upstream: test security key host keys in addition to user keys
OpenBSD-Regress-ID: 9fb45326106669a27e4bf150575c321806e275b1
This commit is contained in:
parent
40be78f503
commit
e5b7cf8edc
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: cert-hostkey.sh,v 1.21 2019/12/11 18:47:14 djm Exp $
|
||||
# $OpenBSD: cert-hostkey.sh,v 1.22 2019/12/16 02:39:05 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="certified host keys"
|
||||
|
@ -9,7 +9,7 @@ rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
|
|||
# Allow all hostkey/pubkey types, prefer certs for the client
|
||||
rsa=0
|
||||
types=""
|
||||
for i in `$SSH -Q key | filter_sk`; do
|
||||
for i in `$SSH -Q key | maybe_filter_sk`; do
|
||||
if [ -z "$types" ]; then
|
||||
types="$i"
|
||||
continue
|
||||
|
@ -70,7 +70,7 @@ touch $OBJ/host_revoked_plain
|
|||
touch $OBJ/host_revoked_cert
|
||||
cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
|
||||
|
||||
PLAIN_TYPES=`$SSH -Q key-plain | filter_sk | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
|
||||
PLAIN_TYPES=`echo "$SSH_KEYTYPES" | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
|
||||
|
||||
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
|
||||
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
|
||||
|
|
|
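Review bot: The host-key type list is derived from `$SSH_KEYTYPES` (the `PLAIN_TYPES=` line in the third hunk of this file), even though test-exec.sh in this same commit keeps a separate `SSH_HOSTKEY_TYPES` variable; the two lists are identical after the change, but a host-key test should read the host-key variable so that any later divergence is tracked by the right tests. The same applies to the `for k in $SSH_KEYTYPES` loops in hostkey-agent.sh and the `for i`/`for t in $SSH_KEYTYPES` loops in keyscan.sh, which also generate or scan host keys. I would change the line to `PLAIN_TYPES=\`echo "$SSH_HOSTKEY_TYPES" | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'\`` and the loops accordingly. The first hunk still pipes `$SSH -Q key` through `maybe_filter_sk` rather than using either variable, which appears intentional since that list includes certificate types; the rendered view has lost the +/- markers, so the sides are inferred from the hunk counts.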
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: hostkey-agent.sh,v 1.10 2019/12/11 18:47:14 djm Exp $
|
||||
# $OpenBSD: hostkey-agent.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="hostkey agent"
|
||||
|
@ -14,7 +14,7 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
|
|||
echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig
|
||||
|
||||
trace "load hostkeys"
|
||||
for k in `${SSH} -Q key-plain | filter_sk` ; do
|
||||
for k in $SSH_KEYTYPES ; do
|
||||
${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
|
||||
(
|
||||
printf 'localhost-with-alias,127.0.0.1,::1 '
|
||||
|
@ -31,7 +31,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts
|
|||
unset SSH_AUTH_SOCK
|
||||
|
||||
for ps in yes; do
|
||||
for k in `${SSH} -Q key-plain | filter_sk` ; do
|
||||
for k in $SSH_KEYTYPES ; do
|
||||
verbose "key type $k privsep=$ps"
|
||||
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
|
||||
echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: keygen-change.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
|
||||
# $OpenBSD: keygen-change.sh,v 1.9 2019/12/16 02:39:05 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="change passphrase for key"
|
||||
|
@ -6,9 +6,7 @@ tid="change passphrase for key"
|
|||
S1="secret1"
|
||||
S2="2secret"
|
||||
|
||||
KEYTYPES=`${SSH} -Q key-plain | maybe_filter_sk`
|
||||
|
||||
for t in $KEYTYPES; do
|
||||
for t in $SSH_KEYTYPES; do
|
||||
trace "generating $t key"
|
||||
rm -f $OBJ/$t-key
|
||||
${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key
|
||||
|
|
|
@ -1,10 +1,9 @@
|
|||
# $OpenBSD: keyscan.sh,v 1.11 2019/11/26 23:43:10 djm Exp $
|
||||
# $OpenBSD: keyscan.sh,v 1.12 2019/12/16 02:39:05 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="keyscan"
|
||||
|
||||
KEYTYPES=`${SSH} -Q key-plain | filter_sk`
|
||||
for i in $KEYTYPES; do
|
||||
for i in $SSH_KEYTYPES; do
|
||||
if [ -z "$algs" ]; then
|
||||
algs="$i"
|
||||
else
|
||||
|
@ -15,7 +14,7 @@ echo "HostKeyAlgorithms $algs" >> $OBJ/sshd_config
|
|||
|
||||
start_sshd
|
||||
|
||||
for t in $KEYTYPES; do
|
||||
for t in $SSH_KEYTYPES; do
|
||||
trace "keyscan type $t"
|
||||
${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \
|
||||
> /dev/null 2>&1
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: keytype.sh,v 1.9 2019/11/26 23:43:10 djm Exp $
|
||||
# $OpenBSD: keytype.sh,v 1.10 2019/12/16 02:39:05 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="login with different key types"
|
||||
|
@ -50,11 +50,7 @@ kname_to_ktype() {
|
|||
tries="1 2 3"
|
||||
for ut in $ktypes; do
|
||||
user_type=`kname_to_ktype "$ut"`
|
||||
# SK keys are not supported for hostkeys.
|
||||
case "$ut" in
|
||||
*sk) htypes=ed25519-512;;
|
||||
*) htypes="$ut";;
|
||||
esac
|
||||
htypes="$ut"
|
||||
#htypes=$ktypes
|
||||
for ht in $htypes; do
|
||||
host_type=`kname_to_ktype "$ht"`
|
||||
|
|
|
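Review bot: The commented-out `#htypes=$ktypes` line directly below the new `htypes="$ut"` is left behind once the SK special case is dropped, and it now reads as dead code rather than an explanation. Either remove it or replace it with a comment stating the intent, e.g. `# Only the host key type matching the user key type is exercised; the full cross product is intentionally skipped.` The enclosing `for ut in $ktypes` loop continues past the end of this hunk.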
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: krl.sh,v 1.10 2019/11/26 23:43:10 djm Exp $
|
||||
# $OpenBSD: krl.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="key revocation lists"
|
||||
|
@ -7,7 +7,7 @@ tid="key revocation lists"
|
|||
# w/out OpenSSL. Populate ktype[2-4] with the other types if supported.
|
||||
ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
|
||||
ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
|
||||
for t in `${SSH} -Q key-plain | maybe_filter_sk`; do
|
||||
for t in $SSH_KEYTYPES; do
|
||||
case "$t" in
|
||||
ecdsa*) ktype2=ecdsa ;;
|
||||
ssh-rsa) ktype3=rsa ;;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: limit-keytype.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
|
||||
# $OpenBSD: limit-keytype.sh,v 1.9 2019/12/16 02:39:05 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="restrict pubkey type"
|
||||
|
@ -13,7 +13,7 @@ mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
|
|||
|
||||
ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
|
||||
ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
|
||||
for t in `${SSH} -Q key-plain | maybe_filter_sk`; do
|
||||
for t in $SSH_KEYTYPES ; do
|
||||
case "$t" in
|
||||
ssh-rsa) ktype2=rsa ;;
|
||||
ecdsa*) ktype3=ecdsa ;; # unused
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: principals-command.sh,v 1.10 2019/12/11 18:47:14 djm Exp $
|
||||
# $OpenBSD: principals-command.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="authorized principals command"
|
||||
|
@ -12,7 +12,7 @@ if [ -z "$SUDO" -a ! -w /var/run ]; then
|
|||
exit 0
|
||||
fi
|
||||
|
||||
case "`${SSH} -Q key-plain`" in
|
||||
case "$SSH_KEYTYPES" in
|
||||
*ssh-rsa*) userkeytype=rsa ;;
|
||||
*) userkeytype=ed25519 ;;
|
||||
esac
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: test-exec.sh,v 1.68 2019/11/26 23:43:10 djm Exp $
|
||||
# $OpenBSD: test-exec.sh,v 1.69 2019/12/16 02:39:05 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
#SUDO=sudo
|
||||
|
@ -493,23 +493,21 @@ export SSH_SK_PROVIDER
|
|||
if ! test -z "$SSH_SK_PROVIDER"; then
|
||||
EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)...
|
||||
echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config
|
||||
echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_config
|
||||
echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_proxy
|
||||
fi
|
||||
export EXTRA_AGENT_ARGS
|
||||
|
||||
filter_sk() {
|
||||
grep -v ^sk
|
||||
}
|
||||
|
||||
maybe_filter_sk() {
|
||||
if test -z "$SSH_SK_PROVIDER" ; then
|
||||
filter_sk
|
||||
grep -v ^sk
|
||||
else
|
||||
cat
|
||||
fi
|
||||
}
|
||||
|
||||
SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk`
|
||||
SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | filter_sk`
|
||||
SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk`
|
||||
|
||||
for t in ${SSH_KEYTYPES}; do
|
||||
# generate user key
|
||||
|
|
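Review bot: After this change `SSH_HOSTKEY_TYPES` is computed by exactly the same pipeline as `SSH_KEYTYPES` two lines above, so `$SSH -Q key-plain` is run twice to produce one list and a reader cannot tell whether the duplication is deliberate. I would write `SSH_HOSTKEY_TYPES="$SSH_KEYTYPES"` with a comment such as `# host keys are tested with the same types as user keys, including sk-* when a provider is configured`, so the relationship is explicit and the variables can still diverge later. The `grep -v ^sk` in `maybe_filter_sk` should quote its pattern, `grep -v '^sk'`, matching the style used elsewhere in the regress scripts. The rendered view has lost the +/- markers, so whether `filter_sk` itself is removed in this hunk or merely no longer called cannot be confirmed here; if it survives it is now unused by any script in this commit.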