upstream: explicitly include RSA/SHA-2 keytypes in
PubkeyAcceptedKeyTypes here OpenBSD-Regress-ID: 954d19e0032a74e31697fb1dc7e7d3d1b2d65fe9
This commit is contained in:
parent
037fdc1dc2
commit
3a43297ce2
|
@ -1,4 +1,4 @@
|
||||||
# $OpenBSD: limit-keytype.sh,v 1.4 2015/10/29 08:05:17 djm Exp $
|
# $OpenBSD: limit-keytype.sh,v 1.5 2018/03/12 00:52:57 djm Exp $
|
||||||
# Placed in the Public Domain.
|
# Placed in the Public Domain.
|
||||||
|
|
||||||
tid="restrict pubkey type"
|
tid="restrict pubkey type"
|
||||||
|
@ -60,7 +60,8 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
|
||||||
|
|
||||||
# Allow plain Ed25519 and RSA. The certificate should fail.
|
# Allow plain Ed25519 and RSA. The certificate should fail.
|
||||||
verbose "allow rsa,ed25519"
|
verbose "allow rsa,ed25519"
|
||||||
prepare_config "PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519"
|
prepare_config \
|
||||||
|
"PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-ed25519"
|
||||||
${SSH} $certopts proxy true && fatal "cert succeeded"
|
${SSH} $certopts proxy true && fatal "cert succeeded"
|
||||||
${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
|
${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
|
||||||
${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
|
${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
|
||||||
|
@ -74,14 +75,14 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
|
||||||
|
|
||||||
# Allow all certs. Plain keys should fail.
|
# Allow all certs. Plain keys should fail.
|
||||||
verbose "allow cert only"
|
verbose "allow cert only"
|
||||||
prepare_config "PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com"
|
prepare_config "PubkeyAcceptedKeyTypes *-cert-v01@openssh.com"
|
||||||
${SSH} $certopts proxy true || fatal "cert failed"
|
${SSH} $certopts proxy true || fatal "cert failed"
|
||||||
${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
|
${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
|
||||||
${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
|
${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
|
||||||
|
|
||||||
# Allow RSA in main config, Ed25519 for non-existent user.
|
# Allow RSA in main config, Ed25519 for non-existent user.
|
||||||
verbose "match w/ no match"
|
verbose "match w/ no match"
|
||||||
prepare_config "PubkeyAcceptedKeyTypes ssh-rsa" \
|
prepare_config "PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa" \
|
||||||
"Match user x$USER" "PubkeyAcceptedKeyTypes +ssh-ed25519"
|
"Match user x$USER" "PubkeyAcceptedKeyTypes +ssh-ed25519"
|
||||||
${SSH} $certopts proxy true && fatal "cert succeeded"
|
${SSH} $certopts proxy true && fatal "cert succeeded"
|
||||||
${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
|
${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
|
||||||
|
|
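Review bot: The new PubkeyAcceptedKeyTypes lists in the "allow rsa,ed25519" and "match w/ no match" blocks now name rsa-sha2-256 and rsa-sha2-512 next to ssh-rsa, but the comment above the first of them still reads as if ssh-rsa alone covered RSA, so the reason for the longer list is lost to the next reader; I would extend it to `# Allow plain Ed25519 and RSA (all RSA signature names, not just ssh-rsa). The certificate should fail.` and add the same parenthetical to the "Allow RSA in main config" comment. In the "allow cert only" block the glob was widened from `ssh-*-cert-v01@openssh.com` to `*-cert-v01@openssh.com`, presumably so that the rsa-sha2-*-cert and ecdsa-sha2-*-cert names match as well; that also deserves a one-line comment, since the wider pattern is the only thing keeping the positive cert check meaningful. Whether the rsa-sha2 names are strictly required for user_key1/user_key2 to authenticate cannot be confirmed from this page, since the key generation is outside the shown hunks.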