[openssh-commits] [openssh] 02/03: upstream: Remove references to privsep.
git+noreply at mindrot.org
git+noreply at mindrot.org
Fri Oct 1 14:55:48 AEST 2021
This is an automated email from the git hooks/post-receive script.
dtucker pushed a commit to branch master
in repository openssh.
commit ddcb53b7a7b29be65d57562302b2d5f41733e8dd
Author: dtucker at openbsd.org <dtucker at openbsd.org>
Date: Thu Sep 30 05:20:08 2021 +0000
upstream: Remove references to privsep.
This removes several do..while loops but does not change the
indentation of the now-shallower loops, which will be done in a separate
whitespace-only commit to keep changes of style and substance separate.
OpenBSD-Regress-ID: 4bed1a0249df7b4a87c965066ce689e79472a8f7
---
regress/cert-hostkey.sh | 12 +--
regress/cert-userkey.sh | 14 +--
regress/hostkey-agent.sh | 6 +-
regress/login-timeout.sh | 4 +-
regress/principals-command.sh | 216 +++++++++++++++++++++---------------------
5 files changed, 117 insertions(+), 135 deletions(-)
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index de8652b0..904dd693 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-hostkey.sh,v 1.25 2021/06/08 22:30:27 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.26 2021/09/30 05:20:08 dtucker Exp $
# Placed in the Public Domain.
tid="certified host keys"
@@ -131,14 +131,12 @@ attempt_connect() {
}
# Basic connect and revocation tests.
-for privsep in yes ; do
for ktype in $PLAIN_TYPES ; do
- verbose "$tid: host ${ktype} cert connect privsep $privsep"
+ verbose "$tid: host ${ktype} cert connect"
(
cat $OBJ/sshd_proxy_bak
echo HostKey $OBJ/cert_host_key_${ktype}
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
- echo UsePrivilegeSeparation $privsep
) > $OBJ/sshd_proxy
# test name expect success
@@ -160,7 +158,6 @@ for privsep in yes ; do
attempt_connect "$ktype CA plaintext revocation" "no" \
-oRevokedHostKeys=$OBJ/host_revoked_ca
done
-done
# Revoked certificates with key present
kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
@@ -169,14 +166,12 @@ for ktype in $PLAIN_TYPES ; do
kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
done
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for privsep in yes ; do
for ktype in $PLAIN_TYPES ; do
- verbose "$tid: host ${ktype} revoked cert privsep $privsep"
+ verbose "$tid: host ${ktype} revoked cert"
(
cat $OBJ/sshd_proxy_bak
echo HostKey $OBJ/cert_host_key_${ktype}
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
- echo UsePrivilegeSeparation $privsep
) > $OBJ/sshd_proxy
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
@@ -187,7 +182,6 @@ for privsep in yes ; do
fail "ssh cert connect succeeded unexpectedly"
fi
done
-done
# Revoked CA
kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index baa6903e..53d1951d 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-userkey.sh,v 1.26 2021/02/25 03:27:34 djm Exp $
+# $OpenBSD: cert-userkey.sh,v 1.27 2021/09/30 05:20:08 dtucker Exp $
# Placed in the Public Domain.
tid="certified user keys"
@@ -60,14 +60,12 @@ done
# Test explicitly-specified principals
for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
t=$(kname $ktype)
- for privsep in yes ; do
- _prefix="${ktype} privsep $privsep"
+ _prefix="${ktype}"
# Setup for AuthorizedPrincipalsFile
rm -f $OBJ/authorized_keys_$USER
(
cat $OBJ/sshd_proxy_bak
- echo "UsePrivilegeSeparation $privsep"
echo "AuthorizedPrincipalsFile " \
"$OBJ/authorized_principals_%u"
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
@@ -148,7 +146,6 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
rm -f $OBJ/authorized_principals_$USER
(
cat $OBJ/sshd_proxy_bak
- echo "UsePrivilegeSeparation $privsep"
echo "PubkeyAcceptedAlgorithms ${t}"
) > $OBJ/sshd_proxy
(
@@ -179,7 +176,6 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
fi
- done
done
basic_tests() {
@@ -197,13 +193,11 @@ basic_tests() {
for ktype in $PLAIN_TYPES ; do
t=$(kname $ktype)
- for privsep in yes ; do
- _prefix="${ktype} privsep $privsep $auth"
+ _prefix="${ktype} $auth"
# Simple connect
verbose "$tid: ${_prefix} connect"
(
cat $OBJ/sshd_proxy_bak
- echo "UsePrivilegeSeparation $privsep"
echo "PubkeyAcceptedAlgorithms ${t}"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
@@ -222,7 +216,6 @@ basic_tests() {
verbose "$tid: ${_prefix} revoked key"
(
cat $OBJ/sshd_proxy_bak
- echo "UsePrivilegeSeparation $privsep"
echo "RevokedKeys $OBJ/cert_user_key_revoked"
echo "PubkeyAcceptedAlgorithms ${t}"
echo "$extra_sshd"
@@ -265,7 +258,6 @@ basic_tests() {
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpecedly"
fi
- done
verbose "$tid: $auth CA does not authenticate"
(
diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh
index 9549b33a..222d424b 100644
--- a/regress/hostkey-agent.sh
+++ b/regress/hostkey-agent.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: hostkey-agent.sh,v 1.12 2021/09/29 01:32:21 djm Exp $
+# $OpenBSD: hostkey-agent.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $
# Placed in the Public Domain.
tid="hostkey agent"
@@ -45,7 +45,7 @@ for k in $SSH_KEYTYPES ; do
fail "keytype $k failed"
fi
if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
- fail "bad SSH_CONNECTION key type $k privsep=$ps"
+ fail "bad SSH_CONNECTION key type $k"
fi
done
@@ -78,7 +78,7 @@ for k in $SSH_CERTTYPES ; do
fail "cert type $k failed"
fi
if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
- fail "bad SSH_CONNECTION key type $k privsep=$ps"
+ fail "bad SSH_CONNECTION key type $k"
fi
done
diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh
index 4c2d07dc..1577da15 100644
--- a/regress/login-timeout.sh
+++ b/regress/login-timeout.sh
@@ -1,9 +1,9 @@
-# $OpenBSD: login-timeout.sh,v 1.9 2017/08/07 00:53:51 dtucker Exp $
+# $OpenBSD: login-timeout.sh,v 1.10 2021/09/30 05:20:08 dtucker Exp $
# Placed in the Public Domain.
tid="connect after login grace timeout"
-trace "test login grace with privsep"
+trace "test login grace time"
cp $OBJ/sshd_config $OBJ/sshd_config.orig
grep -vi LoginGraceTime $OBJ/sshd_config.orig > $OBJ/sshd_config
echo "LoginGraceTime 10s" >> $OBJ/sshd_config
diff --git a/regress/principals-command.sh b/regress/principals-command.sh
index a808f9c3..74da09a9 100644
--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: principals-command.sh,v 1.12 2021/09/30 04:22:50 dtucker Exp $
+# $OpenBSD: principals-command.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $
# Placed in the Public Domain.
tid="authorized principals command"
@@ -59,114 +59,110 @@ if ! $OBJ/check-perm -m keys-command $PRINCIPALS_COMMAND ; then
exit 0
fi
-if [ -x $PRINCIPALS_COMMAND ]; then
- # Test explicitly-specified principals
- for privsep in yes ; do
- _prefix="privsep $privsep"
-
- # Setup for AuthorizedPrincipalsCommand
- rm -f $OBJ/authorized_keys_$USER
- (
- cat $OBJ/sshd_proxy_bak
- echo "UsePrivilegeSeparation $privsep"
- echo "AuthorizedKeysFile none"
- echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
- "%u %t %T %i %s %F %f %k %K"
- echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
- echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
- ) > $OBJ/sshd_proxy
-
- # XXX test missing command
- # XXX test failing command
-
- # Empty authorized_principals
- verbose "$tid: ${_prefix} empty authorized_principals"
- echo > $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpectedly"
- fi
-
- # Wrong authorized_principals
- verbose "$tid: ${_prefix} wrong authorized_principals"
- echo gregorsamsa > $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpectedly"
- fi
-
- # Correct authorized_principals
- verbose "$tid: ${_prefix} correct authorized_principals"
- echo mekmitasdigoat > $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -ne 0 ]; then
- fail "ssh cert connect failed"
- fi
-
- # authorized_principals with bad key option
- verbose "$tid: ${_prefix} authorized_principals bad key opt"
- echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpectedly"
- fi
-
- # authorized_principals with command=false
- verbose "$tid: ${_prefix} authorized_principals command=false"
- echo 'command="false" mekmitasdigoat' > \
- $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpectedly"
- fi
-
- # authorized_principals with command=true
- verbose "$tid: ${_prefix} authorized_principals command=true"
- echo 'command="true" mekmitasdigoat' > \
- $OBJ/authorized_principals_$USER
- ${SSH} -i $OBJ/cert_user_key \
- -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
- if [ $? -ne 0 ]; then
- fail "ssh cert connect failed"
- fi
-
- # Setup for principals= key option
- rm -f $OBJ/authorized_principals_$USER
- (
- cat $OBJ/sshd_proxy_bak
- echo "UsePrivilegeSeparation $privsep"
- ) > $OBJ/sshd_proxy
-
- # Wrong principals list
- verbose "$tid: ${_prefix} wrong principals key option"
- (
- printf 'cert-authority,principals="gregorsamsa" '
- cat $OBJ/user_ca_key.pub
- ) > $OBJ/authorized_keys_$USER
- ${SSH} -i $OBJ/cert_user_key \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect succeeded unexpectedly"
- fi
-
- # Correct principals list
- verbose "$tid: ${_prefix} correct principals key option"
- (
- printf 'cert-authority,principals="mekmitasdigoat" '
- cat $OBJ/user_ca_key.pub
- ) > $OBJ/authorized_keys_$USER
- ${SSH} -i $OBJ/cert_user_key \
- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
- if [ $? -ne 0 ]; then
- fail "ssh cert connect failed"
- fi
- done
-else
- echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
+if [ ! -x $PRINCIPALS_COMMAND ]; then
+ skip "$PRINCIPALS_COMMAND not executable " \
"(/var/run mounted noexec?)"
fi
+
+#Test explicitly-specified principals
+ # Setup for AuthorizedPrincipalsCommand
+ rm -f $OBJ/authorized_keys_$USER
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo "AuthorizedKeysFile none"
+ echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
+ "%u %t %T %i %s %F %f %k %K"
+ echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
+ echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+ ) > $OBJ/sshd_proxy
+
+ # XXX test missing command
+ # XXX test failing command
+
+ # Empty authorized_principals
+ verbose "$tid: empty authorized_principals"
+ echo > $OBJ/authorized_principals_$USER
+ ${SSH} -i $OBJ/cert_user_key \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+ fi
+
+ # Wrong authorized_principals
+ verbose "$tid: wrong authorized_principals"
+ echo gregorsamsa > $OBJ/authorized_principals_$USER
+ ${SSH} -i $OBJ/cert_user_key \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+ fi
+
+ # Correct authorized_principals
+ verbose "$tid: correct authorized_principals"
+ echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+ ${SSH} -i $OBJ/cert_user_key \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
+
+ # authorized_principals with bad key option
+ verbose "$tid: authorized_principals bad key opt"
+ echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+ ${SSH} -i $OBJ/cert_user_key \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+ fi
+
+ # authorized_principals with command=false
+ verbose "$tid: authorized_principals command=false"
+ echo 'command="false" mekmitasdigoat' > \
+ $OBJ/authorized_principals_$USER
+ ${SSH} -i $OBJ/cert_user_key \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+ fi
+
+
+ # authorized_principals with command=true
+ verbose "$tid: authorized_principals command=true"
+ echo 'command="true" mekmitasdigoat' > \
+ $OBJ/authorized_principals_$USER
+ ${SSH} -i $OBJ/cert_user_key \
+ -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
+
+ # Setup for principals= key option
+ # TODO: remove?
+ rm -f $OBJ/authorized_principals_$USER
+ (
+ cat $OBJ/sshd_proxy_bak
+ ) > $OBJ/sshd_proxy
+
+ # Wrong principals list
+ verbose "$tid: wrong principals key option"
+ (
+ printf 'cert-authority,principals="gregorsamsa" '
+ cat $OBJ/user_ca_key.pub
+ ) > $OBJ/authorized_keys_$USER
+ ${SSH} -i $OBJ/cert_user_key \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+ fi
+
+ # Correct principals list
+ verbose "$tid: correct principals key option"
+ (
+ printf 'cert-authority,principals="mekmitasdigoat" '
+ cat $OBJ/user_ca_key.pub
+ ) > $OBJ/authorized_keys_$USER
+ ${SSH} -i $OBJ/cert_user_key \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list