upstream commit

explicitly test all key types and their certificate counterparts refactor a little OpenBSD-Regress-ID: e9ecd5580821b9ef8b7106919c6980d8e45ca8c4
2017-12-19 00:49:30 +00:00 · 2017-12-19 00:49:30 +00:00 · c5a6cbdb79
parent f689adb7a3
commit c5a6cbdb79
1 changed files with 93 additions and 53 deletions
--- a/regress/agent.sh
+++ b/regress/agent.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: agent.sh,v 1.12 2017/04/30 23:34:55 djm Exp $
+#	$OpenBSD: agent.sh,v 1.13 2017/12/19 00:49:30 djm Exp $
 #	Placed in the Public Domain.

 tid="simple agent test"
@ -12,66 +12,106 @@ trace "start agent"
 eval `${SSHAGENT} -s` > /dev/null
 r=$?
 if [ $r -ne 0 ]; then
-	fail "could not start ssh-agent: exit code $r"
-else
-	${SSHADD} -l > /dev/null 2>&1
-	if [ $? -ne 1 ]; then
-		fail "ssh-add -l did not fail with exit code 1"
-	fi
-	trace "overwrite authorized keys"
-	printf '' > $OBJ/authorized_keys_$USER
-	for t in ${SSH_KEYTYPES}; do
-		# generate user key for agent
-		rm -f $OBJ/$t-agent
-		${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
-			 fail "ssh-keygen for $t-agent failed"
-		# add to authorized keys
-		cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
-		# add privat key to agent
-		${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
-		if [ $? -ne 0 ]; then
-			fail "ssh-add did succeed exit code 0"
-		fi
-	done
-	${SSHADD} -l > /dev/null 2>&1
-	r=$?
-	if [ $r -ne 0 ]; then
-		fail "ssh-add -l failed: exit code $r"
-	fi
-	# the same for full pubkey output
-	${SSHADD} -L > /dev/null 2>&1
-	r=$?
-	if [ $r -ne 0 ]; then
-		fail "ssh-add -L failed: exit code $r"
-	fi
+	fatal "could not start ssh-agent: exit code $r"
+fi

-	trace "simple connect via agent"
-	${SSH} -F $OBJ/ssh_proxy somehost exit 52
+${SSHADD} -l > /dev/null 2>&1
+if [ $? -ne 1 ]; then
+	fail "ssh-add -l did not fail with exit code 1"
+fi
+
+rm -f $OBJ/user_ca_key $OBJ/user_ca_key.pub
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \
+	|| fatal "ssh-keygen failed"
+
+trace "overwrite authorized keys"
+printf '' > $OBJ/authorized_keys_$USER
+
+for t in ${SSH_KEYTYPES}; do
+	# generate user key for agent
+	rm -f $OBJ/$t-agent $OBJ/$t-agent.pub*
+	${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
+		 fatal "ssh-keygen for $t-agent failed"
+	# Make a certificate for each too.
+	${SSHKEYGEN} -qs $OBJ/user_ca_key -I "$t cert" \
+		-n estragon $OBJ/$t-agent.pub || fatal "ca sign failed"
+
+	# add to authorized keys
+	cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
+	# add privat key to agent
+	${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
+	if [ $? -ne 0 ]; then
+		fail "ssh-add did succeed exit code 0"
+	fi
+	# Remove private key to ensure that we aren't accidentally using it.
+	rm -f $OBJ/$t-agent
+done
+
+# Remove explicit identity directives from ssh_proxy
+mv $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
+grep -vi identityfile $OBJ/ssh_proxy_bak > $OBJ/ssh_proxy
+
+${SSHADD} -l > /dev/null 2>&1
+r=$?
+if [ $r -ne 0 ]; then
+	fail "ssh-add -l failed: exit code $r"
+fi
+# the same for full pubkey output
+${SSHADD} -L > /dev/null 2>&1
+r=$?
+if [ $r -ne 0 ]; then
+	fail "ssh-add -L failed: exit code $r"
+fi
+
+trace "simple connect via agent"
+${SSH} -F $OBJ/ssh_proxy somehost exit 52
+r=$?
+if [ $r -ne 52 ]; then
+	fail "ssh connect with failed (exit code $r)"
+fi
+
+for t in ${SSH_KEYTYPES}; do
+	trace "connect via agent using $t key"
+	${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub -oIdentitiesOnly=yes \
+		somehost exit 52
 	r=$?
 	if [ $r -ne 52 ]; then
 		fail "ssh connect with failed (exit code $r)"
 	fi
+done

-	trace "agent forwarding"
-	${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
-	r=$?
-	if [ $r -ne 0 ]; then
-		fail "ssh-add -l via agent fwd failed (exit code $r)"
-	fi
-	${SSH} -A -F $OBJ/ssh_proxy somehost \
-		"${SSH} -F $OBJ/ssh_proxy somehost exit 52"
+trace "agent forwarding"
+${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
+r=$?
+if [ $r -ne 0 ]; then
+	fail "ssh-add -l via agent fwd failed (exit code $r)"
+fi
+${SSH} -A -F $OBJ/ssh_proxy somehost \
+	"${SSH} -F $OBJ/ssh_proxy somehost exit 52"
+r=$?
+if [ $r -ne 52 ]; then
+	fail "agent fwd failed (exit code $r)"
+fi
+
+(printf 'cert-authority,principals="estragon" '; cat $OBJ/user_ca_key.pub) \
+	> $OBJ/authorized_keys_$USER
+for t in ${SSH_KEYTYPES}; do
+	trace "connect via agent using $t key"
+	${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub \
+		-oCertificateFile=$OBJ/$t-agent-cert.pub \
+		-oIdentitiesOnly=yes somehost exit 52
 	r=$?
 	if [ $r -ne 52 ]; then
-		fail "agent fwd failed (exit code $r)"
+		fail "ssh connect with failed (exit code $r)"
 	fi
+done

-	trace "delete all agent keys"
-	${SSHADD} -D > /dev/null 2>&1
-	r=$?
-	if [ $r -ne 0 ]; then
-		fail "ssh-add -D failed: exit code $r"
-	fi
-
-	trace "kill agent"
-	${SSHAGENT} -k > /dev/null
+trace "delete all agent keys"
+${SSHADD} -D > /dev/null 2>&1
+r=$?
+if [ $r -ne 0 ]; then
+	fail "ssh-add -D failed: exit code $r"
 fi
+
+trace "kill agent"
+${SSHAGENT} -k > /dev/null