| 0 |
-- a/regress/cert-file.sh |
0 |
++ b/regress/cert-file.sh |
|
Lines 17-22
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \
|
| 17 |
fatal "ssh-keygen failed" |
17 |
fatal "ssh-keygen failed" |
| 18 |
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \ |
18 |
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \ |
| 19 |
fatal "ssh-keygen failed" |
19 |
fatal "ssh-keygen failed" |
|
|
20 |
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key3 || \ |
| 21 |
fatal "ssh-keygen failed" |
| 22 |
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key4 || \ |
| 23 |
fatal "ssh-keygen failed" |
| 24 |
|
| 20 |
# Move the certificate to a different address to better control |
25 |
# Move the certificate to a different address to better control |
| 21 |
# when it is offered. |
26 |
# when it is offered. |
| 22 |
${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ |
27 |
${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ |
|
Lines 27-39
${SSHKEYGEN} -q -s $OBJ/user_ca_key2 -I "regress user key for $USER" \
|
| 27 |
-z $$ -n ${USER} $OBJ/user_key1 || |
32 |
-z $$ -n ${USER} $OBJ/user_key1 || |
| 28 |
fail "couldn't sign user_key1 with user_ca_key2" |
33 |
fail "couldn't sign user_key1 with user_ca_key2" |
| 29 |
mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub |
34 |
mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub |
|
|
35 |
${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ |
| 36 |
-z $$ -n ${USER} $OBJ/user_key3 || |
| 37 |
fail "couldn't sign user_key3 with user_ca_key1" |
| 38 |
rm $OBJ/user_key3.pub # make sure we remove this, as that's the point of this test |
| 39 |
${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ |
| 40 |
-z $$ -n ${USER} $OBJ/user_key4 || |
| 41 |
fail "couldn't sign user_key4 with user_ca_key1" |
| 42 |
rm $OBJ/user_key4 $OBJ/user_key4.pub # remove them both, we want this to be a broken cert |
| 30 |
|
43 |
|
| 31 |
trace 'try with identity files' |
44 |
trace 'try with identity files' |
| 32 |
opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes" |
45 |
opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes" |
| 33 |
opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2" |
46 |
opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2" |
| 34 |
echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER |
47 |
echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER |
| 35 |
|
48 |
|
|
|
49 |
# Make a clean config that doesn't have any pre-added identities. |
| 50 |
cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config |
| 51 |
|
| 36 |
for p in ${SSH_PROTOCOLS}; do |
52 |
for p in ${SSH_PROTOCOLS}; do |
|
|
53 |
# IdentitiesOnly should count a CertificateFile as an identity, and not fall back |
| 54 |
# to ~/.ssh/id_rsa and friends, even if the cert is busted. |
| 55 |
${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes -oCertificateFile=$OBJ/user_key4-cert.pub somehost exit 5$p |
| 56 |
r=$? |
| 57 |
if [ $r -eq 5$p ]; then |
| 58 |
fail "ssh should fail, and not fallback to other working user $p" |
| 59 |
fi |
| 60 |
# Bad form to grep over log file, but can't see any other way to determine |
| 61 |
# if the default home directory location is used or not. |
| 62 |
cnt=$(grep -c id_rsa $OBJ/ssh.log) |
| 63 |
if [ $cnt -ne "0" ]; then |
| 64 |
fail "ssh must not try to use id_rsa when IdentitiesOnly is specified ($cnt found, want 0) $p" |
| 65 |
fi |
| 66 |
|
| 67 |
# xxx alone should work (find the equivalent cert) |
| 68 |
${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes -i $OBJ/user_key3 somehost exit 5$p |
| 69 |
r=$? |
| 70 |
if [ $r -ne 5$p ]; then |
| 71 |
fail "ssh with cert failed with private key file specified only $p" |
| 72 |
fi |
| 73 |
|
| 74 |
# xxx-cert.pub should work (find the equivalent private key) |
| 75 |
${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes -oCertificateFile=$OBJ/user_key3-cert.pub somehost exit 5$p |
| 76 |
r=$? |
| 77 |
if [ $r -ne 5$p ]; then |
| 78 |
fail "ssh failed with cert only $p" |
| 79 |
fi |
| 80 |
|
| 81 |
# Both together must work, even when key.pub is missing |
| 82 |
${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes -oCertificateFile=$OBJ/user_key3-cert.pub -i $OBJ/user_key3 somehost exit 5$p |
| 83 |
r=$? |
| 84 |
if [ $r -ne 5$p ]; then |
| 85 |
fail "ssh failed with cert and private key file only $p" |
| 86 |
fi |
| 87 |
|
| 37 |
# Just keys should fail |
88 |
# Just keys should fail |
| 38 |
${SSH} $opts2 somehost exit 5$p |
89 |
${SSH} $opts2 somehost exit 5$p |
| 39 |
r=$? |
90 |
r=$? |
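Review bot: The id_rsa fallback check at new lines 60-65 greps all of `$OBJ/ssh.log`, so its count is not tied to the single ssh invocation on line 55: if the harness appends to that log (as `ssh -E` does), hits from earlier invocations and from the previous `$p` iteration carry over, and if the file does not exist yet `cnt` is empty and `[ $cnt -ne "0" ]` becomes a shell error instead of a failed test. Truncating the log right before the invocation, `: > $OBJ/ssh.log`, and defaulting the count, `cnt=${cnt:-0}`, pins the assertion to that one run; whether the log is appended or overwritten per run is not visible in this hunk, so confirm it against the harness. Separately, line 50's `cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config` can drop the cat, `grep -v IdentityFile $OBJ/ssh_proxy > $OBJ/no_identity_config`, and the `-F $OBJ/no_identity_config -oIdentitiesOnly=yes` prefix repeated on lines 55, 68, 75 and 82 would read better as one variable alongside `opts`/`opts2`. The `for p` loop opened on line 52 closes outside the hunk.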