[openssh-commits] [openssh] 01/02: upstream: test security key host keys in addition to user keys

git+noreply at mindrot.org git+noreply at mindrot.org
Sat Dec 21 13:37:00 AEDT 2019


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit e5b7cf8edca7e843adc125621e1dab14507f430a
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Dec 16 02:39:05 2019 +0000

    upstream: test security key host keys in addition to user keys
    
    OpenBSD-Regress-ID: 9fb45326106669a27e4bf150575c321806e275b1
---
 regress/cert-hostkey.sh       |  6 +++---
 regress/hostkey-agent.sh      |  6 +++---
 regress/keygen-change.sh      |  6 ++----
 regress/keyscan.sh            |  7 +++----
 regress/keytype.sh            |  8 ++------
 regress/krl.sh                |  4 ++--
 regress/limit-keytype.sh      |  4 ++--
 regress/principals-command.sh |  4 ++--
 regress/test-exec.sh          | 12 +++++-------
 9 files changed, 24 insertions(+), 33 deletions(-)

diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 67a9795d..95d7c176 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.21 2019/12/11 18:47:14 djm Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.22 2019/12/16 02:39:05 djm Exp $
 #	Placed in the Public Domain.
 
 tid="certified host keys"
@@ -9,7 +9,7 @@ rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
 # Allow all hostkey/pubkey types, prefer certs for the client
 rsa=0
 types=""
-for i in `$SSH -Q key | filter_sk`; do
+for i in `$SSH -Q key | maybe_filter_sk`; do
 	if [ -z "$types" ]; then
 		types="$i"
 		continue
@@ -70,7 +70,7 @@ touch $OBJ/host_revoked_plain
 touch $OBJ/host_revoked_cert
 cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
 
-PLAIN_TYPES=`$SSH -Q key-plain  | filter_sk | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
+PLAIN_TYPES=`echo "$SSH_KEYTYPES" | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
 
 if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
 	PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh
index 7f490e01..d6736e24 100644
--- a/regress/hostkey-agent.sh
+++ b/regress/hostkey-agent.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: hostkey-agent.sh,v 1.10 2019/12/11 18:47:14 djm Exp $
+#	$OpenBSD: hostkey-agent.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
 #	Placed in the Public Domain.
 
 tid="hostkey agent"
@@ -14,7 +14,7 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
 echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig
 
 trace "load hostkeys"
-for k in `${SSH} -Q key-plain | filter_sk` ; do
+for k in $SSH_KEYTYPES ; do
 	${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
 	(
 		printf 'localhost-with-alias,127.0.0.1,::1 '
@@ -31,7 +31,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts
 unset SSH_AUTH_SOCK
 
 for ps in yes; do
-	for k in `${SSH} -Q key-plain | filter_sk` ; do
+	for k in $SSH_KEYTYPES ; do
 		verbose "key type $k privsep=$ps"
 		cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
 		echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
diff --git a/regress/keygen-change.sh b/regress/keygen-change.sh
index dd1bfda8..3863e33b 100644
--- a/regress/keygen-change.sh
+++ b/regress/keygen-change.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: keygen-change.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
+#	$OpenBSD: keygen-change.sh,v 1.9 2019/12/16 02:39:05 djm Exp $
 #	Placed in the Public Domain.
 
 tid="change passphrase for key"
@@ -6,9 +6,7 @@ tid="change passphrase for key"
 S1="secret1"
 S2="2secret"
 
-KEYTYPES=`${SSH} -Q key-plain | maybe_filter_sk`
-
-for t in $KEYTYPES; do
+for t in $SSH_KEYTYPES; do
 	trace "generating $t key"
 	rm -f $OBJ/$t-key
 	${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key
diff --git a/regress/keyscan.sh b/regress/keyscan.sh
index 0ce0c741..b8593fed 100644
--- a/regress/keyscan.sh
+++ b/regress/keyscan.sh
@@ -1,10 +1,9 @@
-#	$OpenBSD: keyscan.sh,v 1.11 2019/11/26 23:43:10 djm Exp $
+#	$OpenBSD: keyscan.sh,v 1.12 2019/12/16 02:39:05 djm Exp $
 #	Placed in the Public Domain.
 
 tid="keyscan"
 
-KEYTYPES=`${SSH} -Q key-plain | filter_sk`
-for i in $KEYTYPES; do
+for i in $SSH_KEYTYPES; do
 	if [ -z "$algs" ]; then
 		algs="$i"
 	else
@@ -15,7 +14,7 @@ echo "HostKeyAlgorithms $algs" >> $OBJ/sshd_config
 
 start_sshd
 
-for t in $KEYTYPES; do
+for t in $SSH_KEYTYPES; do
 	trace "keyscan type $t"
 	${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \
 		> /dev/null 2>&1
diff --git a/regress/keytype.sh b/regress/keytype.sh
index 91c5aca1..20a8ceaf 100644
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: keytype.sh,v 1.9 2019/11/26 23:43:10 djm Exp $
+#	$OpenBSD: keytype.sh,v 1.10 2019/12/16 02:39:05 djm Exp $
 #	Placed in the Public Domain.
 
 tid="login with different key types"
@@ -50,11 +50,7 @@ kname_to_ktype() {
 tries="1 2 3"
 for ut in $ktypes; do
 	user_type=`kname_to_ktype "$ut"`
-	# SK keys are not supported for hostkeys.
-	case "$ut" in
-	*sk)	htypes=ed25519-512;;
-	*)	htypes="$ut";;
-	esac
+	htypes="$ut"
 	#htypes=$ktypes
 	for ht in $htypes; do
 		host_type=`kname_to_ktype "$ht"`
diff --git a/regress/krl.sh b/regress/krl.sh
index 1efd80bf..c381225e 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: krl.sh,v 1.10 2019/11/26 23:43:10 djm Exp $
+#	$OpenBSD: krl.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
 #	Placed in the Public Domain.
 
 tid="key revocation lists"
@@ -7,7 +7,7 @@ tid="key revocation lists"
 # w/out OpenSSL.  Populate ktype[2-4] with the other types if supported.
 ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
 ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
-for t in `${SSH} -Q key-plain | maybe_filter_sk`; do
+for t in $SSH_KEYTYPES; do
 	case "$t" in
 		ecdsa*)		ktype2=ecdsa ;;
 		ssh-rsa)	ktype3=rsa ;;
diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh
index abac05c0..010a88cd 100644
--- a/regress/limit-keytype.sh
+++ b/regress/limit-keytype.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: limit-keytype.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
+#	$OpenBSD: limit-keytype.sh,v 1.9 2019/12/16 02:39:05 djm Exp $
 #	Placed in the Public Domain.
 
 tid="restrict pubkey type"
@@ -13,7 +13,7 @@ mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
 
 ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
 ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
-for t in `${SSH} -Q key-plain | maybe_filter_sk`; do
+for t in $SSH_KEYTYPES ; do 
 	case "$t" in
 		ssh-rsa)	ktype2=rsa ;;
 		ecdsa*)		ktype3=ecdsa ;;  # unused
diff --git a/regress/principals-command.sh b/regress/principals-command.sh
index 9e85e8e7..5e535c13 100644
--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: principals-command.sh,v 1.10 2019/12/11 18:47:14 djm Exp $
+#	$OpenBSD: principals-command.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
 #	Placed in the Public Domain.
 
 tid="authorized principals command"
@@ -12,7 +12,7 @@ if [ -z "$SUDO" -a ! -w /var/run ]; then
 	exit 0
 fi
 
-case "`${SSH} -Q key-plain`" in
+case "$SSH_KEYTYPES" in
 	*ssh-rsa*)	userkeytype=rsa ;;
 	*)		userkeytype=ed25519 ;;
 esac
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 4bf4059f..03dab203 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: test-exec.sh,v 1.68 2019/11/26 23:43:10 djm Exp $
+#	$OpenBSD: test-exec.sh,v 1.69 2019/12/16 02:39:05 djm Exp $
 #	Placed in the Public Domain.
 
 #SUDO=sudo
@@ -493,23 +493,21 @@ export SSH_SK_PROVIDER
 if ! test -z "$SSH_SK_PROVIDER"; then
 	EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)...
 	echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config
+	echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_config
+	echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_proxy
 fi
 export EXTRA_AGENT_ARGS
 
-filter_sk() {
-	grep -v ^sk
-}
-
 maybe_filter_sk() {
 	if test -z "$SSH_SK_PROVIDER" ; then
-		filter_sk
+		grep -v ^sk
 	else
 		cat
 	fi
 }
 
 SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk`
-SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | filter_sk`
+SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk`
  
 for t in ${SSH_KEYTYPES}; do
 	# generate user key

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list