[openssh-commits] [openssh] 04/04: upstream: test FIDO2/U2F key types; ok markus@
git+noreply at mindrot.org
git+noreply at mindrot.org
Wed Nov 27 11:03:21 AEDT 2019
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit ad44ca81bea83657d558aaef5a1d789a9032bac3
Author: djm at openbsd.org <djm at openbsd.org>
Date: Tue Nov 26 23:43:10 2019 +0000
upstream: test FIDO2/U2F key types; ok markus@
OpenBSD-Regress-ID: 367e06d5a260407619b4b113ea0bd7004a435474
---
regress/agent-getpeereid.sh | 4 ++--
regress/agent-pkcs11.sh | 4 ++--
regress/agent-ptrace.sh | 2 +-
regress/agent-timeout.sh | 4 ++--
regress/agent.sh | 10 ++++-----
regress/cert-file.sh | 4 ++--
regress/cert-hostkey.sh | 6 ++---
regress/cert-userkey.sh | 10 +++++----
regress/hostkey-agent.sh | 8 +++----
regress/hostkey-rotate.sh | 11 ++++------
regress/keygen-change.sh | 5 ++---
regress/keyscan.sh | 4 ++--
regress/keytype.sh | 51 ++++++++++++++++++++++++++++---------------
regress/krl.sh | 22 ++++++++++++-------
regress/limit-keytype.sh | 17 ++++++++++++---
regress/principals-command.sh | 2 +-
regress/sshsig.sh | 4 ++--
regress/test-exec.sh | 48 +++++++++++++++++++++++++++++++++++-----
18 files changed, 142 insertions(+), 74 deletions(-)
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh
index 769c29e8..52434081 100644
--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent-getpeereid.sh,v 1.10 2018/02/09 03:40:22 dtucker Exp $
+# $OpenBSD: agent-getpeereid.sh,v 1.11 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="disallow agent attach from other uid"
@@ -26,7 +26,7 @@ case "x$SUDO" in
esac
trace "start agent"
-eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s -a ${ASOCK}` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fail "could not start ssh-agent: exit code $r"
diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh
index 5205d906..fbbaea51 100644
--- a/regress/agent-pkcs11.sh
+++ b/regress/agent-pkcs11.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent-pkcs11.sh,v 1.6 2019/01/21 09:13:41 djm Exp $
+# $OpenBSD: agent-pkcs11.sh,v 1.7 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="pkcs11 agent test"
@@ -75,7 +75,7 @@ openssl pkcs8 -nocrypt -in $EC |\
softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" --import /dev/stdin
trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fail "could not start ssh-agent: exit code $r"
diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh
index 2d795ee3..9cd68d7e 100644
--- a/regress/agent-ptrace.sh
+++ b/regress/agent-ptrace.sh
@@ -41,7 +41,7 @@ else
fi
trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fail "could not start ssh-agent: exit code $r"
diff --git a/regress/agent-timeout.sh b/regress/agent-timeout.sh
index 311c7bcb..6dec0928 100644
--- a/regress/agent-timeout.sh
+++ b/regress/agent-timeout.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent-timeout.sh,v 1.5 2019/09/03 08:37:06 djm Exp $
+# $OpenBSD: agent-timeout.sh,v 1.6 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="agent timeout test"
@@ -6,7 +6,7 @@ tid="agent timeout test"
SSHAGENT_TIMEOUT=10
trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+eval `${SSHAGENT} -s ${EXTRA_AGENT_ARGS}` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fail "could not start ssh-agent: exit code $r"
diff --git a/regress/agent.sh b/regress/agent.sh
index 48fa12b0..922d8436 100644
--- a/regress/agent.sh
+++ b/regress/agent.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent.sh,v 1.15 2019/07/23 07:39:43 dtucker Exp $
+# $OpenBSD: agent.sh,v 1.16 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="simple agent test"
@@ -8,8 +8,8 @@ if [ $? -ne 2 ]; then
fail "ssh-add -l did not fail with exit code 2"
fi
-trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+trace "start agent, args ${EXTRA_AGENT_ARGS} -s"
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fatal "could not start ssh-agent: exit code $r"
@@ -39,9 +39,9 @@ for t in ${SSH_KEYTYPES}; do
# add to authorized keys
cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
# add privat key to agent
- ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
+ ${SSHADD} $OBJ/$t-agent #> /dev/null 2>&1
if [ $? -ne 0 ]; then
- fail "ssh-add did succeed exit code 0"
+ fail "ssh-add failed exit code $?"
fi
# Remove private key to ensure that we aren't accidentally using it.
rm -f $OBJ/$t-agent
diff --git a/regress/cert-file.sh b/regress/cert-file.sh
index 1157a358..94e672a9 100644
--- a/regress/cert-file.sh
+++ b/regress/cert-file.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-file.sh,v 1.7 2018/04/10 00:14:10 djm Exp $
+# $OpenBSD: cert-file.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="ssh with certificates"
@@ -120,7 +120,7 @@ if [ $? -ne 2 ]; then
fi
trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fatal "could not start ssh-agent: exit code $r"
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 82195b11..dc40b782 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-hostkey.sh,v 1.19 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.20 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="certified host keys"
@@ -9,7 +9,7 @@ rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
# Allow all hostkey/pubkey types, prefer certs for the client
rsa=0
types=""
-for i in `$SSH -Q key | grep -v ^sk-`; do
+for i in `$SSH -Q key | filter_sk`; do
if [ -z "$types" ]; then
types="$i"
continue
@@ -70,7 +70,7 @@ touch $OBJ/host_revoked_plain
touch $OBJ/host_revoked_cert
cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
-PLAIN_TYPES=`$SSH -Q key-plain | grep -v ^sk- | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
+PLAIN_TYPES=`$SSH -Q key-plain | filter_sk | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 51ac8dcb..d6e293d5 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-userkey.sh,v 1.22 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: cert-userkey.sh,v 1.23 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="certified user keys"
@@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
-PLAIN_TYPES=`$SSH -Q key-plain | grep -v ^sk- | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
+PLAIN_TYPES=`$SSH -Q key-plain | maybe_filter_sk | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
EXTRA_TYPES=""
rsa=""
@@ -17,8 +17,10 @@ if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
fi
kname() {
- case $ktype in
- rsa-sha2-*) n="$ktype" ;;
+ case $1 in
+ rsa-sha2-*) n="$1" ;;
+ sk-ecdsa-*) n="sk-ecdsa" ;;
+ sk-ssh-ed25519*) n="sk-ssh-ed25519" ;;
# subshell because some seds will add a newline
*) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;;
esac
diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh
index c581c7bf..af2ed780 100644
--- a/regress/hostkey-agent.sh
+++ b/regress/hostkey-agent.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: hostkey-agent.sh,v 1.8 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: hostkey-agent.sh,v 1.9 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="hostkey agent"
@@ -6,7 +6,7 @@ tid="hostkey agent"
rm -f $OBJ/agent-key.* $OBJ/ssh_proxy.orig $OBJ/known_hosts.orig
trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
r=$?
[ $r -ne 0 ] && fatal "could not start ssh-agent: exit code $r"
@@ -14,7 +14,7 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig
trace "load hostkeys"
-for k in `${SSH} -Q key-plain | grep -v ^sk-` ; do
+for k in `${SSH} -Q key-plain | filter_sk` ; do
${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
(
printf 'localhost-with-alias,127.0.0.1,::1 '
@@ -31,7 +31,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts
unset SSH_AUTH_SOCK
for ps in no yes; do
- for k in `${SSH} -Q key-plain | grep -v ^sk-` ; do
+ for k in `${SSH} -Q key-plain | filter_sk` ; do
verbose "key type $k privsep=$ps"
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
diff --git a/regress/hostkey-rotate.sh b/regress/hostkey-rotate.sh
index 707e3290..c3e100c3 100644
--- a/regress/hostkey-rotate.sh
+++ b/regress/hostkey-rotate.sh
@@ -1,11 +1,8 @@
-# $OpenBSD: hostkey-rotate.sh,v 1.7 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: hostkey-rotate.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="hostkey rotate"
-# Need full names here since they are used in HostKeyAlgorithms
-HOSTKEY_TYPES="`${SSH} -Q key-plain | grep -v ^sk-`"
-
rm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig
grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
@@ -20,7 +17,7 @@ secondary="$primary"
trace "prepare hostkeys"
nkeys=0
all_algs=""
-for k in $HOSTKEY_TYPES; do
+for k in $SSH_HOSTKEY_TYPES; do
${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k"
echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig
nkeys=`expr $nkeys + 1`
@@ -67,12 +64,12 @@ verbose "learn additional hostkeys"
dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs
# Check that other keys learned
expect_nkeys $nkeys "learn hostkeys"
-for k in $HOSTKEY_TYPES; do
+for k in $SSH_HOSTKEY_TYPES; do
check_key_present $k || fail "didn't learn keytype $k"
done
# Check each key type
-for k in $HOSTKEY_TYPES; do
+for k in $SSH_HOSTKEY_TYPES; do
verbose "learn additional hostkeys, type=$k"
dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs
expect_nkeys $nkeys "learn hostkeys $k"
diff --git a/regress/keygen-change.sh b/regress/keygen-change.sh
index c62f2c17..dd1bfda8 100644
--- a/regress/keygen-change.sh
+++ b/regress/keygen-change.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: keygen-change.sh,v 1.7 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: keygen-change.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="change passphrase for key"
@@ -6,10 +6,9 @@ tid="change passphrase for key"
S1="secret1"
S2="2secret"
-KEYTYPES=`${SSH} -Q key-plain | grep -v ^sk-`
+KEYTYPES=`${SSH} -Q key-plain | maybe_filter_sk`
for t in $KEYTYPES; do
- # generate user key for agent
trace "generating $t key"
rm -f $OBJ/$t-key
${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key
diff --git a/regress/keyscan.sh b/regress/keyscan.sh
index 4e16ecd8..0ce0c741 100644
--- a/regress/keyscan.sh
+++ b/regress/keyscan.sh
@@ -1,9 +1,9 @@
-# $OpenBSD: keyscan.sh,v 1.10 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: keyscan.sh,v 1.11 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="keyscan"
-KEYTYPES=`${SSH} -Q key-plain | grep -v ^sk-`
+KEYTYPES=`${SSH} -Q key-plain | filter_sk`
for i in $KEYTYPES; do
if [ -z "$algs" ]; then
algs="$i"
diff --git a/regress/keytype.sh b/regress/keytype.sh
index 13095088..91c5aca1 100644
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: keytype.sh,v 1.8 2019/07/23 13:49:14 dtucker Exp $
+# $OpenBSD: keytype.sh,v 1.9 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="login with different key types"
@@ -16,43 +16,60 @@ for i in ${SSH_KEYTYPES}; do
ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;;
ecdsa-sha2-nistp384) ktypes="$ktypes ecdsa-384" ;;
ecdsa-sha2-nistp521) ktypes="$ktypes ecdsa-521" ;;
+ sk-ssh-ed25519*) ktypes="$ktypes ed25519-sk" ;;
+ sk-ecdsa-sha2-nistp256*) ktypes="$ktypes ecdsa-sk" ;;
esac
done
for kt in $ktypes; do
rm -f $OBJ/key.$kt
- bits=`echo ${kt} | awk -F- '{print $2}'`
- type=`echo ${kt} | awk -F- '{print $1}'`
+ xbits=`echo ${kt} | awk -F- '{print $2}'`
+ xtype=`echo ${kt} | awk -F- '{print $1}'`
+ case "$kt" in
+ *sk) type="$kt"; bits="n/a"; bits_arg="";;
+ *) type=$xtype; bits=$xbits; bits_arg="-b $bits";;
+ esac
verbose "keygen $type, $bits bits"
- ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\
+ ${SSHKEYGEN} $bits_arg -q -N '' -t $type -f $OBJ/key.$kt || \
fail "ssh-keygen for type $type, $bits bits failed"
done
+kname_to_ktype() {
+ case $1 in
+ dsa-1024) echo ssh-dss;;
+ ecdsa-256) echo ecdsa-sha2-nistp256;;
+ ecdsa-384) echo ecdsa-sha2-nistp384;;
+ ecdsa-521) echo ecdsa-sha2-nistp521;;
+ ed25519-512) echo ssh-ed25519;;
+ rsa-*) echo rsa-sha2-512,rsa-sha2-256,ssh-rsa;;
+ ed25519-sk) echo sk-ssh-ed25519 at openssh.com;;
+ ecdsa-sk) echo sk-ecdsa-sha2-nistp256 at openssh.com;;
+ esac
+}
+
tries="1 2 3"
for ut in $ktypes; do
- htypes=$ut
+ user_type=`kname_to_ktype "$ut"`
+ # SK keys are not supported for hostkeys.
+ case "$ut" in
+ *sk) htypes=ed25519-512;;
+ *) htypes="$ut";;
+ esac
#htypes=$ktypes
for ht in $htypes; do
- case $ht in
- dsa-1024) t=ssh-dss;;
- ecdsa-256) t=ecdsa-sha2-nistp256;;
- ecdsa-384) t=ecdsa-sha2-nistp384;;
- ecdsa-521) t=ecdsa-sha2-nistp521;;
- ed25519-512) t=ssh-ed25519;;
- rsa-*) t=rsa-sha2-512,rsa-sha2-256,ssh-rsa;;
- esac
+ host_type=`kname_to_ktype "$ht"`
trace "ssh connect, userkey $ut, hostkey $ht"
(
grep -v HostKey $OBJ/sshd_proxy_bak
echo HostKey $OBJ/key.$ht
- echo PubkeyAcceptedKeyTypes $t
- echo HostKeyAlgorithms $t
+ echo PubkeyAcceptedKeyTypes $user_type
+ echo HostKeyAlgorithms $host_type
) > $OBJ/sshd_proxy
(
grep -v IdentityFile $OBJ/ssh_proxy_bak
echo IdentityFile $OBJ/key.$ut
- echo PubkeyAcceptedKeyTypes $t
- echo HostKeyAlgorithms $t
+ echo PubkeyAcceptedKeyTypes $user_type
+ echo HostKeyAlgorithms $host_type
) > $OBJ/ssh_proxy
(
printf 'localhost-with-alias,127.0.0.1,::1 '
diff --git a/regress/krl.sh b/regress/krl.sh
index c9b2e67e..1efd80bf 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -1,16 +1,19 @@
-# $OpenBSD: krl.sh,v 1.9 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: krl.sh,v 1.10 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="key revocation lists"
# Use ed25519 by default since it's fast and it's supported when building
# w/out OpenSSL. Populate ktype[2-4] with the other types if supported.
-ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; ktype4=ed25519
-for t in `${SSH} -Q key-plain | grep -v ^sk-`; do
+ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
+ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
+for t in `${SSH} -Q key-plain | maybe_filter_sk`; do
case "$t" in
ecdsa*) ktype2=ecdsa ;;
ssh-rsa) ktype3=rsa ;;
ssh-dss) ktype4=dsa ;;
+ sk-ssh-ed25519 at openssh.com) ktype5=ed25519-sk ;;
+ sk-ecdsa-sha2-nistp256 at openssh.com) ktype6=ecdsa-sk ;;
esac
done
@@ -34,6 +37,7 @@ serial: 10
serial: 15
serial: 30
serial: 50
+serial: 90
serial: 999
# The following sum to 500-799
serial: 500
@@ -51,7 +55,7 @@ EOF
# A specification that revokes some certificated by key ID.
touch $OBJ/revoked-keyid
-for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
+for n in 1 2 3 4 10 15 30 50 90 `jot 500 300` 999 1000 1001 1002; do
test "x$n" = "x499" && continue
# Fill in by-ID revocation spec.
echo "id: revoked $n" >> $OBJ/revoked-keyid
@@ -64,9 +68,11 @@ keygen() {
# supported.
keytype=$ktype1
case $N in
- 2 | 10 | 510 | 1001) keytype=$ktype2 ;;
- 4 | 30 | 520 | 1002) keytype=$ktype3 ;;
- 8 | 50 | 530 | 1003) keytype=$ktype4 ;;
+ 2 | 10 | 510 | 1001) keytype=$ktype2 ;;
+ 4 | 30 | 520 | 1002) keytype=$ktype3 ;;
+ 8 | 50 | 530 | 1003) keytype=$ktype4 ;;
+ 16 | 70 | 540 | 1004) keytype=$ktype5 ;;
+ 32 | 90 | 550 | 1005) keytype=$ktype6 ;;
esac
$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
|| fatal "$SSHKEYGEN failed"
@@ -78,7 +84,7 @@ keygen() {
# Generate some keys.
verbose "$tid: generating test keys"
-REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
+REVOKED_SERIALS="1 4 10 50 90 500 510 520 550 799 999"
for n in $REVOKED_SERIALS ; do
f=`keygen $n`
RKEYS="$RKEYS ${f}.pub"
diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh
index 6eb255c2..abac05c0 100644
--- a/regress/limit-keytype.sh
+++ b/regress/limit-keytype.sh
@@ -1,20 +1,25 @@
-# $OpenBSD: limit-keytype.sh,v 1.7 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: limit-keytype.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="restrict pubkey type"
+# XXX sk-* keys aren't actually tested ATM.
+
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/user_key*
rm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key*
mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
-ktype1=ed25519; ktype2=$ktype1; ktype3=$ktype1; ktype4=$ktype1
-for t in `${SSH} -Q key-plain | grep -v ^sk-`; do
+ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
+ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
+for t in `${SSH} -Q key-plain | maybe_filter_sk`; do
case "$t" in
ssh-rsa) ktype2=rsa ;;
ecdsa*) ktype3=ecdsa ;; # unused
ssh-dss) ktype4=dsa ;;
+ sk-ssh-ed25519 at openssh.com) ktype5=ed25519-sk ;;
+ sk-ecdsa-sha2-nistp256 at openssh.com) ktype6=ecdsa-sk ;;
esac
done
@@ -31,6 +36,10 @@ ${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/user_key3 || \
fatal "ssh-keygen failed"
${SSHKEYGEN} -q -N '' -t $ktype4 -f $OBJ/user_key4 || \
fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -N '' -t $ktype5 -f $OBJ/user_key5 || \
+ fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -N '' -t $ktype6 -f $OBJ/user_key6 || \
+ fatal "ssh-keygen failed"
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
-z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 ||
fatal "couldn't sign user_key1"
@@ -68,6 +77,8 @@ keytype() {
ed25519) printf "ssh-ed25519" ;;
dsa) printf "ssh-dss" ;;
rsa) printf "rsa-sha2-256,rsa-sha2-512,ssh-rsa" ;;
+ sk-ecdsa) printf "sk-ecdsa-*" ;;
+ sk-ssh-ed25519) printf "sk-ssh-ed25519-*" ;;
esac
}
diff --git a/regress/principals-command.sh b/regress/principals-command.sh
index 005c6b7d..a91858cb 100644
--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@@ -12,7 +12,7 @@ if [ -z "$SUDO" -a ! -w /var/run ]; then
exit 0
fi
-case "`${SSH} -Q key-plain | grep -v ^sk-`" in
+case "`${SSH} -Q key-plain`" in
*ssh-rsa*) userkeytype=rsa ;;
*) userkeytype=ed25519 ;;
esac
diff --git a/regress/sshsig.sh b/regress/sshsig.sh
index eb99486a..da362c17 100644
--- a/regress/sshsig.sh
+++ b/regress/sshsig.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: sshsig.sh,v 1.2 2019/10/04 03:39:19 djm Exp $
+# $OpenBSD: sshsig.sh,v 1.3 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="sshsig"
@@ -23,7 +23,7 @@ CA_PRIV=$OBJ/sigca-key
CA_PUB=$OBJ/sigca-key.pub
trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fatal "could not start ssh-agent: exit code $r"
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 3f1685bb..4bf4059f 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.67 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: test-exec.sh,v 1.68 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
#SUDO=sudo
@@ -128,6 +128,12 @@ if [ "x$TEST_SSH_CONCH" != "x" ]; then
*) CONCH=`which ${TEST_SSH_CONCH} 2>/dev/null` ;;
esac
fi
+if [ "x$TEST_SSH_PKCS11_HELPER" != "x" ]; then
+ SSH_PKCS11_HELPER="${TEST_SSH_PKCS11_HELPER}"
+fi
+if [ "x$TEST_SSH_SK_HELPER" != "x" ]; then
+ SSH_SK_HELPER="${TEST_SSH_SK_HELPER}"
+fi
# Path to sshd must be absolute for rexec
case "$SSHD" in
@@ -252,6 +258,7 @@ increase_datafile_size()
# these should be used in tests
export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
+export SSH_PKCS11_HELPER SSH_SK_HELPER
#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP
# Portable specific functions
@@ -475,8 +482,35 @@ fi
rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER
-SSH_KEYTYPES=`$SSH -Q key-plain | grep -v ^sk`
+SSH_SK_PROVIDER=
+if [ -f "${SRC}/misc/sk-dummy/obj/sk-dummy.so" ] ; then
+ SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/obj/sk-dummy.so"
+elif [ -f "${SRC}/misc/sk-dummy/sk-dummy.so" ] ; then
+ SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/sk-dummy.so"
+fi
+export SSH_SK_PROVIDER
+if ! test -z "$SSH_SK_PROVIDER"; then
+ EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)...
+ echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config
+fi
+export EXTRA_AGENT_ARGS
+
+filter_sk() {
+ grep -v ^sk
+}
+
+maybe_filter_sk() {
+ if test -z "$SSH_SK_PROVIDER" ; then
+ filter_sk
+ else
+ cat
+ fi
+}
+
+SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk`
+SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | filter_sk`
+
for t in ${SSH_KEYTYPES}; do
# generate user key
trace "generating key type $t"
@@ -486,16 +520,18 @@ for t in ${SSH_KEYTYPES}; do
fail "ssh-keygen for $t failed"
fi
+ # setup authorized keys
+ cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+ echo IdentityFile $OBJ/$t >> $OBJ/ssh_config
+done
+
+for t in ${SSH_HOSTKEY_TYPES}; do
# known hosts file for client
(
printf 'localhost-with-alias,127.0.0.1,::1 '
cat $OBJ/$t.pub
) >> $OBJ/known_hosts
- # setup authorized keys
- cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
- echo IdentityFile $OBJ/$t >> $OBJ/ssh_config
-
# use key as host key, too
$SUDO cp $OBJ/$t $OBJ/host.$t
echo HostKey $OBJ/host.$t >> $OBJ/sshd_config
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list