mirror of
https://github.com/PowerShell/openssh-portable.git
synced 2025-07-27 07:44:29 +02:00
upstream: Remove references to privsep.
This removes several do..while loops but does not change the indentation of the now-shallower loops, which will be done in a separate whitespace-only commit to keep changes of style and substance separate. OpenBSD-Regress-ID: 4bed1a0249df7b4a87c965066ce689e79472a8f7
This commit is contained in:
dtucker@openbsd.org
Darren Tucker
parent
ece2fbe486
commit
ddcb53b7a7
@ -1,4 +1,4 @@
|
|||||||
# $OpenBSD: cert-hostkey.sh,v 1.25 2021/06/08 22:30:27 djm Exp $
|
# $OpenBSD: cert-hostkey.sh,v 1.26 2021/09/30 05:20:08 dtucker Exp $
|
||||||
# Placed in the Public Domain.
|
# Placed in the Public Domain.
|
||||||
|
|
||||||
tid="certified host keys"
|
tid="certified host keys"
|
||||||
@ -131,14 +131,12 @@ attempt_connect() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# Basic connect and revocation tests.
|
# Basic connect and revocation tests.
|
||||||
for privsep in yes ; do
|
|
||||||
for ktype in $PLAIN_TYPES ; do
|
for ktype in $PLAIN_TYPES ; do
|
||||||
verbose "$tid: host ${ktype} cert connect privsep $privsep"
|
verbose "$tid: host ${ktype} cert connect"
|
||||||
(
|
(
|
||||||
cat $OBJ/sshd_proxy_bak
|
cat $OBJ/sshd_proxy_bak
|
||||||
echo HostKey $OBJ/cert_host_key_${ktype}
|
echo HostKey $OBJ/cert_host_key_${ktype}
|
||||||
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
|
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
|
||||||
echo UsePrivilegeSeparation $privsep
|
|
||||||
) > $OBJ/sshd_proxy
|
) > $OBJ/sshd_proxy
|
||||||
|
|
||||||
# test name expect success
|
# test name expect success
|
||||||
@ -160,7 +158,6 @@ for privsep in yes ; do
|
|||||||
attempt_connect "$ktype CA plaintext revocation" "no" \
|
attempt_connect "$ktype CA plaintext revocation" "no" \
|
||||||
-oRevokedHostKeys=$OBJ/host_revoked_ca
|
-oRevokedHostKeys=$OBJ/host_revoked_ca
|
||||||
done
|
done
|
||||||
done
|
|
||||||
|
|
||||||
# Revoked certificates with key present
|
# Revoked certificates with key present
|
||||||
kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
|
kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
|
||||||
@ -169,14 +166,12 @@ for ktype in $PLAIN_TYPES ; do
|
|||||||
kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
|
kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
|
||||||
done
|
done
|
||||||
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
|
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
|
||||||
for privsep in yes ; do
|
|
||||||
for ktype in $PLAIN_TYPES ; do
|
for ktype in $PLAIN_TYPES ; do
|
||||||
verbose "$tid: host ${ktype} revoked cert privsep $privsep"
|
verbose "$tid: host ${ktype} revoked cert"
|
||||||
(
|
(
|
||||||
cat $OBJ/sshd_proxy_bak
|
cat $OBJ/sshd_proxy_bak
|
||||||
echo HostKey $OBJ/cert_host_key_${ktype}
|
echo HostKey $OBJ/cert_host_key_${ktype}
|
||||||
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
|
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
|
||||||
echo UsePrivilegeSeparation $privsep
|
|
||||||
) > $OBJ/sshd_proxy
|
) > $OBJ/sshd_proxy
|
||||||
|
|
||||||
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
|
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
|
||||||
@ -187,7 +182,6 @@ for privsep in yes ; do
|
|||||||
fail "ssh cert connect succeeded unexpectedly"
|
fail "ssh cert connect succeeded unexpectedly"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
done
|
|
||||||
|
|
||||||
# Revoked CA
|
# Revoked CA
|
||||||
kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
|
kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
|
||||||
|
|||||||
@ -1,4 +1,4 @@
|
|||||||
# $OpenBSD: cert-userkey.sh,v 1.26 2021/02/25 03:27:34 djm Exp $
|
# $OpenBSD: cert-userkey.sh,v 1.27 2021/09/30 05:20:08 dtucker Exp $
|
||||||
# Placed in the Public Domain.
|
# Placed in the Public Domain.
|
||||||
|
|
||||||
tid="certified user keys"
|
tid="certified user keys"
|
||||||
@ -60,14 +60,12 @@ done
|
|||||||
# Test explicitly-specified principals
|
# Test explicitly-specified principals
|
||||||
for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
|
for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
|
||||||
t=$(kname $ktype)
|
t=$(kname $ktype)
|
||||||
for privsep in yes ; do
|
_prefix="${ktype}"
|
||||||
_prefix="${ktype} privsep $privsep"
|
|
||||||
|
|
||||||
# Setup for AuthorizedPrincipalsFile
|
# Setup for AuthorizedPrincipalsFile
|
||||||
rm -f $OBJ/authorized_keys_$USER
|
rm -f $OBJ/authorized_keys_$USER
|
||||||
(
|
(
|
||||||
cat $OBJ/sshd_proxy_bak
|
cat $OBJ/sshd_proxy_bak
|
||||||
echo "UsePrivilegeSeparation $privsep"
|
|
||||||
echo "AuthorizedPrincipalsFile " \
|
echo "AuthorizedPrincipalsFile " \
|
||||||
"$OBJ/authorized_principals_%u"
|
"$OBJ/authorized_principals_%u"
|
||||||
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
|
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
|
||||||
@ -148,7 +146,6 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
|
|||||||
rm -f $OBJ/authorized_principals_$USER
|
rm -f $OBJ/authorized_principals_$USER
|
||||||
(
|
(
|
||||||
cat $OBJ/sshd_proxy_bak
|
cat $OBJ/sshd_proxy_bak
|
||||||
echo "UsePrivilegeSeparation $privsep"
|
|
||||||
echo "PubkeyAcceptedAlgorithms ${t}"
|
echo "PubkeyAcceptedAlgorithms ${t}"
|
||||||
) > $OBJ/sshd_proxy
|
) > $OBJ/sshd_proxy
|
||||||
(
|
(
|
||||||
@ -180,7 +177,6 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
|
|||||||
fail "ssh cert connect failed"
|
fail "ssh cert connect failed"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
done
|
|
||||||
|
|
||||||
basic_tests() {
|
basic_tests() {
|
||||||
auth=$1
|
auth=$1
|
||||||
@ -197,13 +193,11 @@ basic_tests() {
|
|||||||
|
|
||||||
for ktype in $PLAIN_TYPES ; do
|
for ktype in $PLAIN_TYPES ; do
|
||||||
t=$(kname $ktype)
|
t=$(kname $ktype)
|
||||||
for privsep in yes ; do
|
_prefix="${ktype} $auth"
|
||||||
_prefix="${ktype} privsep $privsep $auth"
|
|
||||||
# Simple connect
|
# Simple connect
|
||||||
verbose "$tid: ${_prefix} connect"
|
verbose "$tid: ${_prefix} connect"
|
||||||
(
|
(
|
||||||
cat $OBJ/sshd_proxy_bak
|
cat $OBJ/sshd_proxy_bak
|
||||||
echo "UsePrivilegeSeparation $privsep"
|
|
||||||
echo "PubkeyAcceptedAlgorithms ${t}"
|
echo "PubkeyAcceptedAlgorithms ${t}"
|
||||||
echo "$extra_sshd"
|
echo "$extra_sshd"
|
||||||
) > $OBJ/sshd_proxy
|
) > $OBJ/sshd_proxy
|
||||||
@ -222,7 +216,6 @@ basic_tests() {
|
|||||||
verbose "$tid: ${_prefix} revoked key"
|
verbose "$tid: ${_prefix} revoked key"
|
||||||
(
|
(
|
||||||
cat $OBJ/sshd_proxy_bak
|
cat $OBJ/sshd_proxy_bak
|
||||||
echo "UsePrivilegeSeparation $privsep"
|
|
||||||
echo "RevokedKeys $OBJ/cert_user_key_revoked"
|
echo "RevokedKeys $OBJ/cert_user_key_revoked"
|
||||||
echo "PubkeyAcceptedAlgorithms ${t}"
|
echo "PubkeyAcceptedAlgorithms ${t}"
|
||||||
echo "$extra_sshd"
|
echo "$extra_sshd"
|
||||||
@ -265,7 +258,6 @@ basic_tests() {
|
|||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
fail "ssh cert connect succeeded unexpecedly"
|
fail "ssh cert connect succeeded unexpecedly"
|
||||||
fi
|
fi
|
||||||
done
|
|
||||||
|
|
||||||
verbose "$tid: $auth CA does not authenticate"
|
verbose "$tid: $auth CA does not authenticate"
|
||||||
(
|
(
|
||||||
|
|||||||
@ -1,4 +1,4 @@
|
|||||||
# $OpenBSD: hostkey-agent.sh,v 1.12 2021/09/29 01:32:21 djm Exp $
|
# $OpenBSD: hostkey-agent.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $
|
||||||
# Placed in the Public Domain.
|
# Placed in the Public Domain.
|
||||||
|
|
||||||
tid="hostkey agent"
|
tid="hostkey agent"
|
||||||
@ -45,7 +45,7 @@ for k in $SSH_KEYTYPES ; do
|
|||||||
fail "keytype $k failed"
|
fail "keytype $k failed"
|
||||||
fi
|
fi
|
||||||
if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
|
if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
|
||||||
fail "bad SSH_CONNECTION key type $k privsep=$ps"
|
fail "bad SSH_CONNECTION key type $k"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -78,7 +78,7 @@ for k in $SSH_CERTTYPES ; do
|
|||||||
fail "cert type $k failed"
|
fail "cert type $k failed"
|
||||||
fi
|
fi
|
||||||
if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
|
if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
|
||||||
fail "bad SSH_CONNECTION key type $k privsep=$ps"
|
fail "bad SSH_CONNECTION key type $k"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|||||||
@ -1,9 +1,9 @@
|
|||||||
# $OpenBSD: login-timeout.sh,v 1.9 2017/08/07 00:53:51 dtucker Exp $
|
# $OpenBSD: login-timeout.sh,v 1.10 2021/09/30 05:20:08 dtucker Exp $
|
||||||
# Placed in the Public Domain.
|
# Placed in the Public Domain.
|
||||||
|
|
||||||
tid="connect after login grace timeout"
|
tid="connect after login grace timeout"
|
||||||
|
|
||||||
trace "test login grace with privsep"
|
trace "test login grace time"
|
||||||
cp $OBJ/sshd_config $OBJ/sshd_config.orig
|
cp $OBJ/sshd_config $OBJ/sshd_config.orig
|
||||||
grep -vi LoginGraceTime $OBJ/sshd_config.orig > $OBJ/sshd_config
|
grep -vi LoginGraceTime $OBJ/sshd_config.orig > $OBJ/sshd_config
|
||||||
echo "LoginGraceTime 10s" >> $OBJ/sshd_config
|
echo "LoginGraceTime 10s" >> $OBJ/sshd_config
|
||||||
|
|||||||
@ -1,4 +1,4 @@
|
|||||||
# $OpenBSD: principals-command.sh,v 1.12 2021/09/30 04:22:50 dtucker Exp $
|
# $OpenBSD: principals-command.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $
|
||||||
# Placed in the Public Domain.
|
# Placed in the Public Domain.
|
||||||
|
|
||||||
tid="authorized principals command"
|
tid="authorized principals command"
|
||||||
@ -59,16 +59,16 @@ if ! $OBJ/check-perm -m keys-command $PRINCIPALS_COMMAND ; then
|
|||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -x $PRINCIPALS_COMMAND ]; then
|
if [ ! -x $PRINCIPALS_COMMAND ]; then
|
||||||
# Test explicitly-specified principals
|
skip "$PRINCIPALS_COMMAND not executable " \
|
||||||
for privsep in yes ; do
|
"(/var/run mounted noexec?)"
|
||||||
_prefix="privsep $privsep"
|
fi
|
||||||
|
|
||||||
|
#Test explicitly-specified principals
|
||||||
# Setup for AuthorizedPrincipalsCommand
|
# Setup for AuthorizedPrincipalsCommand
|
||||||
rm -f $OBJ/authorized_keys_$USER
|
rm -f $OBJ/authorized_keys_$USER
|
||||||
(
|
(
|
||||||
cat $OBJ/sshd_proxy_bak
|
cat $OBJ/sshd_proxy_bak
|
||||||
echo "UsePrivilegeSeparation $privsep"
|
|
||||||
echo "AuthorizedKeysFile none"
|
echo "AuthorizedKeysFile none"
|
||||||
echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
|
echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
|
||||||
"%u %t %T %i %s %F %f %k %K"
|
"%u %t %T %i %s %F %f %k %K"
|
||||||
@ -80,7 +80,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
|
|||||||
# XXX test failing command
|
# XXX test failing command
|
||||||
|
|
||||||
# Empty authorized_principals
|
# Empty authorized_principals
|
||||||
verbose "$tid: ${_prefix} empty authorized_principals"
|
verbose "$tid: empty authorized_principals"
|
||||||
echo > $OBJ/authorized_principals_$USER
|
echo > $OBJ/authorized_principals_$USER
|
||||||
${SSH} -i $OBJ/cert_user_key \
|
${SSH} -i $OBJ/cert_user_key \
|
||||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||||
@ -89,7 +89,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Wrong authorized_principals
|
# Wrong authorized_principals
|
||||||
verbose "$tid: ${_prefix} wrong authorized_principals"
|
verbose "$tid: wrong authorized_principals"
|
||||||
echo gregorsamsa > $OBJ/authorized_principals_$USER
|
echo gregorsamsa > $OBJ/authorized_principals_$USER
|
||||||
${SSH} -i $OBJ/cert_user_key \
|
${SSH} -i $OBJ/cert_user_key \
|
||||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||||
@ -98,7 +98,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Correct authorized_principals
|
# Correct authorized_principals
|
||||||
verbose "$tid: ${_prefix} correct authorized_principals"
|
verbose "$tid: correct authorized_principals"
|
||||||
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
|
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
|
||||||
${SSH} -i $OBJ/cert_user_key \
|
${SSH} -i $OBJ/cert_user_key \
|
||||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||||
@ -107,7 +107,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# authorized_principals with bad key option
|
# authorized_principals with bad key option
|
||||||
verbose "$tid: ${_prefix} authorized_principals bad key opt"
|
verbose "$tid: authorized_principals bad key opt"
|
||||||
echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
|
echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
|
||||||
${SSH} -i $OBJ/cert_user_key \
|
${SSH} -i $OBJ/cert_user_key \
|
||||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||||
@ -116,7 +116,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# authorized_principals with command=false
|
# authorized_principals with command=false
|
||||||
verbose "$tid: ${_prefix} authorized_principals command=false"
|
verbose "$tid: authorized_principals command=false"
|
||||||
echo 'command="false" mekmitasdigoat' > \
|
echo 'command="false" mekmitasdigoat' > \
|
||||||
$OBJ/authorized_principals_$USER
|
$OBJ/authorized_principals_$USER
|
||||||
${SSH} -i $OBJ/cert_user_key \
|
${SSH} -i $OBJ/cert_user_key \
|
||||||
@ -125,8 +125,9 @@ if [ -x $PRINCIPALS_COMMAND ]; then
|
|||||||
fail "ssh cert connect succeeded unexpectedly"
|
fail "ssh cert connect succeeded unexpectedly"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
# authorized_principals with command=true
|
# authorized_principals with command=true
|
||||||
verbose "$tid: ${_prefix} authorized_principals command=true"
|
verbose "$tid: authorized_principals command=true"
|
||||||
echo 'command="true" mekmitasdigoat' > \
|
echo 'command="true" mekmitasdigoat' > \
|
||||||
$OBJ/authorized_principals_$USER
|
$OBJ/authorized_principals_$USER
|
||||||
${SSH} -i $OBJ/cert_user_key \
|
${SSH} -i $OBJ/cert_user_key \
|
||||||
@ -136,14 +137,14 @@ if [ -x $PRINCIPALS_COMMAND ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Setup for principals= key option
|
# Setup for principals= key option
|
||||||
|
# TODO: remove?
|
||||||
rm -f $OBJ/authorized_principals_$USER
|
rm -f $OBJ/authorized_principals_$USER
|
||||||
(
|
(
|
||||||
cat $OBJ/sshd_proxy_bak
|
cat $OBJ/sshd_proxy_bak
|
||||||
echo "UsePrivilegeSeparation $privsep"
|
|
||||||
) > $OBJ/sshd_proxy
|
) > $OBJ/sshd_proxy
|
||||||
|
|
||||||
# Wrong principals list
|
# Wrong principals list
|
||||||
verbose "$tid: ${_prefix} wrong principals key option"
|
verbose "$tid: wrong principals key option"
|
||||||
(
|
(
|
||||||
printf 'cert-authority,principals="gregorsamsa" '
|
printf 'cert-authority,principals="gregorsamsa" '
|
||||||
cat $OBJ/user_ca_key.pub
|
cat $OBJ/user_ca_key.pub
|
||||||
@ -155,7 +156,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Correct principals list
|
# Correct principals list
|
||||||
verbose "$tid: ${_prefix} correct principals key option"
|
verbose "$tid: correct principals key option"
|
||||||
(
|
(
|
||||||
printf 'cert-authority,principals="mekmitasdigoat" '
|
printf 'cert-authority,principals="mekmitasdigoat" '
|
||||||
cat $OBJ/user_ca_key.pub
|
cat $OBJ/user_ca_key.pub
|
||||||
@ -165,8 +166,3 @@ if [ -x $PRINCIPALS_COMMAND ]; then
|
|||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
fail "ssh cert connect failed"
|
fail "ssh cert connect failed"
|
||||||
fi
|
fi
|
||||||
done
|
|
||||||
else
|
|
||||||
echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
|
|
||||||
"(/var/run mounted noexec?)"
|
|
||||||
fi
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user