[openssh-commits] [openssh] 01/02: upstream: test security key host keys in addition to user keys
git+noreply at mindrot.org
git+noreply at mindrot.org
Sat Dec 21 13:37:00 AEDT 2019
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit e5b7cf8edca7e843adc125621e1dab14507f430a
Author: djm at openbsd.org <djm at openbsd.org>
Date: Mon Dec 16 02:39:05 2019 +0000
upstream: test security key host keys in addition to user keys
OpenBSD-Regress-ID: 9fb45326106669a27e4bf150575c321806e275b1
---
regress/cert-hostkey.sh | 6 +++---
regress/hostkey-agent.sh | 6 +++---
regress/keygen-change.sh | 6 ++----
regress/keyscan.sh | 7 +++----
regress/keytype.sh | 8 ++------
regress/krl.sh | 4 ++--
regress/limit-keytype.sh | 4 ++--
regress/principals-command.sh | 4 ++--
regress/test-exec.sh | 12 +++++-------
9 files changed, 24 insertions(+), 33 deletions(-)
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 67a9795d..95d7c176 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-hostkey.sh,v 1.21 2019/12/11 18:47:14 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.22 2019/12/16 02:39:05 djm Exp $
# Placed in the Public Domain.
tid="certified host keys"
@@ -9,7 +9,7 @@ rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
# Allow all hostkey/pubkey types, prefer certs for the client
rsa=0
types=""
-for i in `$SSH -Q key | filter_sk`; do
+for i in `$SSH -Q key | maybe_filter_sk`; do
if [ -z "$types" ]; then
types="$i"
continue
@@ -70,7 +70,7 @@ touch $OBJ/host_revoked_plain
touch $OBJ/host_revoked_cert
cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
-PLAIN_TYPES=`$SSH -Q key-plain | filter_sk | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
+PLAIN_TYPES=`echo "$SSH_KEYTYPES" | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh
index 7f490e01..d6736e24 100644
--- a/regress/hostkey-agent.sh
+++ b/regress/hostkey-agent.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: hostkey-agent.sh,v 1.10 2019/12/11 18:47:14 djm Exp $
+# $OpenBSD: hostkey-agent.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
# Placed in the Public Domain.
tid="hostkey agent"
@@ -14,7 +14,7 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig
trace "load hostkeys"
-for k in `${SSH} -Q key-plain | filter_sk` ; do
+for k in $SSH_KEYTYPES ; do
${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
(
printf 'localhost-with-alias,127.0.0.1,::1 '
@@ -31,7 +31,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts
unset SSH_AUTH_SOCK
for ps in yes; do
- for k in `${SSH} -Q key-plain | filter_sk` ; do
+ for k in $SSH_KEYTYPES ; do
verbose "key type $k privsep=$ps"
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
diff --git a/regress/keygen-change.sh b/regress/keygen-change.sh
index dd1bfda8..3863e33b 100644
--- a/regress/keygen-change.sh
+++ b/regress/keygen-change.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: keygen-change.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
+# $OpenBSD: keygen-change.sh,v 1.9 2019/12/16 02:39:05 djm Exp $
# Placed in the Public Domain.
tid="change passphrase for key"
@@ -6,9 +6,7 @@ tid="change passphrase for key"
S1="secret1"
S2="2secret"
-KEYTYPES=`${SSH} -Q key-plain | maybe_filter_sk`
-
-for t in $KEYTYPES; do
+for t in $SSH_KEYTYPES; do
trace "generating $t key"
rm -f $OBJ/$t-key
${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key
diff --git a/regress/keyscan.sh b/regress/keyscan.sh
index 0ce0c741..b8593fed 100644
--- a/regress/keyscan.sh
+++ b/regress/keyscan.sh
@@ -1,10 +1,9 @@
-# $OpenBSD: keyscan.sh,v 1.11 2019/11/26 23:43:10 djm Exp $
+# $OpenBSD: keyscan.sh,v 1.12 2019/12/16 02:39:05 djm Exp $
# Placed in the Public Domain.
tid="keyscan"
-KEYTYPES=`${SSH} -Q key-plain | filter_sk`
-for i in $KEYTYPES; do
+for i in $SSH_KEYTYPES; do
if [ -z "$algs" ]; then
algs="$i"
else
@@ -15,7 +14,7 @@ echo "HostKeyAlgorithms $algs" >> $OBJ/sshd_config
start_sshd
-for t in $KEYTYPES; do
+for t in $SSH_KEYTYPES; do
trace "keyscan type $t"
${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \
> /dev/null 2>&1
diff --git a/regress/keytype.sh b/regress/keytype.sh
index 91c5aca1..20a8ceaf 100644
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: keytype.sh,v 1.9 2019/11/26 23:43:10 djm Exp $
+# $OpenBSD: keytype.sh,v 1.10 2019/12/16 02:39:05 djm Exp $
# Placed in the Public Domain.
tid="login with different key types"
@@ -50,11 +50,7 @@ kname_to_ktype() {
tries="1 2 3"
for ut in $ktypes; do
user_type=`kname_to_ktype "$ut"`
- # SK keys are not supported for hostkeys.
- case "$ut" in
- *sk) htypes=ed25519-512;;
- *) htypes="$ut";;
- esac
+ htypes="$ut"
#htypes=$ktypes
for ht in $htypes; do
host_type=`kname_to_ktype "$ht"`
diff --git a/regress/krl.sh b/regress/krl.sh
index 1efd80bf..c381225e 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: krl.sh,v 1.10 2019/11/26 23:43:10 djm Exp $
+# $OpenBSD: krl.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
# Placed in the Public Domain.
tid="key revocation lists"
@@ -7,7 +7,7 @@ tid="key revocation lists"
# w/out OpenSSL. Populate ktype[2-4] with the other types if supported.
ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
-for t in `${SSH} -Q key-plain | maybe_filter_sk`; do
+for t in $SSH_KEYTYPES; do
case "$t" in
ecdsa*) ktype2=ecdsa ;;
ssh-rsa) ktype3=rsa ;;
diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh
index abac05c0..010a88cd 100644
--- a/regress/limit-keytype.sh
+++ b/regress/limit-keytype.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: limit-keytype.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
+# $OpenBSD: limit-keytype.sh,v 1.9 2019/12/16 02:39:05 djm Exp $
# Placed in the Public Domain.
tid="restrict pubkey type"
@@ -13,7 +13,7 @@ mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
-for t in `${SSH} -Q key-plain | maybe_filter_sk`; do
+for t in $SSH_KEYTYPES ; do
case "$t" in
ssh-rsa) ktype2=rsa ;;
ecdsa*) ktype3=ecdsa ;; # unused
diff --git a/regress/principals-command.sh b/regress/principals-command.sh
index 9e85e8e7..5e535c13 100644
--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: principals-command.sh,v 1.10 2019/12/11 18:47:14 djm Exp $
+# $OpenBSD: principals-command.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
# Placed in the Public Domain.
tid="authorized principals command"
@@ -12,7 +12,7 @@ if [ -z "$SUDO" -a ! -w /var/run ]; then
exit 0
fi
-case "`${SSH} -Q key-plain`" in
+case "$SSH_KEYTYPES" in
*ssh-rsa*) userkeytype=rsa ;;
*) userkeytype=ed25519 ;;
esac
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 4bf4059f..03dab203 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.68 2019/11/26 23:43:10 djm Exp $
+# $OpenBSD: test-exec.sh,v 1.69 2019/12/16 02:39:05 djm Exp $
# Placed in the Public Domain.
#SUDO=sudo
@@ -493,23 +493,21 @@ export SSH_SK_PROVIDER
if ! test -z "$SSH_SK_PROVIDER"; then
EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)...
echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config
+ echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_config
+ echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_proxy
fi
export EXTRA_AGENT_ARGS
-filter_sk() {
- grep -v ^sk
-}
-
maybe_filter_sk() {
if test -z "$SSH_SK_PROVIDER" ; then
- filter_sk
+ grep -v ^sk
else
cat
fi
}
SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk`
-SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | filter_sk`
+SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk`
for t in ${SSH_KEYTYPES}; do
# generate user key
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list