tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-27 15:54:22 +02:00
Code Issues Packages Projects Releases Wiki Activity

upstream: Use ed25519 for most hostkey rotation tests since it's

Browse Source 
supported even when built without OpenSSL.  Use RSA for the secondary type
test if supported, otherwise skip it.  Fixes this test for !OpenSSL builds.

OpenBSD-Regress-ID: 101cb34a84fd974c623bdb2e496f25a6e91be109
This commit is contained in:
dtucker@openbsd.org 2019-08-30 05:08:28 +00:00 committed by Darren Tucker
parent 5e4796c47d
commit e50f808712
1 changed files with 44 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
regress/hostkey-rotate.sh
View File

@ -1,10 +1,10 @@
# $OpenBSD: hostkey-rotate.sh,v 1.5 2015/09/04 04:23:10 djm Exp $ # $OpenBSD: hostkey-rotate.sh,v 1.6 2019/08/30 05:08:28 dtucker Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="hostkey rotate" tid="hostkey rotate"
# Need full names here since they are used in HostKeyAlgorithms # Need full names here since they are used in HostKeyAlgorithms
HOSTKEY_TYPES="ecdsa-sha2-nistp256 ssh-ed25519 ssh-rsa ssh-dss" HOSTKEY_TYPES="`${SSH} -Q key-plain`"
rm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig rm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig
@ -12,15 +12,23 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
echo "UpdateHostkeys=yes" >> $OBJ/ssh_proxy echo "UpdateHostkeys=yes" >> $OBJ/ssh_proxy
rm $OBJ/known_hosts rm $OBJ/known_hosts
# The "primary" key type is ed25519 since it's supported even when built
# without OpenSSL. The secondary is RSA if it's supported.
primary="ssh-ed25519"
secondary="$primary"
trace "prepare hostkeys" trace "prepare hostkeys"
nkeys=0 nkeys=0
all_algs="" all_algs=""
for k in `${SSH} -Q key-plain` ; do for k in $HOSTKEY_TYPES; do
${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k" ${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k"
echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig
nkeys=`expr $nkeys + 1` nkeys=`expr $nkeys + 1`
test "x$all_algs" = "x" || all_algs="${all_algs}," test "x$all_algs" = "x" || all_algs="${all_algs},"
all_algs="${all_algs}$k" all_algs="${all_algs}$k"
case "$k" in
ssh-rsa) secondary="ssh-rsa" ;;
esac
done done
dossh() { dossh() {
@ -49,62 +57,68 @@ cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
# Connect to sshd with StrictHostkeyChecking=no # Connect to sshd with StrictHostkeyChecking=no
verbose "learn hostkey with StrictHostKeyChecking=no" verbose "learn hostkey with StrictHostKeyChecking=no"
>$OBJ/known_hosts >$OBJ/known_hosts
dossh -oHostKeyAlgorithms=ssh-ed25519 -oStrictHostKeyChecking=no dossh -oHostKeyAlgorithms=$primary -oStrictHostKeyChecking=no
# Verify no additional keys learned # Verify no additional keys learned
expect_nkeys 1 "unstrict connect keys" expect_nkeys 1 "unstrict connect keys"
check_key_present ssh-ed25519 || fail "unstrict didn't learn key" check_key_present $primary || fail "unstrict didn't learn key"
# Connect to sshd as usual # Connect to sshd as usual
verbose "learn additional hostkeys" verbose "learn additional hostkeys"
dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs
# Check that other keys learned # Check that other keys learned
expect_nkeys $nkeys "learn hostkeys" expect_nkeys $nkeys "learn hostkeys"
check_key_present ssh-rsa || fail "didn't learn keys" for k in $HOSTKEY_TYPES; do
check_key_present $k || fail "didn't learn keytype $k"
done
# Check each key type # Check each key type
for k in `${SSH} -Q key-plain` ; do for k in $HOSTKEY_TYPES; do
verbose "learn additional hostkeys, type=$k" verbose "learn additional hostkeys, type=$k"
dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs
expect_nkeys $nkeys "learn hostkeys $k" expect_nkeys $nkeys "learn hostkeys $k"
check_key_present $k || fail "didn't learn $k" check_key_present $k || fail "didn't learn $k correctly"
done done
# Change one hostkey (non primary) and relearn # Change one hostkey (non primary) and relearn
verbose "learn changed non-primary hostkey" if [ "$primary" != "$secondary" ]; then
mv $OBJ/hkr.ssh-rsa.pub $OBJ/hkr.ssh-rsa.pub.old verbose "learn changed non-primary hostkey type=${secondary}"
rm -f $OBJ/hkr.ssh-rsa mv $OBJ/hkr.${secondary}.pub $OBJ/hkr.${secondary}.pub.old
${SSHKEYGEN} -qt ssh-rsa -f $OBJ/hkr.ssh-rsa -N '' || fatal "ssh-keygen $k" rm -f $OBJ/hkr.${secondary}
${SSHKEYGEN} -qt ${secondary} -f $OBJ/hkr.${secondary} -N '' || \
fatal "ssh-keygen $secondary"
dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs
# Check that the key was replaced # Check that the key was replaced
expect_nkeys $nkeys "learn hostkeys" expect_nkeys $nkeys "learn hostkeys"
check_key_present ssh-rsa $OBJ/hkr.ssh-rsa.pub.old && fail "old key present" check_key_present ${secondary} $OBJ/hkr.${secondary}.pub.old && \
check_key_present ssh-rsa || fail "didn't learn changed key" fail "old key present"
check_key_present ${secondary} || fail "didn't learn changed key"
fi
# Add new hostkey (primary type) to sshd and connect # Add new hostkey (primary type) to sshd and connect
verbose "learn new primary hostkey" verbose "learn new primary hostkey"
${SSHKEYGEN} -qt ssh-rsa -f $OBJ/hkr.ssh-rsa-new -N '' || fatal "ssh-keygen $k" ${SSHKEYGEN} -qt ${primary} -f $OBJ/hkr.${primary}-new -N '' || fatal "ssh-keygen ed25519"
( cat $OBJ/sshd_proxy.orig ; echo HostKey $OBJ/hkr.ssh-rsa-new ) \ ( cat $OBJ/sshd_proxy.orig ; echo HostKey $OBJ/hkr.${primary}-new ) \
> $OBJ/sshd_proxy > $OBJ/sshd_proxy
# Check new hostkey added # Check new hostkey added
dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa,$all_algs dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=${primary},$all_algs
expect_nkeys `expr $nkeys + 1` "learn hostkeys" expect_nkeys `expr $nkeys + 1` "learn hostkeys"
check_key_present ssh-rsa || fail "current key missing" check_key_present ${primary} || fail "current key missing"
check_key_present ssh-rsa $OBJ/hkr.ssh-rsa-new.pub || fail "new key missing" check_key_present ${primary} $OBJ/hkr.${primary}-new.pub || fail "new key missing"
# Remove old hostkey (primary type) from sshd # Remove old hostkey (primary type) from sshd
verbose "rotate primary hostkey" verbose "rotate primary hostkey"
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
mv $OBJ/hkr.ssh-rsa.pub $OBJ/hkr.ssh-rsa.pub.old mv $OBJ/hkr.${primary}.pub $OBJ/hkr.${primary}.pub.old
mv $OBJ/hkr.ssh-rsa-new.pub $OBJ/hkr.ssh-rsa.pub mv $OBJ/hkr.${primary}-new.pub $OBJ/hkr.${primary}.pub
mv $OBJ/hkr.ssh-rsa-new $OBJ/hkr.ssh-rsa mv $OBJ/hkr.${primary}-new $OBJ/hkr.${primary}
# Check old hostkey removed # Check old hostkey removed
dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa,$all_algs dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=${primary},$all_algs
expect_nkeys $nkeys "learn hostkeys" expect_nkeys $nkeys "learn hostkeys"
check_key_present ssh-rsa $OBJ/hkr.ssh-rsa.pub.old && fail "old key present" check_key_present ${primary} $OBJ/hkr.${primary}.pub.old && fail "old key present"
check_key_present ssh-rsa || fail "didn't learn changed key" check_key_present ${primary} || fail "didn't learn changed key"
# Connect again, forcing rotated key # Connect again, forcing rotated key
verbose "check rotate primary hostkey" verbose "check rotate primary hostkey"
dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=${primary}
expect_nkeys 1 "learn hostkeys" expect_nkeys 1 "learn hostkeys"
check_key_present ssh-rsa || fail "didn't learn changed key" check_key_present ${primary} || fail "didn't learn changed key"