[openssh-commits] [openssh] 02/02: upstream: typos and extra debug trace calls

git+noreply at mindrot.org git+noreply at mindrot.org
Thu Oct 12 14:52:55 AEDT 2023


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit c616e64688b2a0c1b4daad69b056099be998d121
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Thu Oct 12 03:51:08 2023 +0000

    upstream: typos and extra debug trace calls
    
    OpenBSD-Regress-ID: 98a2a6b9333743274359e3c0f0e65cf919a591d1
---
 regress/sshsig.sh | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 68 insertions(+), 4 deletions(-)

diff --git a/regress/sshsig.sh b/regress/sshsig.sh
index d4daa5c9..dae03706 100644
--- a/regress/sshsig.sh
+++ b/regress/sshsig.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: sshsig.sh,v 1.14 2022/02/01 23:37:15 djm Exp $
+#	$OpenBSD: sshsig.sh,v 1.15 2023/10/12 03:51:08 djm Exp $
 #	Placed in the Public Domain.
 
 tid="sshsig"
@@ -51,6 +51,7 @@ for t in $SIGNKEYS; do
 	cert=${OBJ}/${keybase}-cert.pub
 	sigfile_cert=${OBJ}/sshsig-${keybase}-cert.sig
 
+	trace "$tid: key type $t check bad hashlg"
 	${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
 	    -Ohashalg=sha1 < $DATA > $sigfile 2>/dev/null && \
 		fail "sign using $t with bad hash algorithm succeeded"
@@ -60,16 +61,19 @@ for t in $SIGNKEYS; do
 		default) hashalg_arg="" ;;
 		*) hashalg_arg="-Ohashalg=$h" ;;
 		esac
+		trace "$tid: key type $t sign with hash $h"
 		${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
 		    $hashalg_arg < $DATA > $sigfile 2>/dev/null || \
 			fail "sign using $t / $h failed"
 		(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
+		trace "$tid: key type $t verify with hash $h"
 		${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		    -I $sig_principal -f $OBJ/allowed_signers \
 		    < $DATA >/dev/null 2>&1 || \
 			fail "failed signature for $t / $h key"
 	done
 
+	trace "$tid: key type $t verify with limited namespace"
 	(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
 	 cat $pubkey) > $OBJ/allowed_signers
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
@@ -77,6 +81,7 @@ for t in $SIGNKEYS; do
 		< $DATA >/dev/null 2>&1 || \
 		fail "failed signature for $t key w/ limited namespace"
 
+	trace "$tid: key type $t print-pubkey"
 	(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
 	 cat $pubkey) > $OBJ/allowed_signers
 	${SSHKEYGEN} -q -Y verify -s $sigfile -n $sig_namespace \
@@ -89,6 +94,7 @@ for t in $SIGNKEYS; do
 		fail "print-pubkey differs from signature key"
 
 	# Invalid option
+	trace "$tid: key type $t verify with bad signers"
 	(printf "$sig_principal octopus " ; cat $pubkey) > $OBJ/allowed_signers
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-I $sig_principal -f $OBJ/allowed_signers \
@@ -96,6 +102,7 @@ for t in $SIGNKEYS; do
 		fail "accepted signature for $t key with bad signers option"
 
 	# Wrong key trusted.
+	trace "$tid: key type $t verify with wrong key"
 	(printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-I $sig_principal -f $OBJ/allowed_signers \
@@ -103,6 +110,7 @@ for t in $SIGNKEYS; do
 		fail "accepted signature for $t key with wrong key trusted"
 
 	# incorrect data
+	trace "$tid: key type $t verify with wrong data"
 	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-I $sig_principal -f $OBJ/allowed_signers \
@@ -110,6 +118,7 @@ for t in $SIGNKEYS; do
 		fail "passed signature for wrong data with $t key"
 
 	# wrong principal in signers
+	trace "$tid: key type $t verify with wrong principal"
 	(printf "josef.k at example.com " ; cat $pubkey) > $OBJ/allowed_signers
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-I $sig_principal -f $OBJ/allowed_signers \
@@ -117,6 +126,7 @@ for t in $SIGNKEYS; do
 		fail "accepted signature for $t key with wrong principal"
 
 	# wrong namespace
+	trace "$tid: key type $t verify with wrong namespace"
 	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n COWS_COWS_COWS \
 		-I $sig_principal -f $OBJ/allowed_signers \
@@ -124,6 +134,7 @@ for t in $SIGNKEYS; do
 		fail "accepted signature for $t key with wrong namespace"
 
 	# namespace excluded by option
+	trace "$tid: key type $t verify with excluded namespace"
 	(printf "$sig_principal namespaces=\"whatever\" " ;
 	 cat $pubkey) > $OBJ/allowed_signers
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
@@ -136,50 +147,59 @@ for t in $SIGNKEYS; do
 	  cat $pubkey) > $OBJ/allowed_signers
 
 	# key lifespan valid
+	trace "$tid: key type $t verify with valid lifespan"
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-I $sig_principal -f $OBJ/allowed_signers \
 		-Overify-time=19850101 \
 		< $DATA >/dev/null 2>&1 || \
 		fail "failed signature for $t key with valid expiry interval"
 	# key not yet valid
+	trace "$tid: key type $t verify with not-yet-valid lifespan"
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-I $sig_principal -f $OBJ/allowed_signers \
 		-Overify-time=19790101 \
 		< $DATA >/dev/null 2>&1 && \
 		fail "failed signature for $t not-yet-valid key"
 	# key expired
+	trace "$tid: key type $t verify with expired lifespan"
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-I $sig_principal -f $OBJ/allowed_signers \
 		-Overify-time=19910101 \
 		< $DATA >/dev/null 2>&1 && \
 		fail "failed signature for $t with expired key"
 	# NB. assumes we're not running this test in the 1980s
+	trace "$tid: key type $t verify with expired lifespan (now)"
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-I $sig_principal -f $OBJ/allowed_signers \
 		< $DATA >/dev/null 2>&1 && \
 		fail "failed signature for $t with expired key"
 
 	# key lifespan valid
+	trace "$tid: key type $t find-principals with valid lifespan"
 	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
 		-Overify-time="19850101" \
 		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
 		fail "failed find-principals for $t key with valid expiry interval"
 	# key not yet valid
+	trace "$tid: key type $t find principals with not-yet-valid lifespan"
 	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
 		-Overify-time="19790101" \
 		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
 		fail "failed find-principals for $t not-yet-valid key"
 	# key expired
+	trace "$tid: key type $t find-principals with expired lifespan"
 	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
 		-Overify-time="19990101" \
 		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
 		fail "failed find-principals for $t with expired key"
 	# NB. assumes we're not running this test in the 1980s
+	trace "$tid: key type $t find-principals with expired lifespan (now)"
 	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
 		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
 		fail "failed find-principals for $t with expired key"
 
 	# public key in revoked keys file
+	trace "$tid: key type $t verify with revoked key"
 	cat $pubkey > $OBJ/revoked_keys
 	(printf "$sig_principal namespaces=\"whatever\" " ;
 	 cat $pubkey) > $OBJ/allowed_signers
@@ -190,6 +210,7 @@ for t in $SIGNKEYS; do
 		fail "accepted signature for $t key, but key is in revoked_keys"
 
 	# public key not revoked, but others are present in revoked_keysfile
+	trace "$tid: key type $t verify with unrevoked key"
 	cat $WRONG > $OBJ/revoked_keys
 	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
@@ -199,26 +220,31 @@ for t in $SIGNKEYS; do
 		fail "couldn't verify signature for $t key, but key not in revoked_keys"
 
 	# check-novalidate with valid data
+	trace "$tid: key type $t check-novalidate with valid data"
 	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
 		< $DATA >/dev/null 2>&1 || \
 		fail "failed to check valid signature for $t key"
 
 	# check-novalidate with invalid data
+	trace "$tid: key type $t check-novalidate with invalid data"
 	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
 		< $DATA2 >/dev/null 2>&1 && \
 		fail "succeeded checking signature for $t key with invalid data"
 
 	# find-principals with valid public key
+	trace "$tid: key type $t find-principals with valid key"
 	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
 	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile -f $OBJ/allowed_signers >/dev/null 2>&1 || \
 		fail "failed to find valid principals in allowed_signers"
 
 	# find-principals with wrong key not in allowed_signers
+	trace "$tid: key type $t find-principals with wrong key"
 	(printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
 	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile -f $OBJ/allowed_signers >/dev/null 2>&1 && \
 		fail "succeeded finding principal with invalid signers file"
 
 	# find-principals with a configured namespace but none on command-line
+	trace "$tid: key type $t find-principals with missing namespace"
 	(printf "$sig_principal " ;
 	 printf "namespaces=\"test1,test2\" ";
 	 cat $pubkey) > $OBJ/allowed_signers
@@ -227,18 +253,27 @@ for t in $SIGNKEYS; do
 		fail "failed finding principal when namespaces are configured"
 
 	# Check signing keys using ssh-agent.
+	trace "$tid: key type $t prepare agent"
 	${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys.
 	${SSHADD} ${privkey} > /dev/null 2>&1 || fail "ssh-add failed"
 
 	# Move private key to ensure agent key is used
 	mv ${privkey} ${privkey}.tmp
 
+	trace "$tid: key type $t sign with agent"
 	${SSHKEYGEN} -vvv -Y sign -f $pubkey -n $sig_namespace \
 		< $DATA > $sigfile_agent 2>/dev/null || \
 		fail "ssh-agent based sign using $pubkey failed"
+	trace "$tid: key type $t check signature w/ agent"
 	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile_agent \
 		-n $sig_namespace < $DATA >/dev/null 2>&1 || \
 		fail "failed to check valid signature for $t key"
+	(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
+	 cat $pubkey) > $OBJ/allowed_signers
+	${SSHKEYGEN} -vvv -Y verify -s $sigfile_agent -n $sig_namespace \
+		-I $sig_principal -f $OBJ/allowed_signers \
+		< $DATA >/dev/null 2>&1 || \
+		fail "failed signature for $t key w/ limited namespace"
 
 	# Move private key back
 	mv ${privkey}.tmp ${privkey}
@@ -252,45 +287,53 @@ for t in $SIGNKEYS; do
 	  cat $pubkey) > $OBJ/allowed_signers
 
 	# find-principals outside of any validity lifespan
+	trace "$tid: key type $t find principals outside multiple validities"
 	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
 		-Overify-time="20100101" \
 		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
 		fail "succeeded find-principals for $t verify-time outside of validity"
 	# find-principals matching only the first lifespan
+	trace "$tid: key type $t find principals matching one validity (1st)"
 	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
 		-Overify-time="19830101" \
 		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
 		fail "failed find-principals for $t verify-time within first span"
 	# find-principals matching both lifespans
+	trace "$tid: key type $t find principals matching two validities"
 	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
 		-Overify-time="19880101" \
 		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
 		fail "failed find-principals for $t verify-time within both spans"
 	# find-principals matching only the second lifespan
+	trace "$tid: key type $t find principals matching one validity (2nd)"
 	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
 		-Overify-time="19950101" \
 		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
 		fail "failed find-principals for $t verify-time within second span"
 
 	# verify outside of any validity lifespan
+	trace "$tid: key type $t verify outside multiple validities"
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-Overify-time="20100101" -I $sig_principal \
 		-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
 		< $DATA >/dev/null 2>&1 && \
 		fail "succeeded verify for $t verify-time outside of validity"
 	# verify matching only the first lifespan
+	trace "$tid: key type $t verify matching one validity (1st)"
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-Overify-time="19830101" -I $sig_principal \
 		-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
 		< $DATA >/dev/null 2>&1 || \
 		fail "failed verify for $t verify-time within first span"
 	# verify matching both lifespans
+	trace "$tid: key type $t verify matching two validities"
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-Overify-time="19880101" -I $sig_principal \
 		-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
 		< $DATA >/dev/null 2>&1 || \
 		fail "failed verify for $t verify-time within both spans"
 	# verify matching only the second lifespan
+	trace "$tid: key type $t verify matching one validity (2nd)"
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-Overify-time="19950101" -I $sig_principal \
 		-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
@@ -308,26 +351,31 @@ for t in $SIGNKEYS; do
 	  printf "cert-authority,valid-after=\"19800101\",valid-before=\"19900101\" ";
 	  cat $CA_PUB) > $OBJ/allowed_signers
 	# key lifespan valid
+	trace "$tid: key type $t find-principals cert lifetime valid"
 	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
 		-Overify-time="19850101" \
 		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
 		fail "failed find-principals for $t key with valid expiry interval"
 	# key not yet valid
+	trace "$tid: key type $t find-principals cert lifetime not-yet-valid"
 	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
 		-Overify-time="19790101" \
 		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
 		fail "failed find-principals for $t not-yet-valid key"
 	# key expired
+	trace "$tid: key type $t find-principals cert lifetime expired"
 	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
 		-Overify-time="19990101" \
 		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
 		fail "failed find-principals for $t with expired key"
 	# NB. assumes we're not running this test in the 1980s
+	trace "$tid: key type $t find-principals cert lifetime expired (now)"
 	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
 		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
 		fail "failed find-principals for $t with expired key"
 
 	# correct CA key
+	trace "$tid: key type $t verify cert good CA"
 	(printf "$sig_principal cert-authority " ;
 	 cat $CA_PUB) > $OBJ/allowed_signers
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
@@ -337,12 +385,14 @@ for t in $SIGNKEYS; do
 		fail "failed signature for $t cert"
 
 	# find-principals
+	trace "$tid: key type $t find-principals cert good CA"
 	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
 		-Overify-time=19850101 \
 		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
 		fail "failed find-principals for $t with ca key"
 
 	# CA with wildcard principal
+	trace "$tid: key type $t find-principals cert good wildcard CA"
 	(printf "*@example.com cert-authority " ;
 	 cat $CA_PUB) > $OBJ/allowed_signers
 	# find-principals CA with wildcard principal
@@ -353,6 +403,7 @@ for t in $SIGNKEYS; do
 		fail "failed find-principals for $t with ca key using wildcard principal"
 
 	# verify CA with wildcard principal
+	trace "$tid: key type $t verify cert good wildcard CA"
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-I $sig_principal -f $OBJ/allowed_signers \
 		-Overify-time=19850101 \
@@ -360,6 +411,7 @@ for t in $SIGNKEYS; do
 		fail "failed signature for $t cert using wildcard principal"
 
 	# signing key listed as cert-authority
+	trace "$tid: key type $t verify signing key listed as CA"
 	(printf "$sig_principal cert-authority " ;
 	 cat $pubkey) > $OBJ/allowed_signers
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
@@ -368,6 +420,7 @@ for t in $SIGNKEYS; do
 		fail "accepted signature with $t key listed as CA"
 
 	# CA key not flagged cert-authority
+	trace "$tid: key type $t verify key not marked as CA"
 	(printf "$sig_principal " ; cat $CA_PUB) > $OBJ/allowed_signers
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-I $sig_principal -f $OBJ/allowed_signers \
@@ -375,6 +428,7 @@ for t in $SIGNKEYS; do
 		fail "accepted signature for $t cert with CA not marked"
 
 	# mismatch between cert principal and file
+	trace "$tid: key type $t verify cert with wrong principal"
 	(printf "josef.k at example.com cert-authority " ;
 	 cat $CA_PUB) > $OBJ/allowed_signers
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
@@ -383,6 +437,7 @@ for t in $SIGNKEYS; do
 		fail "accepted signature for $t cert with wrong principal"
 
 	# Cert valid but CA revoked
+	trace "$tid: key type $t verify cert with revoked CA"
 	cat $CA_PUB > $OBJ/revoked_keys
 	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
@@ -397,42 +452,49 @@ for t in $SIGNKEYS; do
 	  cat $CA_PUB) > $OBJ/allowed_signers
 
 	# CA key lifespan valid
+	trace "$tid: key type $t verify cert valid CA lifespan"
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-I $sig_principal -f $OBJ/allowed_signers \
 		-Overify-time=19850101 \
 		< $DATA >/dev/null 2>&1 >/dev/null 2>&1 || \
 		fail "failed signature for $t key with valid CA expiry interval"
 	# CA lifespan is valid but user key not yet valid
+	trace "$tid: key type $t verify cert valid CA lifespan, not-yet-valid cert"
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-I $sig_principal -f $OBJ/allowed_signers \
 		-Overify-time=19810101 \
 		< $DATA >/dev/null 2>&1 && \
 		fail "accepted signature for $t key with valid CA expiry interval but not yet valid cert"
 	# CA lifespan is valid but user key expired
+	trace "$tid: key type $t verify cert valid CA lifespan, expired cert"
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-I $sig_principal -f $OBJ/allowed_signers \
 		-Overify-time=19890101 \
 		< $DATA >/dev/null 2>&1 && \
 		fail "accepted signature for $t key with valid CA expiry interval but expired cert"
 	# CA key not yet valid
+	trace "$tid: key type $t verify cert CA not-yet-valid"
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-I $sig_principal -f $OBJ/allowed_signers \
 		-Overify-time=19790101 \
 		< $DATA >/dev/null 2>&1 && \
 		fail "accepted signature for $t not-yet-valid CA key"
 	# CA key expired
+	trace "$tid: key type $t verify cert CA expired"
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-I $sig_principal -f $OBJ/allowed_signers \
 		-Overify-time=19910101 \
 		< $DATA >/dev/null 2>&1 && \
 		fail "accepted signature for $t with expired CA key"
 	# NB. assumes we're not running this test in the 1980s
+	trace "$tid: key type $t verify cert CA expired (now)"
 	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
 		-I $sig_principal -f $OBJ/allowed_signers \
 		< $DATA >/dev/null 2>&1 && \
 		fail "accepted signature for $t with expired CA key"
 
 	# Set lifespan of CA outside of the cert validity
+	trace "$tid: key type $t verify CA/cert lifespan mismatch"
 	( printf "$sig_principal " ;
 	  printf "cert-authority,valid-after=\"19800101\",valid-before=\"19820101\" " ;
 	  cat $CA_PUB) > $OBJ/allowed_signers
@@ -455,15 +517,17 @@ done
 verbose "$tid: match principals"
 ${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "unique" | \
     fgrep "unique" >/dev/null || \
-	fail "faild to match static principal"
+	fail "failed to match static principal"
 
+trace "$tid: match principals wildcard"
 ${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "princip" | \
     fgrep "princi*" >/dev/null || \
-	fail "faild to match wildcard principal"
+	fail "failed to match wildcard principal"
 
+trace "$tid: match principals static/wildcard"
 ${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "principal1" | \
     fgrep -e "principal1" -e "princi*" >/dev/null || \
-	fail "faild to match static and wildcard principal"
+	fail "failed to match static and wildcard principal"
 verbose "$tid: nomatch principals"
 for x in princ prince unknown ; do
 	${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers \

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list