openssh-portable/regress/sshfp-connect.sh

#	$OpenBSD: sshfp-connect.sh,v 1.3 2021/08/31 01:25:27 dtucker Exp $
#	Placed in the Public Domain.

# This test requires external setup and thus is skipped unless
# TEST_SSH_SSHFP_DOMAIN is set.  It requires:
# 1) A DNSSEC-enabled domain, which TEST_SSH_SSHFP_DOMAIN points to.
# 2) A DNSSEC-validating resolver such as unwind(8).
# 3) The following SSHFP records with fingerprints from rsa_openssh.pub
#    in that domain that are expected to succeed:
#      sshtest: valid sha1 and sha256 fingerprints.
#      sshtest-sha{1,256}, : valid fingerprints for that type only.
#    and the following records that are expected to fail:
#      sshtest-bad: invalid sha1 fingerprint and good sha256 fingerprint
#      sshtest-sha{1,256}-bad: invalid fingerprints for that type only.
#
# sshtest IN SSHFP 1 1 99C79CC09F5F81069CC017CDF9552CFC94B3B929
# sshtest IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B6
# sshtest-sha1 IN SSHFP 1 1 99C79CC09F5F81069CC017CDF9552CFC94B3B929
# sshtest-sha256 IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B6
# sshtest-bad IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B6
# sshtest-bad IN SSHFP 1 1 99C79CC09F5F81069CC017CDF9552CFC94B3B928
# sshtest-sha1-bad IN SSHFP 1 1 99D79CC09F5F81069CC017CDF9552CFC94B3B929
# sshtest-sha256-bad IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B5

tid="sshfp connect"

if ! $SSH -Q key-plain | grep ssh-rsa >/dev/null; then
	echo SKIPPED: RSA keys not supported.
elif [ -z "${TEST_SSH_SSHFP_DOMAIN}" ]; then
	echo SKIPPED: TEST_SSH_SSHFP_DOMAIN not set.
else
	# Set RSA host key to match fingerprints above.
	mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
	$SUDO cp $SRC/rsa_openssh.prv $OBJ/host.ssh-rsa
	$SUDO chmod 600 $OBJ/host.ssh-rsa
	sed -e "s|$OBJ/ssh-rsa|$OBJ/host.ssh-rsa|" \
	    $OBJ/sshd_proxy.orig > $OBJ/sshd_proxy

	# Zero out known hosts and key aliases to force use of SSHFP records.
	> $OBJ/known_hosts
	mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
	sed -e "/HostKeyAlias.*localhost-with-alias/d" \
	    -e "/Hostname.*127.0.0.1/d" \
	    $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy

	for n in sshtest sshtest-sha1 sshtest-sha256; do
		trace "sshfp connect $n good fingerprint"
		host="${n}.dtucker.net"
		opts="-F $OBJ/ssh_proxy -o VerifyHostKeyDNS=yes "
		opts="$opts -o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256"
		host="${n}.${TEST_SSH_SSHFP_DOMAIN}"
		SSH_CONNECTION=`${SSH} $opts $host 'echo $SSH_CONNECTION'`
		if [ $? -ne 0 ]; then
			fail "ssh sshfp connect failed"
		fi
		if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
			fail "bad SSH_CONNECTION: $SSH_CONNECTION"
		fi

		trace "sshfp connect $n bad fingerprint"
		host="${n}-bad.${TEST_SSH_SSHFP_DOMAIN}"
		if ${SSH} $opts ${host} true; then
			fail "sshfp-connect succeeded with bad SSHFP record"
		fi
	done
fi
upstream: Specify hostkeyalgorithms in SSHFP test. Specify host key algorithms in sshd's default set for the SSHFP test, from djm@. Make the reason for when the test is skipped a bit clearer. OpenBSD-Regress-ID: 4f923dfc761480d5411de17ea6f0b30de3e32cea 2021-08-31 03:25:27 +02:00			`# $OpenBSD: sshfp-connect.sh,v 1.3 2021/08/31 01:25:27 dtucker Exp $`
Add sshfp-connect.sh file missed in previous. 2021-07-19 05:47:51 +02:00			`# Placed in the Public Domain.`

			`# This test requires external setup and thus is skipped unless`
			`# TEST_SSH_SSHFP_DOMAIN is set. It requires:`
			`# 1) A DNSSEC-enabled domain, which TEST_SSH_SSHFP_DOMAIN points to.`
			`# 2) A DNSSEC-validating resolver such as unwind(8).`
			`# 3) The following SSHFP records with fingerprints from rsa_openssh.pub`
			`# in that domain that are expected to succeed:`
			`# sshtest: valid sha1 and sha256 fingerprints.`
			`# sshtest-sha{1,256}, : valid fingerprints for that type only.`
			`# and the following records that are expected to fail:`
			`# sshtest-bad: invalid sha1 fingerprint and good sha256 fingerprint`
			`# sshtest-sha{1,256}-bad: invalid fingerprints for that type only.`
			`#`
			`# sshtest IN SSHFP 1 1 99C79CC09F5F81069CC017CDF9552CFC94B3B929`
			`# sshtest IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B6`
			`# sshtest-sha1 IN SSHFP 1 1 99C79CC09F5F81069CC017CDF9552CFC94B3B929`
			`# sshtest-sha256 IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B6`
			`# sshtest-bad IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B6`
			`# sshtest-bad IN SSHFP 1 1 99C79CC09F5F81069CC017CDF9552CFC94B3B928`
			`# sshtest-sha1-bad IN SSHFP 1 1 99D79CC09F5F81069CC017CDF9552CFC94B3B929`
			`# sshtest-sha256-bad IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B5`

			`tid="sshfp connect"`

upstream: Specify hostkeyalgorithms in SSHFP test. Specify host key algorithms in sshd's default set for the SSHFP test, from djm@. Make the reason for when the test is skipped a bit clearer. OpenBSD-Regress-ID: 4f923dfc761480d5411de17ea6f0b30de3e32cea 2021-08-31 03:25:27 +02:00			`if ! $SSH -Q key-plain \| grep ssh-rsa >/dev/null; then`
			`echo SKIPPED: RSA keys not supported.`
			`elif [ -z "${TEST_SSH_SSHFP_DOMAIN}" ]; then`
			`echo SKIPPED: TEST_SSH_SSHFP_DOMAIN not set.`
			`else`
Add sshfp-connect.sh file missed in previous. 2021-07-19 05:47:51 +02:00			`# Set RSA host key to match fingerprints above.`
			`mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig`
upstream: Use SUDO when setting up hostkey. OpenBSD-Regress-ID: 990cf4481cab8dad62e90818a9b4b36c533851a7 2021-07-19 10:48:33 +02:00			`$SUDO cp $SRC/rsa_openssh.prv $OBJ/host.ssh-rsa`
			`$SUDO chmod 600 $OBJ/host.ssh-rsa`
Add sshfp-connect.sh file missed in previous. 2021-07-19 05:47:51 +02:00			`sed -e "s\|$OBJ/ssh-rsa\|$OBJ/host.ssh-rsa\|" \`
			`$OBJ/sshd_proxy.orig > $OBJ/sshd_proxy`

			`# Zero out known hosts and key aliases to force use of SSHFP records.`
			`> $OBJ/known_hosts`
			`mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig`
			`sed -e "/HostKeyAlias.*localhost-with-alias/d" \`
			`-e "/Hostname.*127.0.0.1/d" \`
			`$OBJ/ssh_proxy.orig > $OBJ/ssh_proxy`

			`for n in sshtest sshtest-sha1 sshtest-sha256; do`
			`trace "sshfp connect $n good fingerprint"`
			`host="${n}.dtucker.net"`
			`opts="-F $OBJ/ssh_proxy -o VerifyHostKeyDNS=yes "`
upstream: Specify hostkeyalgorithms in SSHFP test. Specify host key algorithms in sshd's default set for the SSHFP test, from djm@. Make the reason for when the test is skipped a bit clearer. OpenBSD-Regress-ID: 4f923dfc761480d5411de17ea6f0b30de3e32cea 2021-08-31 03:25:27 +02:00			`opts="$opts -o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256"`
Add sshfp-connect.sh file missed in previous. 2021-07-19 05:47:51 +02:00			`host="${n}.${TEST_SSH_SSHFP_DOMAIN}"`
			SSH_CONNECTION=`${SSH} $opts $host 'echo $SSH_CONNECTION'`
			`if [ $? -ne 0 ]; then`
			`fail "ssh sshfp connect failed"`
			`fi`
			`if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then`
			`fail "bad SSH_CONNECTION: $SSH_CONNECTION"`
			`fi`

			`trace "sshfp connect $n bad fingerprint"`
			`host="${n}-bad.${TEST_SSH_SSHFP_DOMAIN}"`
			`if ${SSH} $opts ${host} true; then`
			`fail "sshfp-connect succeeded with bad SSHFP record"`
			`fi`
			`done`
			`fi`