
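--- a/regress/hostkey-rotate.sh
+++ b/regress/hostkey-rotate.sh
@@ -108,21 +108,3 @@ verbose "check rotate primary hostkey"
 dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa
 expect_nkeys 1 "learn hostkeys"
 check_key_present ssh-rsa || fail "didn't learn changed key"
-
-#	$OpenBSD: hostkey-rotate.sh,v 1.4 2015/07/10 06:23:25 markus Exp $
-#	Placed in the Public Domain.
-
-tid="hostkey rotate"
-
-# Prepare hostkeys file with one key
-
-# Connect to sshd
-
-# Check that other keys learned
-
-# Change one hostkey (non primary)
-
-# Connect to sshd
-
-# Check that the key was replaced
-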
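--- a/servconf.c
+++ b/servconf.c
@@ -64,6 +64,7 @@ static void add_one_listen_addr(ServerOptions *, char *, int);
 /* Use of privilege separation or not */
 extern int use_privsep;
 extern Buffer cfg;
+struct include_item *include_list = NULL;
 
 /* Initializes the server options to their default values. */
 
@@ -415,7 +416,7 @@ typedef enum {
 	sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
-	sHostCertificate,
+	sHostCertificate, sInclude,
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
 	sKexAlgorithms, sIPQoS, sVersionAddendum,
@@ -550,6 +551,7 @@ static struct {
 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+	{ "include", sInclude, SSHCFG_GLOBAL },
 	{ "ipqos", sIPQoS, SSHCFG_ALL },
 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
@@ -964,6 +966,9 @@ process_server_config_line(ServerOptions *options, char *line,
 	size_t len;
 	long long val64;
 	const struct multistate *multistate_ptr;
+	struct include_item *item;
+	int found = 0;
+	glob_t gbuf;
 
 	cp = line;
 	if ((arg = strdelim(&cp)) == NULL)
@@ -1632,6 +1637,50 @@ process_server_config_line(ServerOptions *options, char *line,
 			*intptr = value;
 		break;
 
+	case sInclude:
+		arg = strdelim(&cp);
+		if (!arg || *arg == '\0')
+			fatal("%s line %d: missing argument - file to include",
+			    filename, linenum);
+		// browse cached list of files
+		for (item = include_list; item != NULL; item = item->next) {
+			if (strcmp(item->selector, arg) == 0) {
+				if (item->filename != NULL)
+					parse_server_config(options, item->filename, &(item->buffer), connectinfo);
+				found = 1;
+			}
+		}
+		// no match. Go glob
+		if (found == 0) {
+			debug3("Glob configuration file to include %s", arg);
+			if (glob(arg, 0, NULL, &gbuf) == 0)
+				for (i = 0; i < gbuf.gl_pathc; i++) {
+					debug3("Including configuration file %s",
+						gbuf.gl_pathv[i]);
+					item = malloc(sizeof(struct include_item));
+					item->selector = strdup(arg);
+					item->filename = strdup(gbuf.gl_pathv[i]);
+					buffer_init(&(item->buffer));
+					load_server_config(item->filename, &(item->buffer));
+					parse_server_config(options, item->filename, &(item->buffer), connectinfo);
+					// prepend item to the start of the list
+					item->next = include_list;
+					include_list = item;
+				}
+			else { /* no match or other error */
+				// store placeholder to avoid aditional globs
+				item = malloc(sizeof(struct include_item));
+				item->selector = strdup(arg);
+				item->filename = NULL;
+				buffer_init(&(item->buffer));
+				// prepend item to the start of the list
+				item->next = include_list;
+				include_list = item;
+			}
+			globfree(&gbuf);
+		}
+		break;
+
 	case sMatch:
 		if (cmdline)
 			fatal("Match directive not supported as a command-line "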
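Review bot: The allocations in the sInclude case (new lines 1660-1662 and 1672-1673) use bare malloc() and strdup() with no NULL check, so an allocation failure dereferences NULL on the `item->selector = ...` assignment; servconf.c otherwise relies on the checking wrappers, e.g. `item = xcalloc(1, sizeof(*item));` and `item->selector = xstrdup(arg);`. A cache entry is linked into include_list only after parse_server_config() returns, so a file that includes itself, directly or through a glob that matches it, re-enters this case without bound until the stack is exhausted; a depth counter that fatal()s past a small fixed limit would close that. globfree(&gbuf) at new line 1680 also runs on the branch where glob() failed and, depending on the libc, may not have initialised gbuf, so it belongs inside the success branch. The `//` comments and the unbraced if/for/else differ from the surrounding `/* */` and braced style of the switch. process_server_config_line() begins and ends outside the hunk.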
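--- a/servconf.h
+++ b/servconf.h
@@ -206,6 +206,13 @@ struct connection_info {
 	int lport;		/* local port */
 };
 
+struct include_item {
+	const char *selector;
+	const char *filename;
+	Buffer buffer;
+	struct include_item *next;
+};
+
 /*
  * These are string config options that must be copied between the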
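Review bot: struct include_item is added to the public header with no comment on what its fields hold or who owns them, which matters because selector and filename are declared `const char *` yet are heap strings assigned from strdup() in servconf.c and never freed. A comment such as `/* Cached expansion of one Include directive: selector is the pattern as written, filename one file it matched (NULL marks a pattern that matched nothing), buffer holds that file's contents. */` would make the placeholder convention visible to readers of the header. Dropping const from the two string members, or stating that entries live for the process lifetime, would make the ownership explicit. Whether servconf.h already has the Buffer type in scope is not visible in the hunk; if it does not, the buffer header needs to be included here.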
