-# $OpenBSD: agent-getpeereid.sh,v 1.10 2018/02/09 03:40:22 dtucker Exp $
+# $OpenBSD: agent-getpeereid.sh,v 1.11 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="disallow agent attach from other uid"
esac
trace "start agent"
-eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s -a ${ASOCK}` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fail "could not start ssh-agent: exit code $r"
-# $OpenBSD: agent-pkcs11.sh,v 1.6 2019/01/21 09:13:41 djm Exp $
+# $OpenBSD: agent-pkcs11.sh,v 1.7 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="pkcs11 agent test"
softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" --import /dev/stdin
trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fail "could not start ssh-agent: exit code $r"
fi
trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fail "could not start ssh-agent: exit code $r"
-# $OpenBSD: agent-timeout.sh,v 1.5 2019/09/03 08:37:06 djm Exp $
+# $OpenBSD: agent-timeout.sh,v 1.6 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="agent timeout test"
SSHAGENT_TIMEOUT=10
trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+eval `${SSHAGENT} -s ${EXTRA_AGENT_ARGS}` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fail "could not start ssh-agent: exit code $r"
-# $OpenBSD: agent.sh,v 1.15 2019/07/23 07:39:43 dtucker Exp $
+# $OpenBSD: agent.sh,v 1.16 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="simple agent test"
fail "ssh-add -l did not fail with exit code 2"
fi
-trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+trace "start agent, args ${EXTRA_AGENT_ARGS} -s"
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fatal "could not start ssh-agent: exit code $r"
# add to authorized keys
cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
# add privat key to agent
- ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
+ ${SSHADD} $OBJ/$t-agent #> /dev/null 2>&1
if [ $? -ne 0 ]; then
- fail "ssh-add did succeed exit code 0"
+ fail "ssh-add failed exit code $?"
fi
# Remove private key to ensure that we aren't accidentally using it.
rm -f $OBJ/$t-agent
-# $OpenBSD: cert-file.sh,v 1.7 2018/04/10 00:14:10 djm Exp $
+# $OpenBSD: cert-file.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="ssh with certificates"
fi
trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fatal "could not start ssh-agent: exit code $r"
-# $OpenBSD: cert-hostkey.sh,v 1.19 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.20 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="certified host keys"
# Allow all hostkey/pubkey types, prefer certs for the client
rsa=0
types=""
-for i in `$SSH -Q key | grep -v ^sk-`; do
+for i in `$SSH -Q key | filter_sk`; do
if [ -z "$types" ]; then
types="$i"
continue
touch $OBJ/host_revoked_cert
cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
-PLAIN_TYPES=`$SSH -Q key-plain | grep -v ^sk- | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
+PLAIN_TYPES=`$SSH -Q key-plain | filter_sk | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
-# $OpenBSD: cert-userkey.sh,v 1.22 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: cert-userkey.sh,v 1.23 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="certified user keys"
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
-PLAIN_TYPES=`$SSH -Q key-plain | grep -v ^sk- | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
+PLAIN_TYPES=`$SSH -Q key-plain | maybe_filter_sk | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
EXTRA_TYPES=""
rsa=""
fi
kname() {
- case $ktype in
- rsa-sha2-*) n="$ktype" ;;
+ case $1 in
+ rsa-sha2-*) n="$1" ;;
+ sk-ecdsa-*) n="sk-ecdsa" ;;
+ sk-ssh-ed25519*) n="sk-ssh-ed25519" ;;
# subshell because some seds will add a newline
*) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;;
esac
-# $OpenBSD: hostkey-agent.sh,v 1.8 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: hostkey-agent.sh,v 1.9 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="hostkey agent"
rm -f $OBJ/agent-key.* $OBJ/ssh_proxy.orig $OBJ/known_hosts.orig
trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
r=$?
[ $r -ne 0 ] && fatal "could not start ssh-agent: exit code $r"
echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig
trace "load hostkeys"
-for k in `${SSH} -Q key-plain | grep -v ^sk-` ; do
+for k in `${SSH} -Q key-plain | filter_sk` ; do
${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
(
printf 'localhost-with-alias,127.0.0.1,::1 '
unset SSH_AUTH_SOCK
for ps in no yes; do
- for k in `${SSH} -Q key-plain | grep -v ^sk-` ; do
+ for k in `${SSH} -Q key-plain | filter_sk` ; do
verbose "key type $k privsep=$ps"
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
-# $OpenBSD: hostkey-rotate.sh,v 1.7 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: hostkey-rotate.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="hostkey rotate"
-# Need full names here since they are used in HostKeyAlgorithms
-HOSTKEY_TYPES="`${SSH} -Q key-plain | grep -v ^sk-`"
-
rm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig
grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
trace "prepare hostkeys"
nkeys=0
all_algs=""
-for k in $HOSTKEY_TYPES; do
+for k in $SSH_HOSTKEY_TYPES; do
${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k"
echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig
nkeys=`expr $nkeys + 1`
dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs
# Check that other keys learned
expect_nkeys $nkeys "learn hostkeys"
-for k in $HOSTKEY_TYPES; do
+for k in $SSH_HOSTKEY_TYPES; do
check_key_present $k || fail "didn't learn keytype $k"
done
# Check each key type
-for k in $HOSTKEY_TYPES; do
+for k in $SSH_HOSTKEY_TYPES; do
verbose "learn additional hostkeys, type=$k"
dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs
expect_nkeys $nkeys "learn hostkeys $k"
-# $OpenBSD: keygen-change.sh,v 1.7 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: keygen-change.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="change passphrase for key"
S1="secret1"
S2="2secret"
-KEYTYPES=`${SSH} -Q key-plain | grep -v ^sk-`
+KEYTYPES=`${SSH} -Q key-plain | maybe_filter_sk`
for t in $KEYTYPES; do
- # generate user key for agent
trace "generating $t key"
rm -f $OBJ/$t-key
${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key
-# $OpenBSD: keyscan.sh,v 1.10 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: keyscan.sh,v 1.11 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="keyscan"
-KEYTYPES=`${SSH} -Q key-plain | grep -v ^sk-`
+KEYTYPES=`${SSH} -Q key-plain | filter_sk`
for i in $KEYTYPES; do
if [ -z "$algs" ]; then
algs="$i"
-# $OpenBSD: keytype.sh,v 1.8 2019/07/23 13:49:14 dtucker Exp $
+# $OpenBSD: keytype.sh,v 1.9 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="login with different key types"
ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;;
ecdsa-sha2-nistp384) ktypes="$ktypes ecdsa-384" ;;
ecdsa-sha2-nistp521) ktypes="$ktypes ecdsa-521" ;;
+ sk-ssh-ed25519*) ktypes="$ktypes ed25519-sk" ;;
+ sk-ecdsa-sha2-nistp256*) ktypes="$ktypes ecdsa-sk" ;;
esac
done
for kt in $ktypes; do
rm -f $OBJ/key.$kt
- bits=`echo ${kt} | awk -F- '{print $2}'`
- type=`echo ${kt} | awk -F- '{print $1}'`
+ xbits=`echo ${kt} | awk -F- '{print $2}'`
+ xtype=`echo ${kt} | awk -F- '{print $1}'`
+ case "$kt" in
+ *sk) type="$kt"; bits="n/a"; bits_arg="";;
+ *) type=$xtype; bits=$xbits; bits_arg="-b $bits";;
+ esac
verbose "keygen $type, $bits bits"
- ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\
+ ${SSHKEYGEN} $bits_arg -q -N '' -t $type -f $OBJ/key.$kt || \
fail "ssh-keygen for type $type, $bits bits failed"
done
+kname_to_ktype() {
+ case $1 in
+ dsa-1024) echo ssh-dss;;
+ ecdsa-256) echo ecdsa-sha2-nistp256;;
+ ecdsa-384) echo ecdsa-sha2-nistp384;;
+ ecdsa-521) echo ecdsa-sha2-nistp521;;
+ ed25519-512) echo ssh-ed25519;;
+ rsa-*) echo rsa-sha2-512,rsa-sha2-256,ssh-rsa;;
+ ed25519-sk) echo sk-ssh-ed25519@openssh.com;;
+ ecdsa-sk) echo sk-ecdsa-sha2-nistp256@openssh.com;;
+ esac
+}
+
tries="1 2 3"
for ut in $ktypes; do
- htypes=$ut
+ user_type=`kname_to_ktype "$ut"`
+ # SK keys are not supported for hostkeys.
+ case "$ut" in
+ *sk) htypes=ed25519-512;;
+ *) htypes="$ut";;
+ esac
#htypes=$ktypes
for ht in $htypes; do
- case $ht in
- dsa-1024) t=ssh-dss;;
- ecdsa-256) t=ecdsa-sha2-nistp256;;
- ecdsa-384) t=ecdsa-sha2-nistp384;;
- ecdsa-521) t=ecdsa-sha2-nistp521;;
- ed25519-512) t=ssh-ed25519;;
- rsa-*) t=rsa-sha2-512,rsa-sha2-256,ssh-rsa;;
- esac
+ host_type=`kname_to_ktype "$ht"`
trace "ssh connect, userkey $ut, hostkey $ht"
(
grep -v HostKey $OBJ/sshd_proxy_bak
echo HostKey $OBJ/key.$ht
- echo PubkeyAcceptedKeyTypes $t
- echo HostKeyAlgorithms $t
+ echo PubkeyAcceptedKeyTypes $user_type
+ echo HostKeyAlgorithms $host_type
) > $OBJ/sshd_proxy
(
grep -v IdentityFile $OBJ/ssh_proxy_bak
echo IdentityFile $OBJ/key.$ut
- echo PubkeyAcceptedKeyTypes $t
- echo HostKeyAlgorithms $t
+ echo PubkeyAcceptedKeyTypes $user_type
+ echo HostKeyAlgorithms $host_type
) > $OBJ/ssh_proxy
(
printf 'localhost-with-alias,127.0.0.1,::1 '
-# $OpenBSD: krl.sh,v 1.9 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: krl.sh,v 1.10 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="key revocation lists"
# Use ed25519 by default since it's fast and it's supported when building
# w/out OpenSSL. Populate ktype[2-4] with the other types if supported.
-ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; ktype4=ed25519
-for t in `${SSH} -Q key-plain | grep -v ^sk-`; do
+ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
+ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
+for t in `${SSH} -Q key-plain | maybe_filter_sk`; do
case "$t" in
ecdsa*) ktype2=ecdsa ;;
ssh-rsa) ktype3=rsa ;;
ssh-dss) ktype4=dsa ;;
+ sk-ssh-ed25519@openssh.com) ktype5=ed25519-sk ;;
+ sk-ecdsa-sha2-nistp256@openssh.com) ktype6=ecdsa-sk ;;
esac
done
serial: 15
serial: 30
serial: 50
+serial: 90
serial: 999
# The following sum to 500-799
serial: 500
# A specification that revokes some certificated by key ID.
touch $OBJ/revoked-keyid
-for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
+for n in 1 2 3 4 10 15 30 50 90 `jot 500 300` 999 1000 1001 1002; do
test "x$n" = "x499" && continue
# Fill in by-ID revocation spec.
echo "id: revoked $n" >> $OBJ/revoked-keyid
# supported.
keytype=$ktype1
case $N in
- 2 | 10 | 510 | 1001) keytype=$ktype2 ;;
- 4 | 30 | 520 | 1002) keytype=$ktype3 ;;
- 8 | 50 | 530 | 1003) keytype=$ktype4 ;;
+ 2 | 10 | 510 | 1001) keytype=$ktype2 ;;
+ 4 | 30 | 520 | 1002) keytype=$ktype3 ;;
+ 8 | 50 | 530 | 1003) keytype=$ktype4 ;;
+ 16 | 70 | 540 | 1004) keytype=$ktype5 ;;
+ 32 | 90 | 550 | 1005) keytype=$ktype6 ;;
esac
$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
|| fatal "$SSHKEYGEN failed"
# Generate some keys.
verbose "$tid: generating test keys"
-REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
+REVOKED_SERIALS="1 4 10 50 90 500 510 520 550 799 999"
for n in $REVOKED_SERIALS ; do
f=`keygen $n`
RKEYS="$RKEYS ${f}.pub"
-# $OpenBSD: limit-keytype.sh,v 1.7 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: limit-keytype.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="restrict pubkey type"
+# XXX sk-* keys aren't actually tested ATM.
+
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/user_key*
rm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key*
mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
-ktype1=ed25519; ktype2=$ktype1; ktype3=$ktype1; ktype4=$ktype1
-for t in `${SSH} -Q key-plain | grep -v ^sk-`; do
+ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
+ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
+for t in `${SSH} -Q key-plain | maybe_filter_sk`; do
case "$t" in
ssh-rsa) ktype2=rsa ;;
ecdsa*) ktype3=ecdsa ;; # unused
ssh-dss) ktype4=dsa ;;
+ sk-ssh-ed25519@openssh.com) ktype5=ed25519-sk ;;
+ sk-ecdsa-sha2-nistp256@openssh.com) ktype6=ecdsa-sk ;;
esac
done
fatal "ssh-keygen failed"
${SSHKEYGEN} -q -N '' -t $ktype4 -f $OBJ/user_key4 || \
fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -N '' -t $ktype5 -f $OBJ/user_key5 || \
+ fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -N '' -t $ktype6 -f $OBJ/user_key6 || \
+ fatal "ssh-keygen failed"
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
-z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 ||
fatal "couldn't sign user_key1"
ed25519) printf "ssh-ed25519" ;;
dsa) printf "ssh-dss" ;;
rsa) printf "rsa-sha2-256,rsa-sha2-512,ssh-rsa" ;;
+ sk-ecdsa) printf "sk-ecdsa-*" ;;
+ sk-ssh-ed25519) printf "sk-ssh-ed25519-*" ;;
esac
}
exit 0
fi
-case "`${SSH} -Q key-plain | grep -v ^sk-`" in
+case "`${SSH} -Q key-plain`" in
*ssh-rsa*) userkeytype=rsa ;;
*) userkeytype=ed25519 ;;
esac
-# $OpenBSD: sshsig.sh,v 1.2 2019/10/04 03:39:19 djm Exp $
+# $OpenBSD: sshsig.sh,v 1.3 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="sshsig"
CA_PUB=$OBJ/sigca-key.pub
trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fatal "could not start ssh-agent: exit code $r"
-# $OpenBSD: test-exec.sh,v 1.67 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: test-exec.sh,v 1.68 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
#SUDO=sudo
*) CONCH=`which ${TEST_SSH_CONCH} 2>/dev/null` ;;
esac
fi
+if [ "x$TEST_SSH_PKCS11_HELPER" != "x" ]; then
+ SSH_PKCS11_HELPER="${TEST_SSH_PKCS11_HELPER}"
+fi
+if [ "x$TEST_SSH_SK_HELPER" != "x" ]; then
+ SSH_SK_HELPER="${TEST_SSH_SK_HELPER}"
+fi
# Path to sshd must be absolute for rexec
case "$SSHD" in
# these should be used in tests
export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
+export SSH_PKCS11_HELPER SSH_SK_HELPER
#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP
# Portable specific functions
rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER
-SSH_KEYTYPES=`$SSH -Q key-plain | grep -v ^sk`
+SSH_SK_PROVIDER=
+if [ -f "${SRC}/misc/sk-dummy/obj/sk-dummy.so" ] ; then
+ SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/obj/sk-dummy.so"
+elif [ -f "${SRC}/misc/sk-dummy/sk-dummy.so" ] ; then
+ SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/sk-dummy.so"
+fi
+export SSH_SK_PROVIDER
+
+if ! test -z "$SSH_SK_PROVIDER"; then
+ EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)...
+ echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config
+fi
+export EXTRA_AGENT_ARGS
+
+filter_sk() {
+ grep -v ^sk
+}
+
+maybe_filter_sk() {
+ if test -z "$SSH_SK_PROVIDER" ; then
+ filter_sk
+ else
+ cat
+ fi
+}
+SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk`
+SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | filter_sk`
+
for t in ${SSH_KEYTYPES}; do
# generate user key
trace "generating key type $t"
fail "ssh-keygen for $t failed"
fi
+ # setup authorized keys
+ cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+ echo IdentityFile $OBJ/$t >> $OBJ/ssh_config
+done
+
+for t in ${SSH_HOSTKEY_TYPES}; do
# known hosts file for client
(
printf 'localhost-with-alias,127.0.0.1,::1 '
cat $OBJ/$t.pub
) >> $OBJ/known_hosts
- # setup authorized keys
- cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
- echo IdentityFile $OBJ/$t >> $OBJ/ssh_config
-
# use key as host key, too
$SUDO cp $OBJ/$t $OBJ/host.$t
echo HostKey $OBJ/host.$t >> $OBJ/sshd_config
projects / thirdparty / openssh-portable.git / commitdiff
