upstream: s/PubkeyAcceptedKeyTypes/PubkeyAcceptedAlgorithms/

OpenBSD-Regress-ID: 3dbc005fa29f69dc23d97e433b6dffed6fe7cb69
djm@openbsd.org 2021-02-25 03:27:34 +00:00 committed by Damien Miller
parent 2dd9870c16
commit 9beeab8a37
5 changed files with 29 additions and 29 deletions


@ -1,4 +1,4 @@
# $OpenBSD: agent.sh,v 1.19 2020/07/15 04:55:47 dtucker Exp $ # $OpenBSD: agent.sh,v 1.20 2021/02/25 03:27:34 djm Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="simple agent test" tid="simple agent test"
@ -87,8 +87,8 @@ fi
for t in ${SSH_KEYTYPES}; do for t in ${SSH_KEYTYPES}; do
trace "connect via agent using $t key" trace "connect via agent using $t key"
if [ "$t" = "ssh-dss" ]; then if [ "$t" = "ssh-dss" ]; then
echo "PubkeyAcceptedKeyTypes +ssh-dss" >> $OBJ/ssh_proxy echo "PubkeyAcceptedAlgorithms +ssh-dss" >> $OBJ/ssh_proxy
echo "PubkeyAcceptedKeyTypes +ssh-dss" >> $OBJ/sshd_proxy echo "PubkeyAcceptedAlgorithms +ssh-dss" >> $OBJ/sshd_proxy
fi fi
${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub -oIdentitiesOnly=yes \ ${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub -oIdentitiesOnly=yes \
somehost exit 52 somehost exit 52


@ -1,4 +1,4 @@
# $OpenBSD: cert-hostkey.sh,v 1.23 2020/01/03 03:02:26 djm Exp $ # $OpenBSD: cert-hostkey.sh,v 1.24 2021/02/25 03:27:34 djm Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="certified host keys" tid="certified host keys"
@ -29,12 +29,12 @@ for i in `$SSH -Q key | maybe_filter_sk`; do
done done
( (
echo "HostKeyAlgorithms ${types}" echo "HostKeyAlgorithms ${types}"
echo "PubkeyAcceptedKeyTypes *" echo "PubkeyAcceptedAlgorithms *"
) >> $OBJ/ssh_proxy ) >> $OBJ/ssh_proxy
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
( (
echo "HostKeyAlgorithms *" echo "HostKeyAlgorithms *"
echo "PubkeyAcceptedKeyTypes *" echo "PubkeyAcceptedAlgorithms *"
) >> $OBJ/sshd_proxy_bak ) >> $OBJ/sshd_proxy_bak
HOSTS='localhost-with-alias,127.0.0.1,::1' HOSTS='localhost-with-alias,127.0.0.1,::1'


@ -1,4 +1,4 @@
# $OpenBSD: cert-userkey.sh,v 1.25 2020/01/03 03:02:26 djm Exp $ # $OpenBSD: cert-userkey.sh,v 1.26 2021/02/25 03:27:34 djm Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="certified user keys" tid="certified user keys"
@ -71,11 +71,11 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
echo "AuthorizedPrincipalsFile " \ echo "AuthorizedPrincipalsFile " \
"$OBJ/authorized_principals_%u" "$OBJ/authorized_principals_%u"
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
echo "PubkeyAcceptedKeyTypes ${t}" echo "PubkeyAcceptedAlgorithms ${t}"
) > $OBJ/sshd_proxy ) > $OBJ/sshd_proxy
( (
cat $OBJ/ssh_proxy_bak cat $OBJ/ssh_proxy_bak
echo "PubkeyAcceptedKeyTypes ${t}" echo "PubkeyAcceptedAlgorithms ${t}"
) > $OBJ/ssh_proxy ) > $OBJ/ssh_proxy
# Missing authorized_principals # Missing authorized_principals
@ -149,11 +149,11 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
( (
cat $OBJ/sshd_proxy_bak cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep" echo "UsePrivilegeSeparation $privsep"
echo "PubkeyAcceptedKeyTypes ${t}" echo "PubkeyAcceptedAlgorithms ${t}"
) > $OBJ/sshd_proxy ) > $OBJ/sshd_proxy
( (
cat $OBJ/ssh_proxy_bak cat $OBJ/ssh_proxy_bak
echo "PubkeyAcceptedKeyTypes ${t}" echo "PubkeyAcceptedAlgorithms ${t}"
) > $OBJ/ssh_proxy ) > $OBJ/ssh_proxy
# Wrong principals list # Wrong principals list
@ -204,12 +204,12 @@ basic_tests() {
( (
cat $OBJ/sshd_proxy_bak cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep" echo "UsePrivilegeSeparation $privsep"
echo "PubkeyAcceptedKeyTypes ${t}" echo "PubkeyAcceptedAlgorithms ${t}"
echo "$extra_sshd" echo "$extra_sshd"
) > $OBJ/sshd_proxy ) > $OBJ/sshd_proxy
( (
cat $OBJ/ssh_proxy_bak cat $OBJ/ssh_proxy_bak
echo "PubkeyAcceptedKeyTypes ${t}" echo "PubkeyAcceptedAlgorithms ${t}"
) > $OBJ/ssh_proxy ) > $OBJ/ssh_proxy
${SSH} -i $OBJ/cert_user_key_${ktype} \ ${SSH} -i $OBJ/cert_user_key_${ktype} \
@ -224,7 +224,7 @@ basic_tests() {
cat $OBJ/sshd_proxy_bak cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep" echo "UsePrivilegeSeparation $privsep"
echo "RevokedKeys $OBJ/cert_user_key_revoked" echo "RevokedKeys $OBJ/cert_user_key_revoked"
echo "PubkeyAcceptedKeyTypes ${t}" echo "PubkeyAcceptedAlgorithms ${t}"
echo "$extra_sshd" echo "$extra_sshd"
) > $OBJ/sshd_proxy ) > $OBJ/sshd_proxy
cp $OBJ/cert_user_key_${ktype}.pub \ cp $OBJ/cert_user_key_${ktype}.pub \
@ -257,7 +257,7 @@ basic_tests() {
( (
cat $OBJ/sshd_proxy_bak cat $OBJ/sshd_proxy_bak
echo "RevokedKeys $OBJ/user_ca_key.pub" echo "RevokedKeys $OBJ/user_ca_key.pub"
echo "PubkeyAcceptedKeyTypes ${t}" echo "PubkeyAcceptedAlgorithms ${t}"
echo "$extra_sshd" echo "$extra_sshd"
) > $OBJ/sshd_proxy ) > $OBJ/sshd_proxy
${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
@ -270,7 +270,7 @@ basic_tests() {
verbose "$tid: $auth CA does not authenticate" verbose "$tid: $auth CA does not authenticate"
( (
cat $OBJ/sshd_proxy_bak cat $OBJ/sshd_proxy_bak
echo "PubkeyAcceptedKeyTypes ${t}" echo "PubkeyAcceptedAlgorithms ${t}"
echo "$extra_sshd" echo "$extra_sshd"
) > $OBJ/sshd_proxy ) > $OBJ/sshd_proxy
verbose "$tid: ensure CA key does not authenticate user" verbose "$tid: ensure CA key does not authenticate user"
@ -308,7 +308,7 @@ test_one() {
echo > $OBJ/authorized_keys_$USER echo > $OBJ/authorized_keys_$USER
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
>> $OBJ/sshd_proxy >> $OBJ/sshd_proxy
echo "PubkeyAcceptedKeyTypes ${t}*" \ echo "PubkeyAcceptedAlgorithms ${t}*" \
>> $OBJ/sshd_proxy >> $OBJ/sshd_proxy
if test "x$auth_opt" != "x" ; then if test "x$auth_opt" != "x" ; then
echo $auth_opt >> $OBJ/sshd_proxy echo $auth_opt >> $OBJ/sshd_proxy


@ -1,4 +1,4 @@
# $OpenBSD: keytype.sh,v 1.10 2019/12/16 02:39:05 djm Exp $ # $OpenBSD: keytype.sh,v 1.11 2021/02/25 03:27:34 djm Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="login with different key types" tid="login with different key types"
@ -58,13 +58,13 @@ for ut in $ktypes; do
( (
grep -v HostKey $OBJ/sshd_proxy_bak grep -v HostKey $OBJ/sshd_proxy_bak
echo HostKey $OBJ/key.$ht echo HostKey $OBJ/key.$ht
echo PubkeyAcceptedKeyTypes $user_type echo PubkeyAcceptedAlgorithms $user_type
echo HostKeyAlgorithms $host_type echo HostKeyAlgorithms $host_type
) > $OBJ/sshd_proxy ) > $OBJ/sshd_proxy
( (
grep -v IdentityFile $OBJ/ssh_proxy_bak grep -v IdentityFile $OBJ/ssh_proxy_bak
echo IdentityFile $OBJ/key.$ut echo IdentityFile $OBJ/key.$ut
echo PubkeyAcceptedKeyTypes $user_type echo PubkeyAcceptedAlgorithms $user_type
echo HostKeyAlgorithms $host_type echo HostKeyAlgorithms $host_type
) > $OBJ/ssh_proxy ) > $OBJ/ssh_proxy
( (


@ -1,4 +1,4 @@
# $OpenBSD: limit-keytype.sh,v 1.9 2019/12/16 02:39:05 djm Exp $ # $OpenBSD: limit-keytype.sh,v 1.10 2021/02/25 03:27:34 djm Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="restrict pubkey type" tid="restrict pubkey type"
@ -69,7 +69,7 @@ prepare_config() {
) > $OBJ/sshd_proxy ) > $OBJ/sshd_proxy
} }
# Return the required parameter for PubkeyAcceptedKeyTypes corresponding to # Return the required parameter for PubkeyAcceptedAlgorithms corresponding to
# the supplied key type. # the supplied key type.
keytype() { keytype() {
case "$1" in case "$1" in
@ -92,14 +92,14 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
# Allow plain Ed25519 and RSA. The certificate should fail. # Allow plain Ed25519 and RSA. The certificate should fail.
verbose "allow $ktype2,$ktype1" verbose "allow $ktype2,$ktype1"
prepare_config \ prepare_config \
"PubkeyAcceptedKeyTypes `keytype $ktype2`,`keytype $ktype1`" "PubkeyAcceptedAlgorithms `keytype $ktype2`,`keytype $ktype1`"
${SSH} $certopts proxy true && fatal "cert succeeded" ${SSH} $certopts proxy true && fatal "cert succeeded"
${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
# Allow Ed25519 only. # Allow Ed25519 only.
verbose "allow $ktype1" verbose "allow $ktype1"
prepare_config "PubkeyAcceptedKeyTypes `keytype $ktype1`" prepare_config "PubkeyAcceptedAlgorithms `keytype $ktype1`"
${SSH} $certopts proxy true && fatal "cert succeeded" ${SSH} $certopts proxy true && fatal "cert succeeded"
${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
if [ "$ktype1" != "$ktype2" ]; then if [ "$ktype1" != "$ktype2" ]; then
@ -108,15 +108,15 @@ fi
# Allow all certs. Plain keys should fail. # Allow all certs. Plain keys should fail.
verbose "allow cert only" verbose "allow cert only"
prepare_config "PubkeyAcceptedKeyTypes *-cert-v01@openssh.com" prepare_config "PubkeyAcceptedAlgorithms *-cert-v01@openssh.com"
${SSH} $certopts proxy true || fatal "cert failed" ${SSH} $certopts proxy true || fatal "cert failed"
${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded" ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded" ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
# Allow RSA in main config, Ed25519 for non-existent user. # Allow RSA in main config, Ed25519 for non-existent user.
verbose "match w/ no match" verbose "match w/ no match"
prepare_config "PubkeyAcceptedKeyTypes `keytype $ktype2`" \ prepare_config "PubkeyAcceptedAlgorithms `keytype $ktype2`" \
"Match user x$USER" "PubkeyAcceptedKeyTypes +`keytype $ktype1`" "Match user x$USER" "PubkeyAcceptedAlgorithms +`keytype $ktype1`"
${SSH} $certopts proxy true && fatal "cert succeeded" ${SSH} $certopts proxy true && fatal "cert succeeded"
if [ "$ktype1" != "$ktype2" ]; then if [ "$ktype1" != "$ktype2" ]; then
${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded" ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
@ -125,8 +125,8 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
# Allow only DSA in main config, Ed25519 for user. # Allow only DSA in main config, Ed25519 for user.
verbose "match w/ matching" verbose "match w/ matching"
prepare_config "PubkeyAcceptedKeyTypes `keytype $ktype4`" \ prepare_config "PubkeyAcceptedAlgorithms `keytype $ktype4`" \
"Match user $USER" "PubkeyAcceptedKeyTypes +`keytype $ktype1`" "Match user $USER" "PubkeyAcceptedAlgorithms +`keytype $ktype1`"
${SSH} $certopts proxy true || fatal "cert failed" ${SSH} $certopts proxy true || fatal "cert failed"
${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
${SSH} $opts -i $OBJ/user_key4 proxy true && fatal "key4 succeeded" ${SSH} $opts -i $OBJ/user_key4 proxy true && fatal "key4 succeeded"