tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- djm@cvs.openbsd.org 2010/03/03 00:47:23 

[regress/cert-hostkey.sh regress/cert-userkey.sh]
     add an extra test to ensure that authentication with the wrong
     certificate fails as it should (and it does)
This commit is contained in:
Damien Miller 2010-03-04 21:57:21 +11:00
parent 1aed65eb27
commit 017d1e777e
3 changed files with 48 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@ -35,6 +35,10 @@
authentication. authentication.
feedback and ok markus@ feedback and ok markus@
- djm@cvs.openbsd.org 2010/03/03 00:47:23
[regress/cert-hostkey.sh regress/cert-userkey.sh]
add an extra test to ensure that authentication with the wrong
certificate fails as it should (and it does)
20100303 20100303
- (djm) [PROTOCOL.certkeys] Add RCS Ident - (djm) [PROTOCOL.certkeys] Add RCS Ident

29
regress/cert-hostkey.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: cert-hostkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $ # $OpenBSD: cert-hostkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="certified host keys" tid="certified host keys"
@ -119,4 +119,31 @@ for ktype in rsa dsa ; do
fi fi
done done
# Wrong certificate
(
echon '@cert-authority '
echon "$HOSTS "
cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert
for ktype in rsa dsa ; do
# Self-sign key
${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \
-I "regress host key for $USER" \
-n $HOSTS $OBJ/cert_host_key_${ktype} ||
fail "couldn't sign cert_host_key_${ktype}"
verbose "$tid: host ${ktype} connect wrong cert"
(
cat $OBJ/sshd_proxy_bak
echo HostKey $OBJ/cert_host_key_${ktype}
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
) > $OBJ/sshd_proxy
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect $ident succeeded unexpectedly"
fi
done
rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*

18
regress/cert-userkey.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: cert-userkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $ # $OpenBSD: cert-userkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="certified user keys" tid="certified user keys"
@ -24,7 +24,6 @@ for ktype in rsa dsa ; do
"regress user key for $USER" \ "regress user key for $USER" \
-n $USER $OBJ/cert_user_key_${ktype} || -n $USER $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}" fail "couldn't sign cert_user_key_${ktype}"
done done
# Basic connect tests # Basic connect tests
@ -86,4 +85,19 @@ test_one "cert valid interval" success "-V-1w:+2w"
test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8" test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8"
test_one "force-command" failure "-Oforce-command=false" test_one "force-command" failure "-Oforce-command=false"
# Wrong certificate
for ktype in rsa dsa ; do
# Self-sign
${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
"regress user key for $USER" \
-n $USER $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}"
verbose "$tid: user ${ktype} connect wrong cert"
${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect $ident succeeded unexpectedly"
fi
done
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*