upstream: Remove references to privsep.
authordtucker@openbsd.org <dtucker@openbsd.org>
Thu, 30 Sep 2021 05:20:08 +0000 (05:20 +0000)
committerDarren Tucker <dtucker@dtucker.net>
Fri, 1 Oct 2021 04:55:12 +0000 (14:55 +1000)
This removes several do..while loops but does not change the
indentation of the now-shallower loops, which will be done in a separate
whitespace-only commit to keep changes of style and substance separate.

OpenBSD-Regress-ID: 4bed1a0249df7b4a87c965066ce689e79472a8f7

regress/cert-hostkey.sh
regress/cert-userkey.sh
regress/hostkey-agent.sh
regress/login-timeout.sh
regress/principals-command.sh

index de8652b0e5e274376cc0fda74383ed8f478b309b..904dd6930d3258b19ef5ac86a0add616f8b9cb79 100644 (file)
@@ -1,4 +1,4 @@
-#      $OpenBSD: cert-hostkey.sh,v 1.25 2021/06/08 22:30:27 djm Exp $
+#      $OpenBSD: cert-hostkey.sh,v 1.26 2021/09/30 05:20:08 dtucker Exp $
 #      Placed in the Public Domain.
 
 tid="certified host keys"
@@ -131,14 +131,12 @@ attempt_connect() {
 }
 
 # Basic connect and revocation tests.
-for privsep in yes ; do
        for ktype in $PLAIN_TYPES ; do
-               verbose "$tid: host ${ktype} cert connect privsep $privsep"
+               verbose "$tid: host ${ktype} cert connect"
                (
                        cat $OBJ/sshd_proxy_bak
                        echo HostKey $OBJ/cert_host_key_${ktype}
                        echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-                       echo UsePrivilegeSeparation $privsep
                ) > $OBJ/sshd_proxy
 
                #               test name                         expect success
@@ -160,7 +158,6 @@ for privsep in yes ; do
                attempt_connect "$ktype CA plaintext revocation"        "no" \
                    -oRevokedHostKeys=$OBJ/host_revoked_ca
        done
-done
 
 # Revoked certificates with key present
 kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
@@ -169,14 +166,12 @@ for ktype in $PLAIN_TYPES ; do
        kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
 done
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for privsep in yes ; do
        for ktype in $PLAIN_TYPES ; do
-               verbose "$tid: host ${ktype} revoked cert privsep $privsep"
+               verbose "$tid: host ${ktype} revoked cert"
                (
                        cat $OBJ/sshd_proxy_bak
                        echo HostKey $OBJ/cert_host_key_${ktype}
                        echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-                       echo UsePrivilegeSeparation $privsep
                ) > $OBJ/sshd_proxy
 
                cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
@@ -187,7 +182,6 @@ for privsep in yes ; do
                        fail "ssh cert connect succeeded unexpectedly"
                fi
        done
-done
 
 # Revoked CA
 kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
index baa6903ea268cc4b7dd560586ba13384ac08764e..53d1951d75b7724fbfd069577c19fd5643655bb3 100644 (file)
@@ -1,4 +1,4 @@
-#      $OpenBSD: cert-userkey.sh,v 1.26 2021/02/25 03:27:34 djm Exp $
+#      $OpenBSD: cert-userkey.sh,v 1.27 2021/09/30 05:20:08 dtucker Exp $
 #      Placed in the Public Domain.
 
 tid="certified user keys"
@@ -60,14 +60,12 @@ done
 # Test explicitly-specified principals
 for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
        t=$(kname $ktype)
-       for privsep in yes ; do
-               _prefix="${ktype} privsep $privsep"
+               _prefix="${ktype}"
 
                # Setup for AuthorizedPrincipalsFile
                rm -f $OBJ/authorized_keys_$USER
                (
                        cat $OBJ/sshd_proxy_bak
-                       echo "UsePrivilegeSeparation $privsep"
                        echo "AuthorizedPrincipalsFile " \
                            "$OBJ/authorized_principals_%u"
                        echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
@@ -148,7 +146,6 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
                rm -f $OBJ/authorized_principals_$USER
                (
                        cat $OBJ/sshd_proxy_bak
-                       echo "UsePrivilegeSeparation $privsep"
                        echo "PubkeyAcceptedAlgorithms ${t}"
                ) > $OBJ/sshd_proxy
                (
@@ -179,7 +176,6 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
                if [ $? -ne 0 ]; then
                        fail "ssh cert connect failed"
                fi
-       done
 done
 
 basic_tests() {
@@ -197,13 +193,11 @@ basic_tests() {
 
        for ktype in $PLAIN_TYPES ; do
                t=$(kname $ktype)
-               for privsep in yes ; do
-                       _prefix="${ktype} privsep $privsep $auth"
+                       _prefix="${ktype} $auth"
                        # Simple connect
                        verbose "$tid: ${_prefix} connect"
                        (
                                cat $OBJ/sshd_proxy_bak
-                               echo "UsePrivilegeSeparation $privsep"
                                echo "PubkeyAcceptedAlgorithms ${t}"
                                echo "$extra_sshd"
                        ) > $OBJ/sshd_proxy
@@ -222,7 +216,6 @@ basic_tests() {
                        verbose "$tid: ${_prefix} revoked key"
                        (
                                cat $OBJ/sshd_proxy_bak
-                               echo "UsePrivilegeSeparation $privsep"
                                echo "RevokedKeys $OBJ/cert_user_key_revoked"
                                echo "PubkeyAcceptedAlgorithms ${t}"
                                echo "$extra_sshd"
@@ -265,7 +258,6 @@ basic_tests() {
                if [ $? -eq 0 ]; then
                        fail "ssh cert connect succeeded unexpecedly"
                fi
-       done
 
        verbose "$tid: $auth CA does not authenticate"
        (
index 9549b33a75971f9bc3c0c3a764edadb93e93ec99..222d424bd34f128a36f2efd1d569199caee89644 100644 (file)
@@ -1,4 +1,4 @@
-#      $OpenBSD: hostkey-agent.sh,v 1.12 2021/09/29 01:32:21 djm Exp $
+#      $OpenBSD: hostkey-agent.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $
 #      Placed in the Public Domain.
 
 tid="hostkey agent"
@@ -45,7 +45,7 @@ for k in $SSH_KEYTYPES ; do
                fail "keytype $k failed"
        fi
        if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
-               fail "bad SSH_CONNECTION key type $k privsep=$ps"
+               fail "bad SSH_CONNECTION key type $k"
        fi
 done
 
@@ -78,7 +78,7 @@ for k in $SSH_CERTTYPES ; do
                fail "cert type $k failed"
        fi
        if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
-               fail "bad SSH_CONNECTION key type $k privsep=$ps"
+               fail "bad SSH_CONNECTION key type $k"
        fi
 done
 
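Review bot: The failure message on the changed line still says `key type`, although this loop iterates `$SSH_CERTTYPES` and the check just above it reports `cert type $k failed`. A failing run would be easier to triage if the two agreed: `fail "bad SSH_CONNECTION cert type $k"`. The loop body starts outside this hunk.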
index 4c2d07dc255da0391cc2a53c72181cb9a48802fc..1577da1590f6450807c3e5a4440d1e85428978d1 100644 (file)
@@ -1,9 +1,9 @@
-#      $OpenBSD: login-timeout.sh,v 1.9 2017/08/07 00:53:51 dtucker Exp $
+#      $OpenBSD: login-timeout.sh,v 1.10 2021/09/30 05:20:08 dtucker Exp $
 #      Placed in the Public Domain.
 
 tid="connect after login grace timeout"
 
-trace "test login grace with privsep"
+trace "test login grace time"
 cp $OBJ/sshd_config $OBJ/sshd_config.orig
 grep -vi LoginGraceTime $OBJ/sshd_config.orig > $OBJ/sshd_config
 echo "LoginGraceTime 10s" >> $OBJ/sshd_config
index a808f9c359fb6a96102e5f44bdcc3f2d549ee46f..74da09a9648ab4546181d9a23b36f02eceb5755a 100644 (file)
@@ -1,4 +1,4 @@
-#      $OpenBSD: principals-command.sh,v 1.12 2021/09/30 04:22:50 dtucker Exp $
+#      $OpenBSD: principals-command.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $
 #      Placed in the Public Domain.
 
 tid="authorized principals command"
@@ -59,114 +59,110 @@ if ! $OBJ/check-perm -m keys-command $PRINCIPALS_COMMAND ; then
        exit 0
 fi
 
-if [ -x $PRINCIPALS_COMMAND ]; then
-       # Test explicitly-specified principals
-       for privsep in yes ; do
-               _prefix="privsep $privsep"
-
-               # Setup for AuthorizedPrincipalsCommand
-               rm -f $OBJ/authorized_keys_$USER
-               (
-                       cat $OBJ/sshd_proxy_bak
-                       echo "UsePrivilegeSeparation $privsep"
-                       echo "AuthorizedKeysFile none"
-                       echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
-                           "%u %t %T %i %s %F %f %k %K"
-                       echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
-                       echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
-               ) > $OBJ/sshd_proxy
-
-               # XXX test missing command
-               # XXX test failing command
-
-               # Empty authorized_principals
-               verbose "$tid: ${_prefix} empty authorized_principals"
-               echo > $OBJ/authorized_principals_$USER
-               ${SSH} -i $OBJ/cert_user_key \
-                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-               if [ $? -eq 0 ]; then
-                       fail "ssh cert connect succeeded unexpectedly"
-               fi
-
-               # Wrong authorized_principals
-               verbose "$tid: ${_prefix} wrong authorized_principals"
-               echo gregorsamsa > $OBJ/authorized_principals_$USER
-               ${SSH} -i $OBJ/cert_user_key \
-                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-               if [ $? -eq 0 ]; then
-                       fail "ssh cert connect succeeded unexpectedly"
-               fi
-
-               # Correct authorized_principals
-               verbose "$tid: ${_prefix} correct authorized_principals"
-               echo mekmitasdigoat > $OBJ/authorized_principals_$USER
-               ${SSH} -i $OBJ/cert_user_key \
-                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-               if [ $? -ne 0 ]; then
-                       fail "ssh cert connect failed"
-               fi
-
-               # authorized_principals with bad key option
-               verbose "$tid: ${_prefix} authorized_principals bad key opt"
-               echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
-               ${SSH} -i $OBJ/cert_user_key \
-                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-               if [ $? -eq 0 ]; then
-                       fail "ssh cert connect succeeded unexpectedly"
-               fi
-
-               # authorized_principals with command=false
-               verbose "$tid: ${_prefix} authorized_principals command=false"
-               echo 'command="false" mekmitasdigoat' > \
-                   $OBJ/authorized_principals_$USER
-               ${SSH} -i $OBJ/cert_user_key \
-                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-               if [ $? -eq 0 ]; then
-                       fail "ssh cert connect succeeded unexpectedly"
-               fi
-
-               # authorized_principals with command=true
-               verbose "$tid: ${_prefix} authorized_principals command=true"
-               echo 'command="true" mekmitasdigoat' > \
-                   $OBJ/authorized_principals_$USER
-               ${SSH} -i $OBJ/cert_user_key \
-                   -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
-               if [ $? -ne 0 ]; then
-                       fail "ssh cert connect failed"
-               fi
-
-               # Setup for principals= key option
-               rm -f $OBJ/authorized_principals_$USER
-               (
-                       cat $OBJ/sshd_proxy_bak
-                       echo "UsePrivilegeSeparation $privsep"
-               ) > $OBJ/sshd_proxy
-
-               # Wrong principals list
-               verbose "$tid: ${_prefix} wrong principals key option"
-               (
-                       printf 'cert-authority,principals="gregorsamsa" '
-                       cat $OBJ/user_ca_key.pub
-               ) > $OBJ/authorized_keys_$USER
-               ${SSH} -i $OBJ/cert_user_key \
-                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-               if [ $? -eq 0 ]; then
-                       fail "ssh cert connect succeeded unexpectedly"
-               fi
-
-               # Correct principals list
-               verbose "$tid: ${_prefix} correct principals key option"
-               (
-                       printf 'cert-authority,principals="mekmitasdigoat" '
-                       cat $OBJ/user_ca_key.pub
-               ) > $OBJ/authorized_keys_$USER
-               ${SSH} -i $OBJ/cert_user_key \
-                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-               if [ $? -ne 0 ]; then
-                       fail "ssh cert connect failed"
-               fi
-       done
-else
-       echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
+if [ ! -x $PRINCIPALS_COMMAND ]; then
+       skip "$PRINCIPALS_COMMAND not executable " \
            "(/var/run mounted noexec?)"
 fi
+
+#Test explicitly-specified principals
+       # Setup for AuthorizedPrincipalsCommand
+       rm -f $OBJ/authorized_keys_$USER
+       (
+               cat $OBJ/sshd_proxy_bak
+               echo "AuthorizedKeysFile none"
+               echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
+                   "%u %t %T %i %s %F %f %k %K"
+               echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
+               echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+       ) > $OBJ/sshd_proxy
+
+       # XXX test missing command
+       # XXX test failing command
+
+       # Empty authorized_principals
+       verbose "$tid: empty authorized_principals"
+       echo > $OBJ/authorized_principals_$USER
+       ${SSH} -i $OBJ/cert_user_key \
+           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+       if [ $? -eq 0 ]; then
+               fail "ssh cert connect succeeded unexpectedly"
+       fi
+
+       # Wrong authorized_principals
+       verbose "$tid: wrong authorized_principals"
+       echo gregorsamsa > $OBJ/authorized_principals_$USER
+       ${SSH} -i $OBJ/cert_user_key \
+           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+       if [ $? -eq 0 ]; then
+               fail "ssh cert connect succeeded unexpectedly"
+       fi
+
+       # Correct authorized_principals
+       verbose "$tid: correct authorized_principals"
+       echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+       ${SSH} -i $OBJ/cert_user_key \
+           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+       if [ $? -ne 0 ]; then
+               fail "ssh cert connect failed"
+       fi
+
+       # authorized_principals with bad key option
+       verbose "$tid: authorized_principals bad key opt"
+       echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+       ${SSH} -i $OBJ/cert_user_key \
+           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+       if [ $? -eq 0 ]; then
+               fail "ssh cert connect succeeded unexpectedly"
+       fi
+
+       # authorized_principals with command=false
+       verbose "$tid: authorized_principals command=false"
+       echo 'command="false" mekmitasdigoat' > \
+           $OBJ/authorized_principals_$USER
+       ${SSH} -i $OBJ/cert_user_key \
+           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+       if [ $? -eq 0 ]; then
+               fail "ssh cert connect succeeded unexpectedly"
+       fi
+
+
+       # authorized_principals with command=true
+       verbose "$tid: authorized_principals command=true"
+       echo 'command="true" mekmitasdigoat' > \
+           $OBJ/authorized_principals_$USER
+       ${SSH} -i $OBJ/cert_user_key \
+           -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+       if [ $? -ne 0 ]; then
+               fail "ssh cert connect failed"
+       fi
+
+       # Setup for principals= key option
+       # TODO: remove?
+       rm -f $OBJ/authorized_principals_$USER
+       (
+               cat $OBJ/sshd_proxy_bak
+       ) > $OBJ/sshd_proxy
+
+       # Wrong principals list
+       verbose "$tid: wrong principals key option"
+       (
+               printf 'cert-authority,principals="gregorsamsa" '
+               cat $OBJ/user_ca_key.pub
+       ) > $OBJ/authorized_keys_$USER
+       ${SSH} -i $OBJ/cert_user_key \
+           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+       if [ $? -eq 0 ]; then
+               fail "ssh cert connect succeeded unexpectedly"
+       fi
+
+       # Correct principals list
+       verbose "$tid: correct principals key option"
+       (
+               printf 'cert-authority,principals="mekmitasdigoat" '
+               cat $OBJ/user_ca_key.pub
+       ) > $OBJ/authorized_keys_$USER
+       ${SSH} -i $OBJ/cert_user_key \
+           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+       if [ $? -ne 0 ]; then
+               fail "ssh cert connect failed"
+       fi
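Review bot: The new `if [ ! -x $PRINCIPALS_COMMAND ]` guard has no else branch around the tests any more, so everything below it runs unless `skip` itself terminates the script; `skip` is defined outside this hunk, while the check-perm guard just above still ends with an explicit `exit 0`. If `skip` were ever to return, the cases that expect a refused connection would presumably pass for the wrong reason against a command sshd cannot execute, so a one-line comment such as `# skip() exits; nothing below runs without an executable command` would record that dependency. The added `# TODO: remove?` under "Setup for principals= key option" does not say what is to be removed; since that block rewrites sshd_proxy before the `principals=` cases, a comment like `# Reset sshd_proxy to the base config for the principals= key option tests` would be more useful than an open question.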