From: djm Date: Mon, 19 Jan 2015 06:01:32 +0000 (+0000) Subject: be a bit more careful in these tests to ensure that X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=f202ff7ee1dd52d0230341cde17a82dada39fc94;p=openbsd be a bit more careful in these tests to ensure that known_hosts is clean --- diff --git a/regress/usr.bin/ssh/cert-hostkey.sh b/regress/usr.bin/ssh/cert-hostkey.sh index baaa35b2ca5..51685dc2b54 100644 --- a/regress/usr.bin/ssh/cert-hostkey.sh +++ b/regress/usr.bin/ssh/cert-hostkey.sh @@ -1,9 +1,9 @@ -# $OpenBSD: cert-hostkey.sh,v 1.10 2014/12/04 22:31:50 djm Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $ # Placed in the Public Domain. tid="certified host keys" -rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/host_revoked_* +rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_* rm -f $OBJ/cert_host_key* $OBJ/host_krl_* cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak @@ -16,7 +16,8 @@ ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\ printf '@cert-authority ' printf "$HOSTS " cat $OBJ/host_ca_key.pub -) > $OBJ/known_hosts-cert +) > $OBJ/known_hosts-cert.orig +cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert # Plain text revocation files touch $OBJ/host_revoked_empty @@ -79,6 +80,7 @@ attempt_connect() { _expect_success="$2" shift; shift verbose "$tid: $_ident expect success $_expect_success" + cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ "$@" -F $OBJ/ssh_proxy somehost true @@ -135,7 +137,8 @@ done test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey" printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n" done -) > $OBJ/known_hosts-cert +) > $OBJ/known_hosts-cert.orig +cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert for privsep in yes no ; do for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do verbose "$tid: host ${ktype} revoked cert privsep $privsep" @@ -146,6 +149,7 @@ for privsep in yes no ; do echo UsePrivilegeSeparation $privsep ) > $OBJ/sshd_proxy + cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 @@ -163,7 +167,8 @@ done printf '@revoked ' printf "* " cat $OBJ/host_ca_key.pub -) > $OBJ/known_hosts-cert +) > $OBJ/known_hosts-cert.orig +cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do verbose "$tid: host ${ktype} revoked cert" ( @@ -171,6 +176,7 @@ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do echo HostKey $OBJ/cert_host_key_${ktype} echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub ) > $OBJ/sshd_proxy + cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 @@ -184,7 +190,8 @@ done printf '@cert-authority ' printf "$HOSTS " cat $OBJ/host_ca_key.pub -) > $OBJ/known_hosts-cert +) > $OBJ/known_hosts-cert.orig +cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert test_one() { ident=$1 @@ -209,6 +216,7 @@ test_one() { echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub ) > $OBJ/sshd_proxy + cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 @@ -271,7 +279,8 @@ done printf '@cert-authority ' printf "$HOSTS " cat $OBJ/host_ca_key.pub -) > $OBJ/known_hosts-cert +) > $OBJ/known_hosts-cert.orig +cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert for v in v01 v00 ; do for kt in $PLAIN_TYPES ; do type_has_legacy $kt || continue @@ -291,6 +300,7 @@ for v in v01 v00 ; do echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub ) > $OBJ/sshd_proxy + cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 @@ -300,4 +310,4 @@ for v in v01 v00 ; do done done -rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* +rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key* diff --git a/regress/usr.bin/ssh/hostkey-agent.sh b/regress/usr.bin/ssh/hostkey-agent.sh index 4562f42af8d..84fb2c2d226 100644 --- a/regress/usr.bin/ssh/hostkey-agent.sh +++ b/regress/usr.bin/ssh/hostkey-agent.sh @@ -1,12 +1,9 @@ -# $OpenBSD: hostkey-agent.sh,v 1.1 2015/01/17 18:54:30 djm Exp $ +# $OpenBSD: hostkey-agent.sh,v 1.2 2015/01/19 06:01:32 djm Exp $ # Placed in the Public Domain. tid="hostkey agent" -# Need full names here since they are used in HostKeyAlgorithms -HOSTKEY_TYPES="ecdsa-sha2-nistp256 ssh-ed25519 ssh-rsa ssh-dss" - -rm -f $OBJ/agent.* $OBJ/ssh_proxy.orig +rm -f $OBJ/agent.* $OBJ/ssh_proxy.orig $OBJ/known_hosts.orig trace "start agent" eval `${SSHAGENT} -s` > /dev/null @@ -15,31 +12,31 @@ r=$? grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig -echo "LogLevel debug3" >> $OBJ/sshd_proxy.orig -rm $OBJ/known_hosts trace "load hostkeys" -for k in $HOSTKEY_TYPES ; do +for k in `${SSH} -Q key-plain` ; do ${SSHKEYGEN} -qt $k -f $OBJ/agent.$k -N '' || fatal "ssh-keygen $k" ( echo -n 'localhost-with-alias,127.0.0.1,::1 ' cat $OBJ/agent.$k.pub - ) >> $OBJ/known_hosts + ) >> $OBJ/known_hosts.orig ${SSHADD} $OBJ/agent.$k >/dev/null 2>&1 || \ fatal "couldn't load key $OBJ/agent.$k" echo "Hostkey $OBJ/agent.${k}" >> sshd_proxy.orig # Remove private key so the server can't use it. rm $OBJ/agent.$k || fatal "couldn't rm $OBJ/agent.$k" done +cp $OBJ/known_hosts.orig $OBJ/known_hosts unset SSH_AUTH_SOCK for ps in no yes; do cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy - for k in $HOSTKEY_TYPES ; do + for k in `${SSH} -Q key-plain` ; do verbose "key type $k privsep=$ps" opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy" + cp $OBJ/known_hosts.orig $OBJ/known_hosts SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'` if [ $? -ne 0 ]; then fail "protocol $p privsep=$ps failed"