- djm@cvs.openbsd.org 2010/03/04 10:38:23

[regress/cert-hostkey.sh regress/cert-userkey.sh]
     additional regression tests for revoked keys and TrustedUserCAKeys
Damien Miller 2010-03-04 21:58:01 +11:00
parent 017d1e777e
commit 700dcfa3e0
3 changed files with 185 additions and 47 deletions


@ -39,6 +39,9 @@
[regress/cert-hostkey.sh regress/cert-userkey.sh] [regress/cert-hostkey.sh regress/cert-userkey.sh]
add an extra test to ensure that authentication with the wrong add an extra test to ensure that authentication with the wrong
certificate fails as it should (and it does) certificate fails as it should (and it does)
- djm@cvs.openbsd.org 2010/03/04 10:38:23
[regress/cert-hostkey.sh regress/cert-userkey.sh]
additional regression tests for revoked keys and TrustedUserCAKeys
20100303 20100303
- (djm) [PROTOCOL.certkeys] Add RCS Ident - (djm) [PROTOCOL.certkeys] Add RCS Ident


@ -1,4 +1,4 @@
# $OpenBSD: cert-hostkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $ # $OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="certified host keys" tid="certified host keys"
@ -50,6 +50,68 @@ for privsep in yes no ; do
done done
done done
# Revoked certificates with key present
(
echon '@cert-authority '
echon "$HOSTS "
cat $OBJ/host_ca_key.pub
echon '@revoked '
echon "* "
cat $OBJ/cert_host_key_rsa.pub
echon '@revoked '
echon "* "
cat $OBJ/cert_host_key_dsa.pub
) > $OBJ/known_hosts-cert
for privsep in yes no ; do
for ktype in rsa dsa ; do
verbose "$tid: host ${ktype} revoked cert privsep $privsep"
(
cat $OBJ/sshd_proxy_bak
echo HostKey $OBJ/cert_host_key_${ktype}
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
echo UsePrivilegeSeparation $privsep
) > $OBJ/sshd_proxy
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
fi
done
done
# Revoked CA
(
echon '@cert-authority '
echon "$HOSTS "
cat $OBJ/host_ca_key.pub
echon '@revoked '
echon "* "
cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert
for ktype in rsa dsa ; do
verbose "$tid: host ${ktype} revoked cert"
(
cat $OBJ/sshd_proxy_bak
echo HostKey $OBJ/cert_host_key_${ktype}
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
) > $OBJ/sshd_proxy
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
fi
done
# Create a CA key and add it to known hosts
(
echon '@cert-authority '
echon "$HOSTS "
cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert
test_one() { test_one() {
ident=$1 ident=$1
result=$2 result=$2
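Review bot: The `verbose` label in the "Revoked CA" loop reads `host ${ktype} revoked cert`, the same wording as the revoked-certificate loop above it, so a failure in the log does not say which revocation path broke; `verbose "$tid: host ${ktype} revoked CA"` would tell them apart. Both new loops also count any non-zero exit from `${SSH}` as a pass and discard its output with `>/dev/null 2>&1`, so a connection that fails for a reason unrelated to the `@revoked` line (a malformed `sshd_proxy`, a missing key file) would go unnoticed. They presumably rely on the positive connect loop that ends just above this hunk, outside the visible lines, to prove the setup itself works. A one-line comment such as `# negative test: relies on the connect loop above to show this setup works without @revoked` would make that dependency explicit.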


@ -1,4 +1,4 @@
# $OpenBSD: cert-userkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $ # $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="certified user keys" tid="certified user keys"
@ -6,13 +6,9 @@ tid="certified user keys"
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
# Create a CA key and add it to authorized_keys # Create a CA key
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
fail "ssh-keygen of user_ca_key failed" fail "ssh-keygen of user_ca_key failed"
(
echon 'cert-authority '
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
# Generate and sign user keys # Generate and sign user keys
for ktype in rsa dsa ; do for ktype in rsa dsa ; do
@ -26,37 +22,109 @@ for ktype in rsa dsa ; do
fail "couldn't sign cert_user_key_${ktype}" fail "couldn't sign cert_user_key_${ktype}"
done done
# Basic connect tests basic_tests() {
for privsep in yes no ; do auth=$1
if test "x$auth" = "xauthorized_keys" ; then
# Add CA to authorized_keys
(
echon 'cert-authority '
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
else
echo > $OBJ/authorized_keys_$USER
extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
fi
for ktype in rsa dsa ; do for ktype in rsa dsa ; do
verbose "$tid: user ${ktype} cert connect privsep $privsep" for privsep in yes no ; do
_prefix="${ktype} privsep $privsep $auth"
# Simple connect
verbose "$tid: ${_prefix} connect"
( (
cat $OBJ/sshd_proxy_bak cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep" echo "UsePrivilegeSeparation $privsep"
echo "$extra_sshd"
) > $OBJ/sshd_proxy ) > $OBJ/sshd_proxy
${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ ${SSH} -2i $OBJ/cert_user_key_${ktype} \
somehost true -F $OBJ/ssh_proxy somehost true
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
fail "ssh cert connect failed" fail "ssh cert connect failed"
fi fi
done
# Revoked keys
verbose "$tid: ${_prefix} revoked key"
(
cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep"
echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpecedly"
fi
done done
# Revoked CA
verbose "$tid: ${ktype} $auth revoked CA key"
(
cat $OBJ/sshd_proxy_bak
echo "RevokedKeys $OBJ/user_ca_key.pub"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpecedly"
fi
done
verbose "$tid: $auth CA does not authenticate"
(
cat $OBJ/sshd_proxy_bak
echo "$extra_sshd"
) > $OBJ/sshd_proxy
verbose "$tid: ensure CA key does not authenticate user" verbose "$tid: ensure CA key does not authenticate user"
${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 ${SSH} -2i $OBJ/user_ca_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
fail "ssh cert connect with CA key succeeded unexpectedly" fail "ssh cert connect with CA key succeeded unexpectedly"
fi fi
}
basic_tests authorized_keys
basic_tests TrustedUserCAKeys
test_one() { test_one() {
ident=$1 ident=$1
result=$2 result=$2
sign_opts=$3 sign_opts=$3
auth_choice=$4
verbose "$tid: test user cert connect $ident expect $result" if test "x$auth_choice" = "x" ; then
auth_choice="authorized_keys TrustedUserCAKeys"
fi
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ for auth in $auth_choice ; do
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
if test "x$auth" = "xauthorized_keys" ; then
# Add CA to authorized_keys
(
echon 'cert-authority '
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
else
echo > $OBJ/authorized_keys_$USER
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \
$OBJ/sshd_proxy
fi
verbose "$tid: $ident auth $auth expect $result"
${SSHKEYGEN} -q -s $OBJ/user_ca_key \
-I "regress user key for $USER" \
$sign_opts \ $sign_opts \
$OBJ/cert_user_key_rsa || $OBJ/cert_user_key_rsa ||
fail "couldn't sign cert_user_key_rsa" fail "couldn't sign cert_user_key_rsa"
@ -66,24 +134,28 @@ test_one() {
rc=$? rc=$?
if [ "x$result" = "xsuccess" ] ; then if [ "x$result" = "xsuccess" ] ; then
if [ $rc -ne 0 ]; then if [ $rc -ne 0 ]; then
fail "ssh cert connect $ident failed unexpectedly" fail "$ident failed unexpectedly"
fi fi
else else
if [ $rc -eq 0 ]; then if [ $rc -eq 0 ]; then
fail "ssh cert connect $ident succeeded unexpectedly" fail "$ident succeeded unexpectedly"
fi fi
fi fi
cleanup done
} }
test_one "host-certificate" failure "-h" test_one "correct principal" success "-n ${USER}"
test_one "empty principals" success "" test_one "host-certificate" failure "-n ${USER} -h"
test_one "wrong principals" failure "-n foo" test_one "wrong principals" failure "-n foo"
test_one "cert not yet valid" failure "-V20200101:20300101" test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
test_one "cert expired" failure "-V19800101:19900101" test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
test_one "cert valid interval" success "-V-1w:+2w" test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8" test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
test_one "force-command" failure "-Oforce-command=false" test_one "force-command" failure "-n ${USER} -Oforce-command=false"
# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
test_one "empty principals" success "" authorized_keys
test_one "empty principals" failure "" TrustedUserCAKeys
# Wrong certificate # Wrong certificate
for ktype in rsa dsa ; do for ktype in rsa dsa ; do
@ -101,3 +173,4 @@ for ktype in rsa dsa ; do
done done
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
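Review bot: `extra_sshd` is assigned only in the `else` branch of `basic_tests`, so the `authorized_keys` run is correct only because the variable happens to be unset on the first call. If the two `basic_tests` calls were reordered or repeated, the `TrustedUserCAKeys` line would still be echoed into `sshd_proxy`, and the authorized_keys path would no longer be tested in isolation. Setting `extra_sshd=""` at the top of the function, before the `if test "x$auth" = ...` line, removes that coupling. The two new failure messages in the revoked-key and revoked-CA checks spell "unexpecedly", while the rest of the file uses "unexpectedly", which matters when grepping regress logs. This rendering has lost its +/- markers, so the exact placement should be confirmed against the file.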