From 773d7cab3491aecbc30a1aeed07f6302b0fc24d2 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 30 Apr 2017 23:34:55 +0000 Subject: [PATCH] eliminate explicit specification of protocol in tests and loops over protocol. We only support SSHv2 now. --- regress/usr.bin/ssh/agent-pkcs11.sh | 4 +- regress/usr.bin/ssh/agent.sh | 38 ++--- regress/usr.bin/ssh/banner.sh | 8 +- regress/usr.bin/ssh/broken-pipe.sh | 17 +- regress/usr.bin/ssh/brokenkeys.sh | 6 +- regress/usr.bin/ssh/cert-file.sh | 131 ++++++++-------- regress/usr.bin/ssh/cert-hostkey.sh | 14 +- regress/usr.bin/ssh/cert-userkey.sh | 36 ++--- regress/usr.bin/ssh/cfgmatch.sh | 76 ++++----- regress/usr.bin/ssh/cipher-speed.sh | 26 +-- regress/usr.bin/ssh/connect-privsep.sh | 30 ++-- regress/usr.bin/ssh/connect.sh | 12 +- regress/usr.bin/ssh/dynamic-forward.sh | 73 +++++---- regress/usr.bin/ssh/exit-status.sh | 34 ++-- regress/usr.bin/ssh/forcecommand.sh | 23 +-- regress/usr.bin/ssh/forward-control.sh | 109 ++++++------- regress/usr.bin/ssh/forwarding.sh | 174 ++++++++++----------- regress/usr.bin/ssh/host-expand.sh | 9 +- regress/usr.bin/ssh/hostkey-agent.sh | 4 +- regress/usr.bin/ssh/integrity.sh | 4 +- regress/usr.bin/ssh/key-options.sh | 52 +++--- regress/usr.bin/ssh/keygen-change.sh | 5 +- regress/usr.bin/ssh/keyscan.sh | 6 +- regress/usr.bin/ssh/localcommand.sh | 14 +- regress/usr.bin/ssh/misc/kexfuzz/kexfuzz.c | 4 +- regress/usr.bin/ssh/multiplex.sh | 6 +- regress/usr.bin/ssh/principals-command.sh | 18 +-- regress/usr.bin/ssh/proto-mismatch.sh | 12 +- regress/usr.bin/ssh/proto-version.sh | 14 +- regress/usr.bin/ssh/proxy-connect.sh | 41 +++-- regress/usr.bin/ssh/putty-transfer.sh | 45 +++--- regress/usr.bin/ssh/reconfigure.sh | 22 ++- regress/usr.bin/ssh/reexec.sh | 20 +-- regress/usr.bin/ssh/stderr-after-eof.sh | 4 +- regress/usr.bin/ssh/stderr-data.sh | 14 +- regress/usr.bin/ssh/test-exec.sh | 26 +-- regress/usr.bin/ssh/transfer.sh | 29 ++-- regress/usr.bin/ssh/try-ciphers.sh | 24 +-- regress/usr.bin/ssh/yes-head.sh | 20 ++- 39 files changed, 519 insertions(+), 685 deletions(-) diff --git a/regress/usr.bin/ssh/agent-pkcs11.sh b/regress/usr.bin/ssh/agent-pkcs11.sh index 3aa20c8b1ee..db3018b885f 100644 --- a/regress/usr.bin/ssh/agent-pkcs11.sh +++ b/regress/usr.bin/ssh/agent-pkcs11.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent-pkcs11.sh,v 1.2 2015/01/12 11:46:32 djm Exp $ +# $OpenBSD: agent-pkcs11.sh,v 1.3 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="pkcs11 agent test" @@ -53,7 +53,7 @@ else fi trace "pkcs11 connect via agent" - ${SSH} -2 -F $OBJ/ssh_proxy somehost exit 5 + ${SSH} -F $OBJ/ssh_proxy somehost exit 5 r=$? if [ $r -ne 5 ]; then fail "ssh connect failed (exit code $r)" diff --git a/regress/usr.bin/ssh/agent.sh b/regress/usr.bin/ssh/agent.sh index c5e2794b763..0baf0c74a28 100644 --- a/regress/usr.bin/ssh/agent.sh +++ b/regress/usr.bin/ssh/agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent.sh,v 1.11 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: agent.sh,v 1.12 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="simple agent test" @@ -46,28 +46,24 @@ else fi trace "simple connect via agent" - for p in ${SSH_PROTOCOLS}; do - ${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p - r=$? - if [ $r -ne 5$p ]; then - fail "ssh connect with protocol $p failed (exit code $r)" - fi - done + ${SSH} -F $OBJ/ssh_proxy somehost exit 52 + r=$? + if [ $r -ne 52 ]; then + fail "ssh connect with failed (exit code $r)" + fi trace "agent forwarding" - for p in ${SSH_PROTOCOLS}; do - ${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 - r=$? - if [ $r -ne 0 ]; then - fail "ssh-add -l via agent fwd proto $p failed (exit code $r)" - fi - ${SSH} -A -$p -F $OBJ/ssh_proxy somehost \ - "${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p" - r=$? - if [ $r -ne 5$p ]; then - fail "agent fwd proto $p failed (exit code $r)" - fi - done + ${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then + fail "ssh-add -l via agent fwd failed (exit code $r)" + fi + ${SSH} -A -F $OBJ/ssh_proxy somehost \ + "${SSH} -F $OBJ/ssh_proxy somehost exit 52" + r=$? + if [ $r -ne 52 ]; then + fail "agent fwd failed (exit code $r)" + fi trace "delete all agent keys" ${SSHADD} -D > /dev/null 2>&1 diff --git a/regress/usr.bin/ssh/banner.sh b/regress/usr.bin/ssh/banner.sh index 0b9c9500749..0d9654fe247 100644 --- a/regress/usr.bin/ssh/banner.sh +++ b/regress/usr.bin/ssh/banner.sh @@ -1,4 +1,4 @@ -# $OpenBSD: banner.sh,v 1.2 2003/10/11 11:49:49 dtucker Exp $ +# $OpenBSD: banner.sh,v 1.3 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="banner" @@ -9,7 +9,7 @@ touch $OBJ/empty.in trace "test missing banner file" verbose "test $tid: missing banner file" -( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ +( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ cmp $OBJ/empty.in $OBJ/banner.out ) || \ fail "missing banner file" @@ -30,14 +30,14 @@ for s in 0 10 100 1000 10000 100000 ; do trace "test banner size $s" verbose "test $tid: size $s" - ( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ + ( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ cmp $OBJ/banner.in $OBJ/banner.out ) || \ fail "banner size $s mismatch" done trace "test suppress banner (-q)" verbose "test $tid: suppress banner (-q)" -( ${SSH} -q -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ +( ${SSH} -q -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ cmp $OBJ/empty.in $OBJ/banner.out ) || \ fail "suppress banner (-q)" diff --git a/regress/usr.bin/ssh/broken-pipe.sh b/regress/usr.bin/ssh/broken-pipe.sh index a416f7a3b52..c69276e2705 100644 --- a/regress/usr.bin/ssh/broken-pipe.sh +++ b/regress/usr.bin/ssh/broken-pipe.sh @@ -1,15 +1,12 @@ -# $OpenBSD: broken-pipe.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: broken-pipe.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="broken pipe test" -for p in ${SSH_PROTOCOLS}; do - trace "protocol $p" - for i in 1 2 3 4; do - ${SSH} -$p -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true - r=$? - if [ $r -ne 0 ]; then - fail "broken pipe returns $r for protocol $p" - fi - done +for i in 1 2 3 4; do + ${SSH} -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true + r=$? + if [ $r -ne 0 ]; then + fail "broken pipe returns $r" + fi done diff --git a/regress/usr.bin/ssh/brokenkeys.sh b/regress/usr.bin/ssh/brokenkeys.sh index 3e70c348ac3..9d5a54fa9db 100644 --- a/regress/usr.bin/ssh/brokenkeys.sh +++ b/regress/usr.bin/ssh/brokenkeys.sh @@ -1,4 +1,4 @@ -# $OpenBSD: brokenkeys.sh,v 1.1 2004/10/29 23:59:22 djm Exp $ +# $OpenBSD: brokenkeys.sh,v 1.2 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="broken keys" @@ -14,9 +14,9 @@ echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEABTM= bad key" > $KEYS cat ${KEYS}.bak >> ${KEYS} cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER -${SSH} -2 -F $OBJ/ssh_config somehost true +${SSH} -F $OBJ/ssh_config somehost true if [ $? -ne 0 ]; then - fail "ssh connect with protocol $p failed" + fail "ssh connect with failed" fi mv ${KEYS}.bak ${KEYS} diff --git a/regress/usr.bin/ssh/cert-file.sh b/regress/usr.bin/ssh/cert-file.sh index 43b8e02014c..8fd62c7730d 100644 --- a/regress/usr.bin/ssh/cert-file.sh +++ b/regress/usr.bin/ssh/cert-file.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-file.sh,v 1.5 2017/03/11 23:44:16 djm Exp $ +# $OpenBSD: cert-file.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="ssh with certificates" @@ -54,66 +54,64 @@ cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config # XXX: verify that certificate used was what we expect. Needs exposure of # keys via enviornment variable or similar. -for p in ${SSH_PROTOCOLS}; do # Key with no .pub should work - finding the equivalent *-cert.pub. - verbose "protocol $p: identity cert with no plain public file" - ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ - -i $OBJ/user_key3 somehost exit 5$p - [ $? -ne 5$p ] && fail "ssh failed" - - # CertificateFile matching private key with no .pub file should work. - verbose "protocol $p: CertificateFile with no plain public file" - ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ - -oCertificateFile=$OBJ/user_key3-cert.pub \ - -i $OBJ/user_key3 somehost exit 5$p - [ $? -ne 5$p ] && fail "ssh failed" - - # Just keys should fail - verbose "protocol $p: plain keys" - ${SSH} $opts2 somehost exit 5$p - r=$? - if [ $r -eq 5$p ]; then - fail "ssh succeeded with no certs in protocol $p" - fi - - # Keys with untrusted cert should fail. - verbose "protocol $p: untrusted cert" - opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" - ${SSH} $opts3 somehost exit 5$p - r=$? - if [ $r -eq 5$p ]; then - fail "ssh succeeded with bad cert in protocol $p" - fi - - # Good cert with bad key should fail. - verbose "protocol $p: good cert, bad key" - opts3="$opts -i $OBJ/user_key2" - opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" - ${SSH} $opts3 somehost exit 5$p - r=$? - if [ $r -eq 5$p ]; then - fail "ssh succeeded with no matching key in protocol $p" - fi - - # Keys with one trusted cert, should succeed. - verbose "protocol $p: single trusted" - opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" - ${SSH} $opts3 somehost exit 5$p - r=$? - if [ $r -ne 5$p ]; then - fail "ssh failed with trusted cert and key in protocol $p" - fi - - # Multiple certs and keys, with one trusted cert, should succeed. - verbose "protocol $p: multiple trusted" - opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" - opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" - ${SSH} $opts3 somehost exit 5$p - r=$? - if [ $r -ne 5$p ]; then - fail "ssh failed with multiple certs in protocol $p" - fi -done +verbose "identity cert with no plain public file" +${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ + -i $OBJ/user_key3 somehost exit 52 +[ $? -ne 52 ] && fail "ssh failed" + +# CertificateFile matching private key with no .pub file should work. +verbose "CertificateFile with no plain public file" +${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ + -oCertificateFile=$OBJ/user_key3-cert.pub \ + -i $OBJ/user_key3 somehost exit 52 +[ $? -ne 52 ] && fail "ssh failed" + +# Just keys should fail +verbose "plain keys" +${SSH} $opts2 somehost exit 52 +r=$? +if [ $r -eq 52 ]; then + fail "ssh succeeded with no certs" +fi + +# Keys with untrusted cert should fail. +verbose "untrusted cert" +opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" +${SSH} $opts3 somehost exit 52 +r=$? +if [ $r -eq 52 ]; then + fail "ssh succeeded with bad cert" +fi + +# Good cert with bad key should fail. +verbose "good cert, bad key" +opts3="$opts -i $OBJ/user_key2" +opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" +${SSH} $opts3 somehost exit 52 +r=$? +if [ $r -eq 52 ]; then + fail "ssh succeeded with no matching key" +fi + +# Keys with one trusted cert, should succeed. +verbose "single trusted" +opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" +${SSH} $opts3 somehost exit 52 +r=$? +if [ $r -ne 52 ]; then + fail "ssh failed with trusted cert and key" +fi + +# Multiple certs and keys, with one trusted cert, should succeed. +verbose "multiple trusted" +opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" +opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" +${SSH} $opts3 somehost exit 52 +r=$? +if [ $r -ne 52 ]; then + fail "ssh failed with multiple certs" +fi #next, using an agent in combination with the keys SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1 @@ -139,26 +137,25 @@ if [ $? -ne 0 ]; then fi # try ssh with the agent and certificates -# note: ssh agent only uses certificates in protocol 2 opts="-F $OBJ/ssh_proxy" # with no certificates, shoud fail -${SSH} -2 $opts somehost exit 52 +${SSH} $opts somehost exit 52 if [ $? -eq 52 ]; then - fail "ssh connect with agent in protocol 2 succeeded with no cert" + fail "ssh connect with agent in succeeded with no cert" fi #with an untrusted certificate, should fail opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub" -${SSH} -2 $opts somehost exit 52 +${SSH} $opts somehost exit 52 if [ $? -eq 52 ]; then - fail "ssh connect with agent in protocol 2 succeeded with bad cert" + fail "ssh connect with agent in succeeded with bad cert" fi #with an additional trusted certificate, should succeed opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub" -${SSH} -2 $opts somehost exit 52 +${SSH} $opts somehost exit 52 if [ $? -ne 52 ]; then - fail "ssh connect with agent in protocol 2 failed with good cert" + fail "ssh connect with agent in failed with good cert" fi trace "kill agent" diff --git a/regress/usr.bin/ssh/cert-hostkey.sh b/regress/usr.bin/ssh/cert-hostkey.sh index 62261cf8b3b..3d5732a5d4f 100644 --- a/regress/usr.bin/ssh/cert-hostkey.sh +++ b/regress/usr.bin/ssh/cert-hostkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-hostkey.sh,v 1.14 2016/05/02 09:52:00 djm Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.15 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="certified host keys" @@ -104,7 +104,7 @@ attempt_connect() { shift; shift verbose "$tid: $_ident expect success $_expect_success" cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert - ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ + ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ "$@" -F $OBJ/ssh_proxy somehost true _r=$? @@ -169,7 +169,7 @@ for privsep in yes no ; do ) > $OBJ/sshd_proxy cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert - ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ + ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then @@ -190,7 +190,7 @@ for ktype in $PLAIN_TYPES ; do echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub ) > $OBJ/sshd_proxy cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert - ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ + ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then @@ -222,7 +222,7 @@ test_one() { ) > $OBJ/sshd_proxy cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert - ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ + ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 rc=$? @@ -271,7 +271,7 @@ for ktype in $PLAIN_TYPES ; do echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub ) > $OBJ/sshd_proxy - ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ + ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ -F $OBJ/ssh_proxy somehost true if [ $? -ne 0 ]; then @@ -303,7 +303,7 @@ for kt in $PLAIN_TYPES ; do ) > $OBJ/sshd_proxy cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert - ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ + ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then diff --git a/regress/usr.bin/ssh/cert-userkey.sh b/regress/usr.bin/ssh/cert-userkey.sh index 7005fd55eb6..6a23fe300bf 100644 --- a/regress/usr.bin/ssh/cert-userkey.sh +++ b/regress/usr.bin/ssh/cert-userkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.17 2016/11/30 03:01:33 djm Exp $ +# $OpenBSD: cert-userkey.sh,v 1.18 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="certified user keys" @@ -67,7 +67,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do # Missing authorized_principals verbose "$tid: ${_prefix} missing authorized_principals" rm -f $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + ${SSH} -i $OBJ/cert_user_key_${ktype} \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpectedly" @@ -76,7 +76,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do # Empty authorized_principals verbose "$tid: ${_prefix} empty authorized_principals" echo > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + ${SSH} -i $OBJ/cert_user_key_${ktype} \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpectedly" @@ -85,7 +85,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do # Wrong authorized_principals verbose "$tid: ${_prefix} wrong authorized_principals" echo gregorsamsa > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + ${SSH} -i $OBJ/cert_user_key_${ktype} \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpectedly" @@ -94,7 +94,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do # Correct authorized_principals verbose "$tid: ${_prefix} correct authorized_principals" echo mekmitasdigoat > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + ${SSH} -i $OBJ/cert_user_key_${ktype} \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -ne 0 ]; then fail "ssh cert connect failed" @@ -103,7 +103,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do # authorized_principals with bad key option verbose "$tid: ${_prefix} authorized_principals bad key opt" echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + ${SSH} -i $OBJ/cert_user_key_${ktype} \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpectedly" @@ -113,7 +113,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do verbose "$tid: ${_prefix} authorized_principals command=false" echo 'command="false" mekmitasdigoat' > \ $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + ${SSH} -i $OBJ/cert_user_key_${ktype} \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpectedly" @@ -124,7 +124,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do verbose "$tid: ${_prefix} authorized_principals command=true" echo 'command="true" mekmitasdigoat' > \ $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + ${SSH} -i $OBJ/cert_user_key_${ktype} \ -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 if [ $? -ne 0 ]; then fail "ssh cert connect failed" @@ -148,7 +148,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do printf 'cert-authority,principals="gregorsamsa" ' cat $OBJ/user_ca_key.pub ) > $OBJ/authorized_keys_$USER - ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + ${SSH} -i $OBJ/cert_user_key_${ktype} \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpectedly" @@ -160,7 +160,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do printf 'cert-authority,principals="mekmitasdigoat" ' cat $OBJ/user_ca_key.pub ) > $OBJ/authorized_keys_$USER - ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + ${SSH} -i $OBJ/cert_user_key_${ktype} \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -ne 0 ]; then fail "ssh cert connect failed" @@ -198,7 +198,7 @@ basic_tests() { echo "PubkeyAcceptedKeyTypes ${t}" ) > $OBJ/ssh_proxy - ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + ${SSH} -i $OBJ/cert_user_key_${ktype} \ -F $OBJ/ssh_proxy somehost true if [ $? -ne 0 ]; then fail "ssh cert connect failed" @@ -215,7 +215,7 @@ basic_tests() { ) > $OBJ/sshd_proxy cp $OBJ/cert_user_key_${ktype}.pub \ $OBJ/cert_user_key_revoked - ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + ${SSH} -i $OBJ/cert_user_key_${ktype} \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpecedly" @@ -224,14 +224,14 @@ basic_tests() { rm $OBJ/cert_user_key_revoked ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \ $OBJ/cert_user_key_${ktype}.pub - ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + ${SSH} -i $OBJ/cert_user_key_${ktype} \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpecedly" fi verbose "$tid: ${_prefix} empty KRL" ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked - ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + ${SSH} -i $OBJ/cert_user_key_${ktype} \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -ne 0 ]; then fail "ssh cert connect failed" @@ -246,7 +246,7 @@ basic_tests() { echo "PubkeyAcceptedKeyTypes ${t}" echo "$extra_sshd" ) > $OBJ/sshd_proxy - ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ + ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpecedly" @@ -260,7 +260,7 @@ basic_tests() { echo "$extra_sshd" ) > $OBJ/sshd_proxy verbose "$tid: ensure CA key does not authenticate user" - ${SSH} -2i $OBJ/user_ca_key \ + ${SSH} -i $OBJ/user_ca_key \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect with CA key succeeded unexpectedly" @@ -307,7 +307,7 @@ test_one() { $sign_opts $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" - ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + ${SSH} -i $OBJ/cert_user_key_${ktype} \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 rc=$? if [ "x$result" = "xsuccess" ] ; then @@ -378,7 +378,7 @@ for ktype in $PLAIN_TYPES ; do -n $USER $OBJ/cert_user_key_${ktype} || fatal "couldn't sign cert_user_key_${ktype}" verbose "$tid: user ${ktype} connect wrong cert" - ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ + ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect $ident succeeded unexpectedly" diff --git a/regress/usr.bin/ssh/cfgmatch.sh b/regress/usr.bin/ssh/cfgmatch.sh index 05629639865..2504d04f4c5 100644 --- a/regress/usr.bin/ssh/cfgmatch.sh +++ b/regress/usr.bin/ssh/cfgmatch.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cfgmatch.sh,v 1.9 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: cfgmatch.sh,v 1.10 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="sshd_config match" @@ -13,7 +13,7 @@ echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy start_client() { rm -f $pidfile - ${SSH} -q -$p $fwd "$@" somehost \ + ${SSH} -q $fwd "$@" somehost \ exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \ >>$TEST_REGRESS_LOGFILE 2>&1 & client_pid=$! @@ -56,22 +56,18 @@ start_sshd #set -x # Test Match + PermitOpen in sshd_config. This should be permitted -for p in ${SSH_PROTOCOLS}; do - trace "match permitopen localhost proto $p" - start_client -F $OBJ/ssh_config - ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ - fail "match permitopen permit proto $p" - stop_client -done +trace "match permitopen localhost" +start_client -F $OBJ/ssh_config +${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ + fail "match permitopen permit" +stop_client # Same but from different source. This should not be permitted -for p in ${SSH_PROTOCOLS}; do - trace "match permitopen proxy proto $p" - start_client -F $OBJ/ssh_proxy - ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ - fail "match permitopen deny proto $p" - stop_client -done +trace "match permitopen proxy" +start_client -F $OBJ/ssh_proxy +${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ + fail "match permitopen deny" +stop_client # Retry previous with key option, should also be denied. cp /dev/null $OBJ/authorized_keys_$USER @@ -79,23 +75,19 @@ for t in ${SSH_KEYTYPES}; do printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER done -for p in ${SSH_PROTOCOLS}; do - trace "match permitopen proxy w/key opts proto $p" - start_client -F $OBJ/ssh_proxy - ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ - fail "match permitopen deny w/key opt proto $p" - stop_client -done +trace "match permitopen proxy w/key opts" +start_client -F $OBJ/ssh_proxy +${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ + fail "match permitopen deny w/key opt" +stop_client # Test both sshd_config and key options permitting the same dst/port pair. # Should be permitted. -for p in ${SSH_PROTOCOLS}; do - trace "match permitopen localhost proto $p" - start_client -F $OBJ/ssh_config - ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ - fail "match permitopen permit proto $p" - stop_client -done +trace "match permitopen localhost" +start_client -F $OBJ/ssh_config +${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ + fail "match permitopen permit" +stop_client cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy @@ -103,13 +95,11 @@ echo "Match User $USER" >>$OBJ/sshd_proxy echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy # Test that a Match overrides a PermitOpen in the global section -for p in ${SSH_PROTOCOLS}; do - trace "match permitopen proxy w/key opts proto $p" - start_client -F $OBJ/ssh_proxy - ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ - fail "match override permitopen proto $p" - stop_client -done +trace "match permitopen proxy w/key opts" +start_client -F $OBJ/ssh_proxy +${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ + fail "match override permitopen" +stop_client cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy @@ -118,10 +108,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy # Test that a rule that doesn't match doesn't override, plus test a # PermitOpen entry that's not at the start of the list -for p in ${SSH_PROTOCOLS}; do - trace "nomatch permitopen proxy w/key opts proto $p" - start_client -F $OBJ/ssh_proxy - ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ - fail "nomatch override permitopen proto $p" - stop_client -done +trace "nomatch permitopen proxy w/key opts" +start_client -F $OBJ/ssh_proxy +${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ + fail "nomatch override permitopen" +stop_client diff --git a/regress/usr.bin/ssh/cipher-speed.sh b/regress/usr.bin/ssh/cipher-speed.sh index cb56f0d51cb..22d1d7f14fb 100644 --- a/regress/usr.bin/ssh/cipher-speed.sh +++ b/regress/usr.bin/ssh/cipher-speed.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cipher-speed.sh,v 1.13 2015/03/24 20:22:17 markus Exp $ +# $OpenBSD: cipher-speed.sh,v 1.14 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="cipher speed" @@ -11,16 +11,16 @@ getbytes () tries="1 2" for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do - trace "proto 2 cipher $c mac $m" + trace "cipher $c mac $m" for x in $tries; do printf "$c/$m:\t" ( ${SSH} -o 'compression no' \ - -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \ + -F $OBJ/ssh_proxy -m $m -c $c somehost \ exec sh -c \'"dd of=/dev/null obs=32k"\' \ < ${DATA} ) 2>&1 | getbytes if [ $? -ne 0 ]; then - fail "ssh -2 failed with mac $m cipher $c" + fail "ssh failed with mac $m cipher $c" fi done # No point trying all MACs for AEAD ciphers since they are ignored. @@ -30,21 +30,3 @@ for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do n=$(($n + 1)) done; done -if ssh_version 1; then - ciphers="3des blowfish" -else - ciphers="" -fi -for c in $ciphers; do - trace "proto 1 cipher $c" - for x in $tries; do - printf "$c:\t" - ( ${SSH} -o 'compression no' \ - -F $OBJ/ssh_proxy -1 -c $c somehost \ - exec sh -c \'"dd of=/dev/null obs=32k"\' \ - < ${DATA} ) 2>&1 | getbytes - if [ $? -ne 0 ]; then - fail "ssh -1 failed with cipher $c" - fi - done -done diff --git a/regress/usr.bin/ssh/connect-privsep.sh b/regress/usr.bin/ssh/connect-privsep.sh index 0ce6977f6ab..342c3e12397 100644 --- a/regress/usr.bin/ssh/connect-privsep.sh +++ b/regress/usr.bin/ssh/connect-privsep.sh @@ -1,4 +1,4 @@ -# $OpenBSD: connect-privsep.sh,v 1.8 2016/11/01 13:43:27 tb Exp $ +# $OpenBSD: connect-privsep.sh,v 1.9 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="proxy connect with privsep" @@ -6,30 +6,26 @@ tid="proxy connect with privsep" cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy -for p in ${SSH_PROTOCOLS}; do - ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true - if [ $? -ne 0 ]; then - fail "ssh privsep+proxyconnect protocol $p failed" - fi -done +${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true +if [ $? -ne 0 ]; then + fail "ssh privsep+proxyconnect failed" +fi cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy -for p in ${SSH_PROTOCOLS}; do - ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true - if [ $? -ne 0 ]; then - fail "ssh privsep/sandbox+proxyconnect protocol $p failed" - fi -done +${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true +if [ $? -ne 0 ]; then + fail "ssh privsep/sandbox+proxyconnect failed" +fi # Because sandbox is sensitive to changes in libc, especially malloc, retest # with every malloc.conf option (and none). for m in '' C F G J R S U X '<' '>'; do - for p in ${SSH_PROTOCOLS}; do - env MALLOC_OPTIONS="$m" ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true + env MALLOC_OPTIONS="$m" \ + ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true if [ $? -ne 0 ]; then - fail "ssh privsep/sandbox+proxyconnect protocol $p mopt '$m' failed" + fail "ssh privsep/sandbox+proxyconnect mopt '$m' failed" fi - done done + diff --git a/regress/usr.bin/ssh/connect.sh b/regress/usr.bin/ssh/connect.sh index f0d55d343d8..1b344b6034e 100644 --- a/regress/usr.bin/ssh/connect.sh +++ b/regress/usr.bin/ssh/connect.sh @@ -1,13 +1,11 @@ -# $OpenBSD: connect.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: connect.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="simple connect" start_sshd -for p in ${SSH_PROTOCOLS}; do - ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true - if [ $? -ne 0 ]; then - fail "ssh connect with protocol $p failed" - fi -done +${SSH} -F $OBJ/ssh_config somehost true +if [ $? -ne 0 ]; then + fail "ssh connect with failed" +fi diff --git a/regress/usr.bin/ssh/dynamic-forward.sh b/regress/usr.bin/ssh/dynamic-forward.sh index 80cbc195503..346a3ac921c 100644 --- a/regress/usr.bin/ssh/dynamic-forward.sh +++ b/regress/usr.bin/ssh/dynamic-forward.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dynamic-forward.sh,v 1.11 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: dynamic-forward.sh,v 1.12 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="dynamic forwarding" @@ -17,43 +17,42 @@ trace "will use ProxyCommand $proxycmd" start_sshd -for p in ${SSH_PROTOCOLS}; do - n=0 - error="1" - trace "start dynamic forwarding, fork to background" - while [ "$error" -ne 0 -a "$n" -lt 3 ]; do - n=`expr $n + 1` - ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \ - -oExitOnForwardFailure=yes somehost exec sh -c \ - \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' - error=$? - if [ "$error" -ne 0 ]; then - trace "forward failed proto $p attempt $n err $error" - sleep $n - fi - done +n=0 +error="1" +trace "start dynamic forwarding, fork to background" +while [ "$error" -ne 0 -a "$n" -lt 3 ]; do + n=`expr $n + 1` + ${SSH} -F $OBJ/ssh_config -f -D $FWDPORT -q \ + -oExitOnForwardFailure=yes somehost exec sh -c \ + \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' + error=$? if [ "$error" -ne 0 ]; then - fatal "failed to start dynamic forwarding proto $p" + trace "forward failed attempt $n err $error" + sleep $n fi +done +if [ "$error" -ne 0 ]; then + fatal "failed to start dynamic forwarding" +fi - for s in 4 5; do - for h in 127.0.0.1 localhost; do - trace "testing ssh protocol $p socks version $s host $h" - ${SSH} -F $OBJ/ssh_config \ - -o "ProxyCommand ${proxycmd}${s} $h $PORT" \ - somehost cat ${DATA} > ${COPY} - test -f ${COPY} || fail "failed copy ${DATA}" - cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" - done - done - - if [ -f $OBJ/remote_pid ]; then - remote=`cat $OBJ/remote_pid` - trace "terminate remote shell, pid $remote" - if [ $remote -gt 1 ]; then - kill -HUP $remote - fi - else - fail "no pid file: $OBJ/remote_pid" - fi +for s in 4 5; do + for h in 127.0.0.1 localhost; do + trace "testing ssh socks version $s host $h" + ${SSH} -F $OBJ/ssh_config \ + -o "ProxyCommand ${proxycmd}${s} $h $PORT" \ + somehost cat ${DATA} > ${COPY} + test -f ${COPY} || fail "failed copy ${DATA}" + cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" + done done + +if [ -f $OBJ/remote_pid ]; then + remote=`cat $OBJ/remote_pid` + trace "terminate remote shell, pid $remote" + if [ $remote -gt 1 ]; then + kill -HUP $remote + fi +else + fail "no pid file: $OBJ/remote_pid" +fi + diff --git a/regress/usr.bin/ssh/exit-status.sh b/regress/usr.bin/ssh/exit-status.sh index 397d8d732fe..aadf99fb3c8 100644 --- a/regress/usr.bin/ssh/exit-status.sh +++ b/regress/usr.bin/ssh/exit-status.sh @@ -1,24 +1,22 @@ -# $OpenBSD: exit-status.sh,v 1.7 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: exit-status.sh,v 1.8 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="remote exit status" -for p in ${SSH_PROTOCOLS}; do - for s in 0 1 4 5 44; do - trace "proto $p status $s" - verbose "test $tid: proto $p status $s" - ${SSH} -$p -F $OBJ/ssh_proxy otherhost exit $s - r=$? - if [ $r -ne $s ]; then - fail "exit code mismatch for protocol $p: $r != $s" - fi +for s in 0 1 4 5 44; do + trace "status $s" + verbose "test $tid: status $s" + ${SSH} -F $OBJ/ssh_proxy otherhost exit $s + r=$? + if [ $r -ne $s ]; then + fail "exit code mismatch for: $r != $s" + fi - # same with early close of stdout/err - ${SSH} -$p -F $OBJ/ssh_proxy -n otherhost \ - exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\' - r=$? - if [ $r -ne $s ]; then - fail "exit code (with sleep) mismatch for protocol $p: $r != $s" - fi - done + # same with early close of stdout/err + ${SSH} -F $OBJ/ssh_proxy -n otherhost exec \ + sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\' + r=$? + if [ $r -ne $s ]; then + fail "exit code (with sleep) mismatch for: $r != $s" + fi done diff --git a/regress/usr.bin/ssh/forcecommand.sh b/regress/usr.bin/ssh/forcecommand.sh index 8a9b090ea5d..e059f1fdbc6 100644 --- a/regress/usr.bin/ssh/forcecommand.sh +++ b/regress/usr.bin/ssh/forcecommand.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forcecommand.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: forcecommand.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="forced command" @@ -11,11 +11,8 @@ for t in ${SSH_KEYTYPES}; do cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER done -for p in ${SSH_PROTOCOLS}; do - trace "forced command in key option proto $p" - ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ || - fail "forced command in key proto $p" -done +trace "forced command in key option" +${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key" cp /dev/null $OBJ/authorized_keys_$USER for t in ${SSH_KEYTYPES}; do @@ -26,19 +23,13 @@ done cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy echo "ForceCommand true" >> $OBJ/sshd_proxy -for p in ${SSH_PROTOCOLS}; do - trace "forced command in sshd_config overrides key option proto $p" - ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ || - fail "forced command in key proto $p" -done +trace "forced command in sshd_config overrides key option" +${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key" cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy echo "ForceCommand false" >> $OBJ/sshd_proxy echo "Match User $USER" >> $OBJ/sshd_proxy echo " ForceCommand true" >> $OBJ/sshd_proxy -for p in ${SSH_PROTOCOLS}; do - trace "forced command with match proto $p" - ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ || - fail "forced command in key proto $p" -done +trace "forced command with match" +${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key" diff --git a/regress/usr.bin/ssh/forward-control.sh b/regress/usr.bin/ssh/forward-control.sh index d9289282d1c..49382771f0e 100644 --- a/regress/usr.bin/ssh/forward-control.sh +++ b/regress/usr.bin/ssh/forward-control.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forward-control.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: forward-control.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="sshd control of local and remote forwarding" @@ -32,13 +32,12 @@ wait_for_process_to_exit() { return 0 } -# usage: check_lfwd protocol Y|N message +# usage: check_lfwd Y|N message check_lfwd() { - _proto=$1 - _expected=$2 - _message=$3 + _expected=$1 + _message=$2 rm -f $READY - ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \ + ${SSH} -F $OBJ/ssh_proxy \ -L$LFWD_PORT:127.0.0.1:$PORT \ -o ExitOnForwardFailure=yes \ -n host "sleep 60 & echo \$! > $READY ; wait " \ @@ -62,13 +61,12 @@ check_lfwd() { fi } -# usage: check_rfwd protocol Y|N message +# usage: check_rfwd Y|N message check_rfwd() { - _proto=$1 - _expected=$2 - _message=$3 + _expected=$1 + _message=$2 rm -f $READY - ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \ + ${SSH} -F $OBJ/ssh_proxy \ -R$RFWD_PORT:127.0.0.1:$PORT \ -o ExitOnForwardFailure=yes \ -n host "sleep 60 & echo \$! > $READY ; wait " \ @@ -99,10 +97,8 @@ cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak # Sanity check: ensure the default config allows forwarding -for p in ${SSH_PROTOCOLS} ; do - check_lfwd $p Y "proto $p, default configuration" - check_rfwd $p Y "proto $p, default configuration" -done +check_lfwd Y "default configuration" +check_rfwd Y "default configuration" # Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N all_tests() { @@ -115,49 +111,46 @@ all_tests() { _permit_rfwd=$7 _badfwd=127.0.0.1:22 _goodfwd=127.0.0.1:${PORT} - for _proto in ${SSH_PROTOCOLS} ; do - cp ${OBJ}/authorized_keys_${USER}.bak \ - ${OBJ}/authorized_keys_${USER} - _prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd" - # No PermitOpen - ( cat ${OBJ}/sshd_proxy.bak ; - echo "AllowTcpForwarding $_tcpfwd" ) \ - > ${OBJ}/sshd_proxy - check_lfwd $_proto $_plain_lfwd "$_prefix" - check_rfwd $_proto $_plain_rfwd "$_prefix" - # PermitOpen via sshd_config that doesn't match - ( cat ${OBJ}/sshd_proxy.bak ; - echo "AllowTcpForwarding $_tcpfwd" ; - echo "PermitOpen $_badfwd" ) \ - > ${OBJ}/sshd_proxy - check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen" - check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen" - # PermitOpen via sshd_config that does match - ( cat ${OBJ}/sshd_proxy.bak ; - echo "AllowTcpForwarding $_tcpfwd" ; - echo "PermitOpen $_badfwd $_goodfwd" ) \ - > ${OBJ}/sshd_proxy - # NB. permitopen via authorized_keys should have same - # success/fail as via sshd_config - # permitopen via authorized_keys that doesn't match - sed "s/^/permitopen=\"$_badfwd\" /" \ - < ${OBJ}/authorized_keys_${USER}.bak \ - > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" - ( cat ${OBJ}/sshd_proxy.bak ; - echo "AllowTcpForwarding $_tcpfwd" ) \ - > ${OBJ}/sshd_proxy - check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen" - check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen" - # permitopen via authorized_keys that does match - sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \ - < ${OBJ}/authorized_keys_${USER}.bak \ - > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" - ( cat ${OBJ}/sshd_proxy.bak ; - echo "AllowTcpForwarding $_tcpfwd" ) \ - > ${OBJ}/sshd_proxy - check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen" - check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen" - done + cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER} + _prefix="AllowTcpForwarding=$_tcpfwd" + # No PermitOpen + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_plain_lfwd "$_prefix" + check_rfwd $_plain_rfwd "$_prefix" + # PermitOpen via sshd_config that doesn't match + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ; + echo "PermitOpen $_badfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen" + check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen" + # PermitOpen via sshd_config that does match + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ; + echo "PermitOpen $_badfwd $_goodfwd" ) \ + > ${OBJ}/sshd_proxy + # NB. permitopen via authorized_keys should have same + # success/fail as via sshd_config + # permitopen via authorized_keys that doesn't match + sed "s/^/permitopen=\"$_badfwd\" /" \ + < ${OBJ}/authorized_keys_${USER}.bak \ + > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_nopermit_lfwd "$_prefix, !permitopen" + check_rfwd $_nopermit_rfwd "$_prefix, !permitopen" + # permitopen via authorized_keys that does match + sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \ + < ${OBJ}/authorized_keys_${USER}.bak \ + > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_permit_lfwd "$_prefix, permitopen" + check_rfwd $_permit_rfwd "$_prefix, permitopen" } # no-permitopen mismatch-permitopen match-permitopen diff --git a/regress/usr.bin/ssh/forwarding.sh b/regress/usr.bin/ssh/forwarding.sh index dd526eeeaa5..d126b6b88d2 100644 --- a/regress/usr.bin/ssh/forwarding.sh +++ b/regress/usr.bin/ssh/forwarding.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forwarding.sh,v 1.19 2017/01/30 05:22:14 djm Exp $ +# $OpenBSD: forwarding.sh,v 1.20 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="local and remote forwarding" @@ -20,30 +20,24 @@ for j in 0 1 2; do last=$a done done -for p in ${SSH_PROTOCOLS}; do - q=`expr 3 - $p` - if ! ssh_version $q; then - q=$p - fi - trace "start forwarding, fork to background" - rm -f $CTL - ${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10 - trace "transfer over forwarded channels and check result" - ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \ - somehost cat ${DATA} > ${COPY} - test -s ${COPY} || fail "failed copy of ${DATA}" - cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" +trace "start forwarding, fork to background" +rm -f $CTL +${SSH} -S $CTL -M -F $OBJ/ssh_config -f $fwd somehost sleep 10 - ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost -done +trace "transfer over forwarded channels and check result" +${SSH} -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \ + somehost cat ${DATA} > ${COPY} +test -s ${COPY} || fail "failed copy of ${DATA}" +cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" + +${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost -for p in ${SSH_PROTOCOLS}; do for d in L R; do - trace "exit on -$d forward failure, proto $p" + trace "exit on -$d forward failure" # this one should succeed - ${SSH} -$p -F $OBJ/ssh_config \ + ${SSH} -F $OBJ/ssh_config \ -$d ${base}01:127.0.0.1:$PORT \ -$d ${base}02:127.0.0.1:$PORT \ -$d ${base}03:127.0.0.1:$PORT \ @@ -53,7 +47,7 @@ for d in L R; do fatal "connection failed, should not" else # this one should fail - ${SSH} -q -$p -F $OBJ/ssh_config \ + ${SSH} -q -F $OBJ/ssh_config \ -$d ${base}01:127.0.0.1:$PORT \ -$d ${base}02:127.0.0.1:$PORT \ -$d ${base}03:127.0.0.1:$PORT \ @@ -66,82 +60,74 @@ for d in L R; do fi fi done -done -for p in ${SSH_PROTOCOLS}; do - trace "simple clear forwarding proto $p" - ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true - - trace "clear local forward proto $p" - rm -f $CTL - ${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \ - -oClearAllForwardings=yes somehost sleep 10 - if [ $? != 0 ]; then - fail "connection failed with cleared local forwarding" - else - # this one should fail - ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 somehost true \ - >>$TEST_REGRESS_LOGFILE 2>&1 && \ - fail "local forwarding not cleared" - fi - ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost - - trace "clear remote forward proto $p" - rm -f $CTL - ${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \ - -oClearAllForwardings=yes somehost sleep 10 - if [ $? != 0 ]; then - fail "connection failed with cleared remote forwarding" - else - # this one should fail - ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 somehost true \ - >>$TEST_REGRESS_LOGFILE 2>&1 && \ - fail "remote forwarding not cleared" - fi - ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost -done - -for p in 2; do - trace "stdio forwarding proto $p" - cmd="${SSH} -$p -F $OBJ/ssh_config" - $cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" \ - somehost true - if [ $? != 0 ]; then - fail "stdio forwarding proto $p" - fi -done +trace "simple clear forwarding" +${SSH} -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true + +trace "clear local forward" +rm -f $CTL +${SSH} -S $CTL -M -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \ + -oClearAllForwardings=yes somehost sleep 10 +if [ $? != 0 ]; then + fail "connection failed with cleared local forwarding" +else + # this one should fail + ${SSH} -F $OBJ/ssh_config -p ${base}01 somehost true \ + >>$TEST_REGRESS_LOGFILE 2>&1 && \ + fail "local forwarding not cleared" +fi +${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost + +trace "clear remote forward" +rm -f $CTL +${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \ + -oClearAllForwardings=yes somehost sleep 10 +if [ $? != 0 ]; then + fail "connection failed with cleared remote forwarding" +else + # this one should fail + ${SSH} -F $OBJ/ssh_config -p ${base}01 somehost true \ + >>$TEST_REGRESS_LOGFILE 2>&1 && \ + fail "remote forwarding not cleared" +fi +${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost + +trace "stdio forwarding" +cmd="${SSH} -F $OBJ/ssh_config" +$cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" somehost true +if [ $? != 0 ]; then + fail "stdio forwarding" +fi echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config -for p in ${SSH_PROTOCOLS}; do - trace "config file: start forwarding, fork to background" - rm -f $CTL - ${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f somehost sleep 10 - - trace "config file: transfer over forwarded channels and check result" - ${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \ - somehost cat ${DATA} > ${COPY} - test -s ${COPY} || fail "failed copy of ${DATA}" - cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" - - ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost -done -for p in 2; do - trace "transfer over chained unix domain socket forwards and check result" - rm -f $OBJ/unix-[123].fwd - rm -f $CTL $CTL.[123] - ${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10 - ${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10 - ${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10 - ${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10 - ${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \ - somehost cat ${DATA} > ${COPY} - test -s ${COPY} || fail "failed copy ${DATA}" - cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" - - ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost - ${SSH} -F $OBJ/ssh_config -S $CTL.1 -O exit somehost - ${SSH} -F $OBJ/ssh_config -S $CTL.2 -O exit somehost - ${SSH} -F $OBJ/ssh_config -S $CTL.3 -O exit somehost -done +trace "config file: start forwarding, fork to background" +rm -f $CTL +${SSH} -S $CTL -M -F $OBJ/ssh_config -f somehost sleep 10 + +trace "config file: transfer over forwarded channels and check result" +${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \ + somehost cat ${DATA} > ${COPY} +test -s ${COPY} || fail "failed copy of ${DATA}" +cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" + +${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost + +trace "transfer over chained unix domain socket forwards and check result" +rm -f $OBJ/unix-[123].fwd +rm -f $CTL $CTL.[123] +${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10 +${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10 +${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10 +${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10 +${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \ + somehost cat ${DATA} > ${COPY} +test -s ${COPY} || fail "failed copy ${DATA}" +cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" + +${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost +${SSH} -F $OBJ/ssh_config -S $CTL.1 -O exit somehost +${SSH} -F $OBJ/ssh_config -S $CTL.2 -O exit somehost +${SSH} -F $OBJ/ssh_config -S $CTL.3 -O exit somehost + diff --git a/regress/usr.bin/ssh/host-expand.sh b/regress/usr.bin/ssh/host-expand.sh index 2a95bfe1b37..9444f7fb619 100644 --- a/regress/usr.bin/ssh/host-expand.sh +++ b/regress/usr.bin/ssh/host-expand.sh @@ -1,4 +1,4 @@ -# $OpenBSD: host-expand.sh,v 1.4 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: host-expand.sh,v 1.5 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="expand %h and %n" @@ -11,9 +11,6 @@ somehost 127.0.0.1 EOE -for p in ${SSH_PROTOCOLS}; do - verbose "test $tid: proto $p" - ${SSH} -F $OBJ/ssh_proxy -$p somehost true >$OBJ/actual - diff $OBJ/expect $OBJ/actual || fail "$tid proto $p" -done +${SSH} -F $OBJ/ssh_proxy somehost true >$OBJ/actual +diff $OBJ/expect $OBJ/actual || fail "$tid" diff --git a/regress/usr.bin/ssh/hostkey-agent.sh b/regress/usr.bin/ssh/hostkey-agent.sh index 094700da62f..811b6b9ab25 100644 --- a/regress/usr.bin/ssh/hostkey-agent.sh +++ b/regress/usr.bin/ssh/hostkey-agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: hostkey-agent.sh,v 1.6 2015/07/10 06:23:25 markus Exp $ +# $OpenBSD: hostkey-agent.sh,v 1.7 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="hostkey agent" @@ -40,7 +40,7 @@ for ps in no yes; do cp $OBJ/known_hosts.orig $OBJ/known_hosts SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'` if [ $? -ne 0 ]; then - fail "protocol $p privsep=$ps failed" + fail "privsep=$ps failed" fi if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then fail "bad SSH_CONNECTION key type $k privsep=$ps" diff --git a/regress/usr.bin/ssh/integrity.sh b/regress/usr.bin/ssh/integrity.sh index 12e91e9d88d..062a8cfd6bf 100644 --- a/regress/usr.bin/ssh/integrity.sh +++ b/regress/usr.bin/ssh/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.22 2017/04/28 04:16:27 dtucker Exp $ +# $OpenBSD: integrity.sh,v 1.23 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="integrity" @@ -41,7 +41,7 @@ for m in $macs; do macopt="-m $m -c aes128-ctr" fi verbose "test $tid: $m @$off" - ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ + ${SSH} $macopt -F $OBJ/ssh_proxy -o "$pxy" \ -oServerAliveInterval=1 -oServerAliveCountMax=30 \ 999.999.999.999 'printf "%4096s" " "' >/dev/null if [ $? -eq 0 ]; then diff --git a/regress/usr.bin/ssh/key-options.sh b/regress/usr.bin/ssh/key-options.sh index 7a68ad358b7..2adee683347 100644 --- a/regress/usr.bin/ssh/key-options.sh +++ b/regress/usr.bin/ssh/key-options.sh @@ -1,4 +1,4 @@ -# $OpenBSD: key-options.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: key-options.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="key options" @@ -8,64 +8,56 @@ authkeys="$OBJ/authorized_keys_${USER}" cp $authkeys $origkeys # Test command= forced command -for p in ${SSH_PROTOCOLS}; do - for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do +for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do sed "s/.*/$c &/" $origkeys >$authkeys - verbose "key option proto $p $c" - r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost echo foo` + verbose "key option $c" + r=`${SSH} -q -F $OBJ/ssh_proxy somehost echo foo` if [ "$r" = "foo" ]; then fail "key option forced command not restricted" fi if [ "$r" != "bar" ]; then fail "key option forced command not executed" fi - done done # Test no-pty sed 's/.*/no-pty &/' $origkeys >$authkeys -for p in ${SSH_PROTOCOLS}; do - verbose "key option proto $p no-pty" - r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost tty` - if [ -f "$r" ]; then - fail "key option failed proto $p no-pty (pty $r)" - fi -done +verbose "key option proto no-pty" +r=`${SSH} -q -F $OBJ/ssh_proxy somehost tty` +if [ -f "$r" ]; then + fail "key option failed no-pty (pty $r)" +fi # Test environment= echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys -for p in ${SSH_PROTOCOLS}; do - verbose "key option proto $p environment" - r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo $FOO'` - if [ "$r" != "bar" ]; then - fail "key option environment not set" - fi -done +verbose "key option environment" +r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo $FOO'` +if [ "$r" != "bar" ]; then + fail "key option environment not set" +fi # Test from= restriction start_sshd -for p in ${SSH_PROTOCOLS}; do - for f in 127.0.0.1 '127.0.0.0\/8'; do +for f in 127.0.0.1 '127.0.0.0\/8'; do cat $origkeys >$authkeys - ${SSH} -$p -q -F $OBJ/ssh_proxy somehost true + ${SSH} -q -F $OBJ/ssh_proxy somehost true if [ $? -ne 0 ]; then - fail "key option proto $p failed without restriction" + fail "key option failed without restriction" fi sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys from=`head -1 $authkeys | cut -f1 -d ' '` - verbose "key option proto $p $from" - r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'` + verbose "key option $from" + r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'` if [ "$r" = "true" ]; then - fail "key option proto $p $from not restricted" + fail "key option $from not restricted" fi - r=`${SSH} -$p -q -F $OBJ/ssh_config somehost 'echo true'` + r=`${SSH} -q -F $OBJ/ssh_config somehost 'echo true'` if [ "$r" != "true" ]; then - fail "key option proto $p $from not allowed but should be" + fail "key option $from not allowed but should be" fi - done done rm -f "$origkeys" diff --git a/regress/usr.bin/ssh/keygen-change.sh b/regress/usr.bin/ssh/keygen-change.sh index e56185050dd..8b8acd52fb9 100644 --- a/regress/usr.bin/ssh/keygen-change.sh +++ b/regress/usr.bin/ssh/keygen-change.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keygen-change.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: keygen-change.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="change passphrase for key" @@ -7,9 +7,6 @@ S1="secret1" S2="2secret" KEYTYPES=`${SSH} -Q key-plain` -if ssh_version 1; then - KEYTYPES="${KEYTYPES} rsa1" -fi for t in $KEYTYPES; do # generate user key for agent diff --git a/regress/usr.bin/ssh/keyscan.sh b/regress/usr.bin/ssh/keyscan.sh index f97364b76e7..3bde1219a60 100644 --- a/regress/usr.bin/ssh/keyscan.sh +++ b/regress/usr.bin/ssh/keyscan.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keyscan.sh,v 1.5 2015/09/11 03:44:21 djm Exp $ +# $OpenBSD: keyscan.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="keyscan" @@ -9,10 +9,6 @@ rm -f ${OBJ}/host.dsa start_sshd KEYTYPES=`${SSH} -Q key-plain` -if ssh_version 1; then - KEYTYPES="${KEYTYPES} rsa1" -fi - for t in $KEYTYPES; do trace "keyscan type $t" ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \ diff --git a/regress/usr.bin/ssh/localcommand.sh b/regress/usr.bin/ssh/localcommand.sh index 220f19a4d48..5224a16b24d 100644 --- a/regress/usr.bin/ssh/localcommand.sh +++ b/regress/usr.bin/ssh/localcommand.sh @@ -1,4 +1,4 @@ -# $OpenBSD: localcommand.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: localcommand.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="localcommand" @@ -6,10 +6,8 @@ tid="localcommand" echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy echo 'LocalCommand echo foo' >> $OBJ/ssh_proxy -for p in ${SSH_PROTOCOLS}; do - verbose "test $tid: proto $p localcommand" - a=`${SSH} -F $OBJ/ssh_proxy -$p somehost true` - if [ "$a" != "foo" ] ; then - fail "$tid proto $p" - fi -done +verbose "test $tid: proto $p localcommand" +a=`${SSH} -F $OBJ/ssh_proxy somehost true` +if [ "$a" != "foo" ] ; then + fail "$tid proto $p" +fi diff --git a/regress/usr.bin/ssh/misc/kexfuzz/kexfuzz.c b/regress/usr.bin/ssh/misc/kexfuzz/kexfuzz.c index 4c1f5644db5..daf60306f6a 100644 --- a/regress/usr.bin/ssh/misc/kexfuzz/kexfuzz.c +++ b/regress/usr.bin/ssh/misc/kexfuzz/kexfuzz.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexfuzz.c,v 1.3 2016/10/11 21:49:54 djm Exp $ */ +/* $OpenBSD: kexfuzz.c,v 1.4 2017/04/30 23:34:55 djm Exp $ */ /* * Fuzz harness for KEX code * @@ -412,7 +412,7 @@ main(int argc, char **argv) close(fd); /* XXX check that it is a private key */ /* XXX support certificates */ - if (key == NULL || key->type == KEY_UNSPEC || key->type == KEY_RSA1) + if (key == NULL || key->type == KEY_UNSPEC) badusage("Invalid key file (-k flag)"); /* Replace (fuzz) mode */ diff --git a/regress/usr.bin/ssh/multiplex.sh b/regress/usr.bin/ssh/multiplex.sh index f32a25f7131..2bddee7f5c1 100644 --- a/regress/usr.bin/ssh/multiplex.sh +++ b/regress/usr.bin/ssh/multiplex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: multiplex.sh,v 1.27 2014/12/22 06:14:29 djm Exp $ +# $OpenBSD: multiplex.sh,v 1.28 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. CTL=$OBJ/ctl-sock @@ -94,7 +94,7 @@ for s in 0 1 4 5 44; do ${SSH} -F $OBJ/ssh_config -S $CTL otherhost exit $s r=$? if [ $r -ne $s ]; then - fail "exit code mismatch for protocol $p: $r != $s" + fail "exit code mismatch: $r != $s" fi # same with early close of stdout/err @@ -103,7 +103,7 @@ for s in 0 1 4 5 44; do exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\' r=$? if [ $r -ne $s ]; then - fail "exit code (with sleep) mismatch for protocol $p: $r != $s" + fail "exit code (with sleep) mismatch: $r != $s" fi done diff --git a/regress/usr.bin/ssh/principals-command.sh b/regress/usr.bin/ssh/principals-command.sh index 37d23ab3331..280d2c89ed3 100644 --- a/regress/usr.bin/ssh/principals-command.sh +++ b/regress/usr.bin/ssh/principals-command.sh @@ -1,4 +1,4 @@ -# $OpenBSD: principals-command.sh,v 1.3 2016/09/26 21:34:38 bluhm Exp $ +# $OpenBSD: principals-command.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="authorized principals command" @@ -68,7 +68,7 @@ for privsep in yes no ; do # Empty authorized_principals verbose "$tid: ${_prefix} empty authorized_principals" echo > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ + ${SSH} -i $OBJ/cert_user_key \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpectedly" @@ -77,7 +77,7 @@ for privsep in yes no ; do # Wrong authorized_principals verbose "$tid: ${_prefix} wrong authorized_principals" echo gregorsamsa > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ + ${SSH} -i $OBJ/cert_user_key \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpectedly" @@ -86,7 +86,7 @@ for privsep in yes no ; do # Correct authorized_principals verbose "$tid: ${_prefix} correct authorized_principals" echo mekmitasdigoat > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ + ${SSH} -i $OBJ/cert_user_key \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -ne 0 ]; then fail "ssh cert connect failed" @@ -95,7 +95,7 @@ for privsep in yes no ; do # authorized_principals with bad key option verbose "$tid: ${_prefix} authorized_principals bad key opt" echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ + ${SSH} -i $OBJ/cert_user_key \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpectedly" @@ -105,7 +105,7 @@ for privsep in yes no ; do verbose "$tid: ${_prefix} authorized_principals command=false" echo 'command="false" mekmitasdigoat' > \ $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ + ${SSH} -i $OBJ/cert_user_key \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpectedly" @@ -116,7 +116,7 @@ for privsep in yes no ; do verbose "$tid: ${_prefix} authorized_principals command=true" echo 'command="true" mekmitasdigoat' > \ $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ + ${SSH} -i $OBJ/cert_user_key \ -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 if [ $? -ne 0 ]; then fail "ssh cert connect failed" @@ -135,7 +135,7 @@ for privsep in yes no ; do printf 'cert-authority,principals="gregorsamsa" ' cat $OBJ/user_ca_key.pub ) > $OBJ/authorized_keys_$USER - ${SSH} -2i $OBJ/cert_user_key \ + ${SSH} -i $OBJ/cert_user_key \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpectedly" @@ -147,7 +147,7 @@ for privsep in yes no ; do printf 'cert-authority,principals="mekmitasdigoat" ' cat $OBJ/user_ca_key.pub ) > $OBJ/authorized_keys_$USER - ${SSH} -2i $OBJ/cert_user_key \ + ${SSH} -i $OBJ/cert_user_key \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -ne 0 ]; then fail "ssh cert connect failed" diff --git a/regress/usr.bin/ssh/proto-mismatch.sh b/regress/usr.bin/ssh/proto-mismatch.sh index 9e8024beb0f..6ab28c9a7ad 100644 --- a/regress/usr.bin/ssh/proto-mismatch.sh +++ b/regress/usr.bin/ssh/proto-mismatch.sh @@ -1,21 +1,17 @@ -# $OpenBSD: proto-mismatch.sh,v 1.4 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: proto-mismatch.sh,v 1.5 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="protocol version mismatch" mismatch () { - server=$1 client=$2 - banner=`echo ${client} | ${SSHD} -o "Protocol=${server}" -i -f ${OBJ}/sshd_proxy` + banner=`echo ${client} | ${SSHD} -i -f ${OBJ}/sshd_proxy` r=$? trace "sshd prints ${banner}" if [ $r -ne 255 ]; then - fail "sshd prints ${banner} and accepts connect with version ${client}" + fail "sshd prints ${banner} but accepts version ${client}" fi } -mismatch 2 SSH-1.5-HALLO -if ssh_version 1; then - mismatch 1 SSH-2.0-HALLO -fi +mismatch SSH-1.5-HALLO diff --git a/regress/usr.bin/ssh/proto-version.sh b/regress/usr.bin/ssh/proto-version.sh index cf494611548..5faeb758cfa 100644 --- a/regress/usr.bin/ssh/proto-version.sh +++ b/regress/usr.bin/ssh/proto-version.sh @@ -1,4 +1,4 @@ -# $OpenBSD: proto-version.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: proto-version.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="sshd version with different protocol combinations" @@ -6,9 +6,8 @@ tid="sshd version with different protocol combinations" # we just start sshd in inetd mode and check the banner check_version () { - version=$1 expect=$2 - banner=`printf '' | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy` + banner=`printf '' | ${SSHD} -i -f ${OBJ}/sshd_proxy` case ${banner} in SSH-1.99-*) proto=199 @@ -24,13 +23,8 @@ check_version () ;; esac if [ ${expect} -ne ${proto} ]; then - fail "wrong protocol version ${banner} for ${version}" + fail "wrong protocol version ${banner}" fi } -check_version 2 20 -if ssh_version 1; then - check_version 2,1 199 - check_version 1,2 199 - check_version 1 15 -fi +check_version 20 diff --git a/regress/usr.bin/ssh/proxy-connect.sh b/regress/usr.bin/ssh/proxy-connect.sh index b7a43fabe78..f1b9d9f76bd 100644 --- a/regress/usr.bin/ssh/proxy-connect.sh +++ b/regress/usr.bin/ssh/proxy-connect.sh @@ -1,4 +1,4 @@ -# $OpenBSD: proxy-connect.sh,v 1.9 2016/02/17 02:24:17 djm Exp $ +# $OpenBSD: proxy-connect.sh,v 1.10 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="proxy connect" @@ -6,27 +6,22 @@ tid="proxy connect" mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig for ps in no yes; do - cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy - echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy - - for p in ${SSH_PROTOCOLS}; do - for c in no yes; do - verbose "plain username protocol $p privsep=$ps comp=$c" - opts="-$p -oCompression=$c -F $OBJ/ssh_proxy" - SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'` - if [ $? -ne 0 ]; then - fail "ssh proxyconnect protocol $p privsep=$ps comp=$c failed" - fi - if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then - fail "bad SSH_CONNECTION protocol $p privsep=$ps comp=$c: " \ - "$SSH_CONNECTION" - fi - done - done + cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy + echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy + for c in no yes; do + verbose "plain username privsep=$ps comp=$c" + opts="-oCompression=$c -F $OBJ/ssh_proxy" + SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'` + if [ $? -ne 0 ]; then + fail "ssh proxyconnect privsep=$ps comp=$c failed" + fi + if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then + fail "bad SSH_CONNECTION privsep=$ps comp=$c: " \ + "$SSH_CONNECTION" + fi + done done -for p in ${SSH_PROTOCOLS}; do - verbose "username with style protocol $p" - ${SSH} -$p -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \ - fail "ssh proxyconnect protocol $p failed" -done +verbose "username with style" +${SSH} -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \ + fail "ssh proxyconnect failed" diff --git a/regress/usr.bin/ssh/putty-transfer.sh b/regress/usr.bin/ssh/putty-transfer.sh index 23881d3a37e..308580fbc94 100644 --- a/regress/usr.bin/ssh/putty-transfer.sh +++ b/regress/usr.bin/ssh/putty-transfer.sh @@ -1,4 +1,4 @@ -# $OpenBSD: putty-transfer.sh,v 1.4 2016/11/25 03:02:01 dtucker Exp $ +# $OpenBSD: putty-transfer.sh,v 1.5 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="putty transfer data" @@ -7,33 +7,30 @@ if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then fatal "putty interop tests not enabled" fi -# XXX support protocol 1 too -for p in 2; do - for c in 0 1 ; do - verbose "$tid: proto $p compression $c" +for c in 0 1 ; do + verbose "$tid: compression $c" + rm -f ${COPY} + cp ${OBJ}/.putty/sessions/localhost_proxy \ + ${OBJ}/.putty/sessions/compression_$c + echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k + env HOME=$PWD ${PLINK} -load compression_$c -batch \ + -i putty.rsa cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" + fi + cmp ${DATA} ${COPY} || fail "corrupted copy" + + for s in 10 100 1k 32k 64k 128k 256k; do + trace "compression $c dd-size ${s}" rm -f ${COPY} - cp ${OBJ}/.putty/sessions/localhost_proxy \ - ${OBJ}/.putty/sessions/compression_$c - echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k - env HOME=$PWD ${PLINK} -load compression_$c -batch \ - -i putty.rsa$p cat ${DATA} > ${COPY} + dd if=$DATA obs=${s} 2> /dev/null | \ + env HOME=$PWD ${PLINK} -load compression_$c \ + -batch -i putty.rsa \ + "cat > ${COPY}" if [ $? -ne 0 ]; then fail "ssh cat $DATA failed" fi - cmp ${DATA} ${COPY} || fail "corrupted copy" - - for s in 10 100 1k 32k 64k 128k 256k; do - trace "proto $p compression $c dd-size ${s}" - rm -f ${COPY} - dd if=$DATA obs=${s} 2> /dev/null | \ - env HOME=$PWD ${PLINK} -load compression_$c \ - -batch -i putty.rsa$p \ - "cat > ${COPY}" - if [ $? -ne 0 ]; then - fail "ssh cat $DATA failed" - fi - cmp $DATA ${COPY} || fail "corrupted copy" - done + cmp $DATA ${COPY} || fail "corrupted copy" done done rm -f ${COPY} diff --git a/regress/usr.bin/ssh/reconfigure.sh b/regress/usr.bin/ssh/reconfigure.sh index 77956e6e0b9..b954d93b3d5 100644 --- a/regress/usr.bin/ssh/reconfigure.sh +++ b/regress/usr.bin/ssh/reconfigure.sh @@ -1,4 +1,4 @@ -# $OpenBSD: reconfigure.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: reconfigure.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="simple connect after reconfigure" @@ -7,12 +7,10 @@ tid="simple connect after reconfigure" start_sshd trace "connect before restart" -for p in ${SSH_PROTOCOLS} ; do - ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true - if [ $? -ne 0 ]; then - fail "ssh connect with protocol $p failed before reconfigure" - fi -done +${SSH} -F $OBJ/ssh_config somehost true +if [ $? -ne 0 ]; then + fail "ssh connect with failed before reconfigure" +fi $SUDO kill -HUP `cat $PIDFILE` sleep 1 @@ -27,9 +25,7 @@ done test -f $PIDFILE || fatal "sshd did not restart" trace "connect after restart" -for p in ${SSH_PROTOCOLS} ; do - ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true - if [ $? -ne 0 ]; then - fail "ssh connect with protocol $p failed after reconfigure" - fi -done +${SSH} -F $OBJ/ssh_config somehost true +if [ $? -ne 0 ]; then + fail "ssh connect with failed after reconfigure" +fi diff --git a/regress/usr.bin/ssh/reexec.sh b/regress/usr.bin/ssh/reexec.sh index dcb02bc0ee9..7fbe24c9add 100644 --- a/regress/usr.bin/ssh/reexec.sh +++ b/regress/usr.bin/ssh/reexec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: reexec.sh,v 1.10 2016/12/16 01:06:27 dtucker Exp $ +# $OpenBSD: reexec.sh,v 1.11 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="reexec tests" @@ -19,16 +19,13 @@ start_sshd_copy () copy_tests () { rm -f ${COPY} - for p in ${SSH_PROTOCOLS} ; do - verbose "$tid: proto $p" - ${SSH} -nqo "Protocol=$p" -F $OBJ/ssh_config somehost \ - cat ${DATA} > ${COPY} - if [ $? -ne 0 ]; then - fail "ssh cat $DATA failed" - fi - cmp ${DATA} ${COPY} || fail "corrupted copy" - rm -f ${COPY} - done + ${SSH} -nq -F $OBJ/ssh_config somehost \ + cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" + fi + cmp ${DATA} ${COPY} || fail "corrupted copy" + rm -f ${COPY} } verbose "test config passing" @@ -64,4 +61,3 @@ copy_tests stop_sshd - diff --git a/regress/usr.bin/ssh/stderr-after-eof.sh b/regress/usr.bin/ssh/stderr-after-eof.sh index 218ac6b68e1..9065245e84f 100644 --- a/regress/usr.bin/ssh/stderr-after-eof.sh +++ b/regress/usr.bin/ssh/stderr-after-eof.sh @@ -1,4 +1,4 @@ -# $OpenBSD: stderr-after-eof.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: stderr-after-eof.sh,v 1.3 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="stderr data after eof" @@ -10,7 +10,7 @@ for i in 1 2 3 4 5 6; do (date;echo $i) | md5 >> ${DATA} done -${SSH} -2 -F $OBJ/ssh_proxy otherhost \ +${SSH} -F $OBJ/ssh_proxy otherhost \ exec sh -c \'"exec > /dev/null; sleep 2; cat ${DATA} 1>&2 $s"\' \ 2> ${COPY} r=$? diff --git a/regress/usr.bin/ssh/stderr-data.sh b/regress/usr.bin/ssh/stderr-data.sh index 8c8149a732b..0ceb72b3a29 100644 --- a/regress/usr.bin/ssh/stderr-data.sh +++ b/regress/usr.bin/ssh/stderr-data.sh @@ -1,13 +1,12 @@ -# $OpenBSD: stderr-data.sh,v 1.4 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: stderr-data.sh,v 1.5 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="stderr data transfer" for n in '' -n; do -for p in ${SSH_PROTOCOLS}; do - verbose "test $tid: proto $p ($n)" - ${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \ - exec sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ + verbose "test $tid: ($n)" + ${SSH} $n -F $OBJ/ssh_proxy otherhost exec \ + sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ 2> ${COPY} r=$? if [ $r -ne 0 ]; then @@ -16,8 +15,8 @@ for p in ${SSH_PROTOCOLS}; do cmp ${DATA} ${COPY} || fail "stderr corrupt" rm -f ${COPY} - ${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \ - exec sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ + ${SSH} $n -F $OBJ/ssh_proxy otherhost exec \ + sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ > /dev/null 2> ${COPY} r=$? if [ $r -ne 0 ]; then @@ -26,4 +25,3 @@ for p in ${SSH_PROTOCOLS}; do cmp ${DATA} ${COPY} || fail "stderr corrupt" rm -f ${COPY} done -done diff --git a/regress/usr.bin/ssh/test-exec.sh b/regress/usr.bin/ssh/test-exec.sh index 6c9e3e6d527..66e536bef54 100644 --- a/regress/usr.bin/ssh/test-exec.sh +++ b/regress/usr.bin/ssh/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.59 2017/02/07 23:03:11 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.60 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. USER=`id -un` @@ -91,12 +91,6 @@ if [ "x$TEST_SSH_CONCH" != "x" ]; then CONCH="${TEST_SSH_CONCH}" fi -SSH_PROTOCOLS=2 -#SSH_PROTOCOLS=`$SSH -Q protocol-version` -if [ "x$TEST_SSH_PROTOCOLS" != "x" ]; then - SSH_PROTOCOLS="${TEST_SSH_PROTOCOLS}" -fi - # Path to sshd must be absolute for rexec case "$SSHD" in /*) ;; @@ -246,22 +240,11 @@ fatal () exit $RESULT } -ssh_version () -{ - echo ${SSH_PROTOCOLS} | grep -q "$1" -} - RESULT=0 PIDFILE=$OBJ/pidfile trap fatal 3 2 -if ssh_version 1; then - PROTO="2,1" -else - PROTO="2" -fi - # create server config cat << EOF > $OBJ/sshd_config Port $PORT @@ -319,11 +302,8 @@ fi rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER -if ssh_version 1; then - SSH_KEYTYPES="rsa rsa1" -else - SSH_KEYTYPES="rsa ed25519" -fi +SSH_KEYTYPES="rsa ed25519" + trace "generate keys" for t in ${SSH_KEYTYPES}; do # generate user key diff --git a/regress/usr.bin/ssh/transfer.sh b/regress/usr.bin/ssh/transfer.sh index 36c14634ab9..cf174a00678 100644 --- a/regress/usr.bin/ssh/transfer.sh +++ b/regress/usr.bin/ssh/transfer.sh @@ -1,26 +1,23 @@ -# $OpenBSD: transfer.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: transfer.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="transfer data" -for p in ${SSH_PROTOCOLS}; do - verbose "$tid: proto $p" +rm -f ${COPY} +${SSH} -n -q -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY} +if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" +fi +cmp ${DATA} ${COPY} || fail "corrupted copy" + +for s in 10 100 1k 32k 64k 128k 256k; do + trace "dd-size ${s}" rm -f ${COPY} - ${SSH} -n -q -$p -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY} + dd if=$DATA obs=${s} 2> /dev/null | \ + ${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}" if [ $? -ne 0 ]; then fail "ssh cat $DATA failed" fi - cmp ${DATA} ${COPY} || fail "corrupted copy" - - for s in 10 100 1k 32k 64k 128k 256k; do - trace "proto $p dd-size ${s}" - rm -f ${COPY} - dd if=$DATA obs=${s} 2> /dev/null | \ - ${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}" - if [ $? -ne 0 ]; then - fail "ssh cat $DATA failed" - fi - cmp $DATA ${COPY} || fail "corrupted copy" - done + cmp $DATA ${COPY} || fail "corrupted copy" done rm -f ${COPY} diff --git a/regress/usr.bin/ssh/try-ciphers.sh b/regress/usr.bin/ssh/try-ciphers.sh index 889a735d27d..e04268ba35b 100644 --- a/regress/usr.bin/ssh/try-ciphers.sh +++ b/regress/usr.bin/ssh/try-ciphers.sh @@ -1,4 +1,4 @@ -# $OpenBSD: try-ciphers.sh,v 1.25 2015/03/24 20:22:17 markus Exp $ +# $OpenBSD: try-ciphers.sh,v 1.26 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="try ciphers" @@ -8,14 +8,14 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak for c in `${SSH} -Q cipher`; do n=0 for m in `${SSH} -Q mac`; do - trace "proto 2 cipher $c mac $m" - verbose "test $tid: proto 2 cipher $c mac $m" + trace "cipher $c mac $m" + verbose "test $tid: cipher $c mac $m" cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy echo "Ciphers=$c" >> $OBJ/sshd_proxy echo "MACs=$m" >> $OBJ/sshd_proxy - ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true + ${SSH} -F $OBJ/ssh_proxy -m $m -c $c somehost true if [ $? -ne 0 ]; then - fail "ssh -2 failed with mac $m cipher $c" + fail "ssh failed with mac $m cipher $c" fi # No point trying all MACs for AEAD ciphers since they # are ignored. @@ -26,17 +26,3 @@ for c in `${SSH} -Q cipher`; do done done -if ssh_version 1; then - ciphers="3des blowfish" -else - ciphers="" -fi -for c in $ciphers; do - trace "proto 1 cipher $c" - verbose "test $tid: proto 1 cipher $c" - ${SSH} -F $OBJ/ssh_proxy -1 -c $c somehost true - if [ $? -ne 0 ]; then - fail "ssh -1 failed with cipher $c" - fi -done - diff --git a/regress/usr.bin/ssh/yes-head.sh b/regress/usr.bin/ssh/yes-head.sh index 527e6fd3020..e0515e3cf0f 100644 --- a/regress/usr.bin/ssh/yes-head.sh +++ b/regress/usr.bin/ssh/yes-head.sh @@ -1,15 +1,13 @@ -# $OpenBSD: yes-head.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: yes-head.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="yes pipe head" -for p in ${SSH_PROTOCOLS}; do - lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'yes | head -2000' | (sleep 3 ; wc -l)` - if [ $? -ne 0 ]; then - fail "yes|head test failed" - lines = 0; - fi - if [ $lines -ne 2000 ]; then - fail "yes|head returns $lines lines instead of 2000" - fi -done +lines=`${SSH} -F $OBJ/ssh_proxy thishost 'yes | head -2000' | (sleep 3 ; wc -l)` +if [ $? -ne 0 ]; then + fail "yes|head test failed" + lines = 0; +fi +if [ $lines -ne 2000 ]; then + fail "yes|head returns $lines lines instead of 2000" +fi -- 2.20.1