.* $OBJ/ssh_proxy.orig $OBJ/known_hosts.orig
trace "start agent"
eval `${SSHAGENT} -s` > /dev/null
grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig
-echo "LogLevel debug3" >> $OBJ/sshd_proxy.orig
-rm $OBJ/known_hosts
trace "load hostkeys"
-for k in $HOSTKEY_TYPES ; do
+for k in `${SSH} -Q key-plain` ; do
${SSHKEYGEN} -qt $k -f $OBJ/agent.$k -N '' || fatal "ssh-keygen $k"
(
echo -n 'localhost-with-alias,127.0.0.1,::1 '
cat $OBJ/agent.$k.pub
- ) >> $OBJ/known_hosts
+ ) >> $OBJ/known_hosts.orig
${SSHADD} $OBJ/agent.$k >/dev/null 2>&1 || \
fatal "couldn't load key $OBJ/agent.$k"
echo "Hostkey $OBJ/agent.${k}" >> sshd_proxy.orig
# Remove private key so the server can't use it.
rm $OBJ/agent.$k || fatal "couldn't rm $OBJ/agent.$k"
done
+cp $OBJ/known_hosts.orig $OBJ/known_hosts
unset SSH_AUTH_SOCK
for ps in no yes; do
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
- for k in $HOSTKEY_TYPES ; do
+ for k in `${SSH} -Q key-plain` ; do
verbose "key type $k privsep=$ps"
opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy"
+ cp $OBJ/known_hosts.orig $OBJ/known_hosts
SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
if [ $? -ne 0 ]; then
fail "protocol $p privsep=$ps failed"
projects / openbsd / commitdiff