mirror of
https://github.com/PowerShell/openssh-portable.git
synced 2025-07-27 15:54:22 +02:00
upstream: test security key host keys in addition to user keys
OpenBSD-Regress-ID: 9fb45326106669a27e4bf150575c321806e275b1
This commit is contained in:
djm@openbsd.org
Damien Miller
parent
40be78f503
commit
e5b7cf8edc
@ -1,4 +1,4 @@
|
|||||||
# $OpenBSD: cert-hostkey.sh,v 1.21 2019/12/11 18:47:14 djm Exp $
|
# $OpenBSD: cert-hostkey.sh,v 1.22 2019/12/16 02:39:05 djm Exp $
|
||||||
# Placed in the Public Domain.
|
# Placed in the Public Domain.
|
||||||
|
|
||||||
tid="certified host keys"
|
tid="certified host keys"
|
||||||
@ -9,7 +9,7 @@ rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
|
|||||||
# Allow all hostkey/pubkey types, prefer certs for the client
|
# Allow all hostkey/pubkey types, prefer certs for the client
|
||||||
rsa=0
|
rsa=0
|
||||||
types=""
|
types=""
|
||||||
for i in `$SSH -Q key | filter_sk`; do
|
for i in `$SSH -Q key | maybe_filter_sk`; do
|
||||||
if [ -z "$types" ]; then
|
if [ -z "$types" ]; then
|
||||||
types="$i"
|
types="$i"
|
||||||
continue
|
continue
|
||||||
@ -70,7 +70,7 @@ touch $OBJ/host_revoked_plain
|
|||||||
touch $OBJ/host_revoked_cert
|
touch $OBJ/host_revoked_cert
|
||||||
cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
|
cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
|
||||||
|
|
||||||
PLAIN_TYPES=`$SSH -Q key-plain | filter_sk | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
|
PLAIN_TYPES=`echo "$SSH_KEYTYPES" | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
|
||||||
|
|
||||||
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
|
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
|
||||||
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
|
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
|
||||||
|
|||||||
@ -1,4 +1,4 @@
|
|||||||
# $OpenBSD: hostkey-agent.sh,v 1.10 2019/12/11 18:47:14 djm Exp $
|
# $OpenBSD: hostkey-agent.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
|
||||||
# Placed in the Public Domain.
|
# Placed in the Public Domain.
|
||||||
|
|
||||||
tid="hostkey agent"
|
tid="hostkey agent"
|
||||||
@ -14,7 +14,7 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
|
|||||||
echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig
|
echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig
|
||||||
|
|
||||||
trace "load hostkeys"
|
trace "load hostkeys"
|
||||||
for k in `${SSH} -Q key-plain | filter_sk` ; do
|
for k in $SSH_KEYTYPES ; do
|
||||||
${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
|
${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
|
||||||
(
|
(
|
||||||
printf 'localhost-with-alias,127.0.0.1,::1 '
|
printf 'localhost-with-alias,127.0.0.1,::1 '
|
||||||
@ -31,7 +31,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts
|
|||||||
unset SSH_AUTH_SOCK
|
unset SSH_AUTH_SOCK
|
||||||
|
|
||||||
for ps in yes; do
|
for ps in yes; do
|
||||||
for k in `${SSH} -Q key-plain | filter_sk` ; do
|
for k in $SSH_KEYTYPES ; do
|
||||||
verbose "key type $k privsep=$ps"
|
verbose "key type $k privsep=$ps"
|
||||||
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
|
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
|
||||||
echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
|
echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
|
||||||
|
|||||||
@ -1,4 +1,4 @@
|
|||||||
# $OpenBSD: keygen-change.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
|
# $OpenBSD: keygen-change.sh,v 1.9 2019/12/16 02:39:05 djm Exp $
|
||||||
# Placed in the Public Domain.
|
# Placed in the Public Domain.
|
||||||
|
|
||||||
tid="change passphrase for key"
|
tid="change passphrase for key"
|
||||||
@ -6,9 +6,7 @@ tid="change passphrase for key"
|
|||||||
S1="secret1"
|
S1="secret1"
|
||||||
S2="2secret"
|
S2="2secret"
|
||||||
|
|
||||||
KEYTYPES=`${SSH} -Q key-plain | maybe_filter_sk`
|
for t in $SSH_KEYTYPES; do
|
||||||
|
|
||||||
for t in $KEYTYPES; do
|
|
||||||
trace "generating $t key"
|
trace "generating $t key"
|
||||||
rm -f $OBJ/$t-key
|
rm -f $OBJ/$t-key
|
||||||
${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key
|
${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key
|
||||||
|
|||||||
@ -1,10 +1,9 @@
|
|||||||
# $OpenBSD: keyscan.sh,v 1.11 2019/11/26 23:43:10 djm Exp $
|
# $OpenBSD: keyscan.sh,v 1.12 2019/12/16 02:39:05 djm Exp $
|
||||||
# Placed in the Public Domain.
|
# Placed in the Public Domain.
|
||||||
|
|
||||||
tid="keyscan"
|
tid="keyscan"
|
||||||
|
|
||||||
KEYTYPES=`${SSH} -Q key-plain | filter_sk`
|
for i in $SSH_KEYTYPES; do
|
||||||
for i in $KEYTYPES; do
|
|
||||||
if [ -z "$algs" ]; then
|
if [ -z "$algs" ]; then
|
||||||
algs="$i"
|
algs="$i"
|
||||||
else
|
else
|
||||||
@ -15,7 +14,7 @@ echo "HostKeyAlgorithms $algs" >> $OBJ/sshd_config
|
|||||||
|
|
||||||
start_sshd
|
start_sshd
|
||||||
|
|
||||||
for t in $KEYTYPES; do
|
for t in $SSH_KEYTYPES; do
|
||||||
trace "keyscan type $t"
|
trace "keyscan type $t"
|
||||||
${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \
|
${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \
|
||||||
> /dev/null 2>&1
|
> /dev/null 2>&1
|
||||||
|
|||||||
@ -1,4 +1,4 @@
|
|||||||
# $OpenBSD: keytype.sh,v 1.9 2019/11/26 23:43:10 djm Exp $
|
# $OpenBSD: keytype.sh,v 1.10 2019/12/16 02:39:05 djm Exp $
|
||||||
# Placed in the Public Domain.
|
# Placed in the Public Domain.
|
||||||
|
|
||||||
tid="login with different key types"
|
tid="login with different key types"
|
||||||
@ -50,11 +50,7 @@ kname_to_ktype() {
|
|||||||
tries="1 2 3"
|
tries="1 2 3"
|
||||||
for ut in $ktypes; do
|
for ut in $ktypes; do
|
||||||
user_type=`kname_to_ktype "$ut"`
|
user_type=`kname_to_ktype "$ut"`
|
||||||
# SK keys are not supported for hostkeys.
|
htypes="$ut"
|
||||||
case "$ut" in
|
|
||||||
*sk) htypes=ed25519-512;;
|
|
||||||
*) htypes="$ut";;
|
|
||||||
esac
|
|
||||||
#htypes=$ktypes
|
#htypes=$ktypes
|
||||||
for ht in $htypes; do
|
for ht in $htypes; do
|
||||||
host_type=`kname_to_ktype "$ht"`
|
host_type=`kname_to_ktype "$ht"`
|
||||||
|
|||||||
@ -1,4 +1,4 @@
|
|||||||
# $OpenBSD: krl.sh,v 1.10 2019/11/26 23:43:10 djm Exp $
|
# $OpenBSD: krl.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
|
||||||
# Placed in the Public Domain.
|
# Placed in the Public Domain.
|
||||||
|
|
||||||
tid="key revocation lists"
|
tid="key revocation lists"
|
||||||
@ -7,7 +7,7 @@ tid="key revocation lists"
|
|||||||
# w/out OpenSSL. Populate ktype[2-4] with the other types if supported.
|
# w/out OpenSSL. Populate ktype[2-4] with the other types if supported.
|
||||||
ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
|
ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
|
||||||
ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
|
ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
|
||||||
for t in `${SSH} -Q key-plain | maybe_filter_sk`; do
|
for t in $SSH_KEYTYPES; do
|
||||||
case "$t" in
|
case "$t" in
|
||||||
ecdsa*) ktype2=ecdsa ;;
|
ecdsa*) ktype2=ecdsa ;;
|
||||||
ssh-rsa) ktype3=rsa ;;
|
ssh-rsa) ktype3=rsa ;;
|
||||||
|
|||||||
@ -1,4 +1,4 @@
|
|||||||
# $OpenBSD: limit-keytype.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
|
# $OpenBSD: limit-keytype.sh,v 1.9 2019/12/16 02:39:05 djm Exp $
|
||||||
# Placed in the Public Domain.
|
# Placed in the Public Domain.
|
||||||
|
|
||||||
tid="restrict pubkey type"
|
tid="restrict pubkey type"
|
||||||
@ -13,7 +13,7 @@ mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
|
|||||||
|
|
||||||
ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
|
ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
|
||||||
ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
|
ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
|
||||||
for t in `${SSH} -Q key-plain | maybe_filter_sk`; do
|
for t in $SSH_KEYTYPES ; do
|
||||||
case "$t" in
|
case "$t" in
|
||||||
ssh-rsa) ktype2=rsa ;;
|
ssh-rsa) ktype2=rsa ;;
|
||||||
ecdsa*) ktype3=ecdsa ;; # unused
|
ecdsa*) ktype3=ecdsa ;; # unused
|
||||||
|
|||||||
@ -1,4 +1,4 @@
|
|||||||
# $OpenBSD: principals-command.sh,v 1.10 2019/12/11 18:47:14 djm Exp $
|
# $OpenBSD: principals-command.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
|
||||||
# Placed in the Public Domain.
|
# Placed in the Public Domain.
|
||||||
|
|
||||||
tid="authorized principals command"
|
tid="authorized principals command"
|
||||||
@ -12,7 +12,7 @@ if [ -z "$SUDO" -a ! -w /var/run ]; then
|
|||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
case "`${SSH} -Q key-plain`" in
|
case "$SSH_KEYTYPES" in
|
||||||
*ssh-rsa*) userkeytype=rsa ;;
|
*ssh-rsa*) userkeytype=rsa ;;
|
||||||
*) userkeytype=ed25519 ;;
|
*) userkeytype=ed25519 ;;
|
||||||
esac
|
esac
|
||||||
|
|||||||
@ -1,4 +1,4 @@
|
|||||||
# $OpenBSD: test-exec.sh,v 1.68 2019/11/26 23:43:10 djm Exp $
|
# $OpenBSD: test-exec.sh,v 1.69 2019/12/16 02:39:05 djm Exp $
|
||||||
# Placed in the Public Domain.
|
# Placed in the Public Domain.
|
||||||
|
|
||||||
#SUDO=sudo
|
#SUDO=sudo
|
||||||
@ -493,23 +493,21 @@ export SSH_SK_PROVIDER
|
|||||||
if ! test -z "$SSH_SK_PROVIDER"; then
|
if ! test -z "$SSH_SK_PROVIDER"; then
|
||||||
EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)...
|
EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)...
|
||||||
echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config
|
echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config
|
||||||
|
echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_config
|
||||||
|
echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_proxy
|
||||||
fi
|
fi
|
||||||
export EXTRA_AGENT_ARGS
|
export EXTRA_AGENT_ARGS
|
||||||
|
|
||||||
filter_sk() {
|
|
||||||
grep -v ^sk
|
|
||||||
}
|
|
||||||
|
|
||||||
maybe_filter_sk() {
|
maybe_filter_sk() {
|
||||||
if test -z "$SSH_SK_PROVIDER" ; then
|
if test -z "$SSH_SK_PROVIDER" ; then
|
||||||
filter_sk
|
grep -v ^sk
|
||||||
else
|
else
|
||||||
cat
|
cat
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk`
|
SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk`
|
||||||
SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | filter_sk`
|
SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk`
|
||||||
|
|
||||||
for t in ${SSH_KEYTYPES}; do
|
for t in ${SSH_KEYTYPES}; do
|
||||||
# generate user key
|
# generate user key
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user