diff options
| author | dtucker@openbsd.org <dtucker@openbsd.org> | 2021-09-30 05:20:08 +0000 |
|---|---|---|
| committer | Darren Tucker <dtucker@dtucker.net> | 2021-10-01 14:55:12 +1000 |
| commit | ddcb53b7a7b29be65d57562302b2d5f41733e8dd (patch) | |
| tree | 3be7c54adfd7746814f44bd8356f1b955ec4a463 | |
| parent | ece2fbe486164860de8df3f8b943cccca3085eff (diff) | |
upstream: Remove references to privsep.
This removes several do..while loops but does not change the
indentation of the now-shallower loops, which will be done in a separate
whitespace-only commit to keep changes of style and substance separate.
OpenBSD-Regress-ID: 4bed1a0249df7b4a87c965066ce689e79472a8f7
| -rw-r--r-- | regress/cert-hostkey.sh | 12 | ||||
| -rw-r--r-- | regress/cert-userkey.sh | 14 | ||||
| -rw-r--r-- | regress/hostkey-agent.sh | 6 | ||||
| -rw-r--r-- | regress/login-timeout.sh | 4 | ||||
| -rw-r--r-- | regress/principals-command.sh | 216 |
5 files changed, 117 insertions, 135 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index de8652b0..904dd693 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-hostkey.sh,v 1.25 2021/06/08 22:30:27 djm Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.26 2021/09/30 05:20:08 dtucker Exp $ # Placed in the Public Domain. tid="certified host keys" @@ -131,14 +131,12 @@ attempt_connect() { } # Basic connect and revocation tests. -for privsep in yes ; do for ktype in $PLAIN_TYPES ; do - verbose "$tid: host ${ktype} cert connect privsep $privsep" + verbose "$tid: host ${ktype} cert connect" ( cat $OBJ/sshd_proxy_bak echo HostKey $OBJ/cert_host_key_${ktype} echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub - echo UsePrivilegeSeparation $privsep ) > $OBJ/sshd_proxy # test name expect success @@ -160,7 +158,6 @@ for privsep in yes ; do attempt_connect "$ktype CA plaintext revocation" "no" \ -oRevokedHostKeys=$OBJ/host_revoked_ca done -done # Revoked certificates with key present kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig @@ -169,14 +166,12 @@ for ktype in $PLAIN_TYPES ; do kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig done cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert -for privsep in yes ; do for ktype in $PLAIN_TYPES ; do - verbose "$tid: host ${ktype} revoked cert privsep $privsep" + verbose "$tid: host ${ktype} revoked cert" ( cat $OBJ/sshd_proxy_bak echo HostKey $OBJ/cert_host_key_${ktype} echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub - echo UsePrivilegeSeparation $privsep ) > $OBJ/sshd_proxy cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert @@ -187,7 +182,6 @@ for privsep in yes ; do fail "ssh cert connect succeeded unexpectedly" fi done -done # Revoked CA kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index baa6903e..53d1951d 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.26 2021/02/25 03:27:34 djm Exp $ +# $OpenBSD: cert-userkey.sh,v 1.27 2021/09/30 05:20:08 dtucker Exp $ # Placed in the Public Domain. tid="certified user keys" @@ -60,14 +60,12 @@ done # Test explicitly-specified principals for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do t=$(kname $ktype) - for privsep in yes ; do - _prefix="${ktype} privsep $privsep" + _prefix="${ktype}" # Setup for AuthorizedPrincipalsFile rm -f $OBJ/authorized_keys_$USER ( cat $OBJ/sshd_proxy_bak - echo "UsePrivilegeSeparation $privsep" echo "AuthorizedPrincipalsFile " \ "$OBJ/authorized_principals_%u" echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" @@ -148,7 +146,6 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do rm -f $OBJ/authorized_principals_$USER ( cat $OBJ/sshd_proxy_bak - echo "UsePrivilegeSeparation $privsep" echo "PubkeyAcceptedAlgorithms ${t}" ) > $OBJ/sshd_proxy ( @@ -179,7 +176,6 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do if [ $? -ne 0 ]; then fail "ssh cert connect failed" fi - done done basic_tests() { @@ -197,13 +193,11 @@ basic_tests() { for ktype in $PLAIN_TYPES ; do t=$(kname $ktype) - for privsep in yes ; do - _prefix="${ktype} privsep $privsep $auth" + _prefix="${ktype} $auth" # Simple connect verbose "$tid: ${_prefix} connect" ( cat $OBJ/sshd_proxy_bak - echo "UsePrivilegeSeparation $privsep" echo "PubkeyAcceptedAlgorithms ${t}" echo "$extra_sshd" ) > $OBJ/sshd_proxy @@ -222,7 +216,6 @@ basic_tests() { verbose "$tid: ${_prefix} revoked key" ( cat $OBJ/sshd_proxy_bak - echo "UsePrivilegeSeparation $privsep" echo "RevokedKeys $OBJ/cert_user_key_revoked" echo "PubkeyAcceptedAlgorithms ${t}" echo "$extra_sshd" @@ -265,7 +258,6 @@ basic_tests() { if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpecedly" fi - done verbose "$tid: $auth CA does not authenticate" ( diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh index 9549b33a..222d424b 100644 --- a/regress/hostkey-agent.sh +++ b/regress/hostkey-agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: hostkey-agent.sh,v 1.12 2021/09/29 01:32:21 djm Exp $ +# $OpenBSD: hostkey-agent.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $ # Placed in the Public Domain. tid="hostkey agent" @@ -45,7 +45,7 @@ for k in $SSH_KEYTYPES ; do fail "keytype $k failed" fi if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then - fail "bad SSH_CONNECTION key type $k privsep=$ps" + fail "bad SSH_CONNECTION key type $k" fi done @@ -78,7 +78,7 @@ for k in $SSH_CERTTYPES ; do fail "cert type $k failed" fi if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then - fail "bad SSH_CONNECTION key type $k privsep=$ps" + fail "bad SSH_CONNECTION key type $k" fi done diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh index 4c2d07dc..1577da15 100644 --- a/regress/login-timeout.sh +++ b/regress/login-timeout.sh @@ -1,9 +1,9 @@ -# $OpenBSD: login-timeout.sh,v 1.9 2017/08/07 00:53:51 dtucker Exp $ +# $OpenBSD: login-timeout.sh,v 1.10 2021/09/30 05:20:08 dtucker Exp $ # Placed in the Public Domain. tid="connect after login grace timeout" -trace "test login grace with privsep" +trace "test login grace time" cp $OBJ/sshd_config $OBJ/sshd_config.orig grep -vi LoginGraceTime $OBJ/sshd_config.orig > $OBJ/sshd_config echo "LoginGraceTime 10s" >> $OBJ/sshd_config diff --git a/regress/principals-command.sh b/regress/principals-command.sh index a808f9c3..74da09a9 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh @@ -1,4 +1,4 @@ -# $OpenBSD: principals-command.sh,v 1.12 2021/09/30 04:22:50 dtucker Exp $ +# $OpenBSD: principals-command.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $ # Placed in the Public Domain. tid="authorized principals command" @@ -59,114 +59,110 @@ if ! $OBJ/check-perm -m keys-command $PRINCIPALS_COMMAND ; then exit 0 fi -if [ -x $PRINCIPALS_COMMAND ]; then - # Test explicitly-specified principals - for privsep in yes ; do - _prefix="privsep $privsep" - - # Setup for AuthorizedPrincipalsCommand - rm -f $OBJ/authorized_keys_$USER - ( - cat $OBJ/sshd_proxy_bak - echo "UsePrivilegeSeparation $privsep" - echo "AuthorizedKeysFile none" - echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \ - "%u %t %T %i %s %F %f %k %K" - echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" - echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" - ) > $OBJ/sshd_proxy - - # XXX test missing command - # XXX test failing command - - # Empty authorized_principals - verbose "$tid: ${_prefix} empty authorized_principals" - echo > $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - # Wrong authorized_principals - verbose "$tid: ${_prefix} wrong authorized_principals" - echo gregorsamsa > $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - # Correct authorized_principals - verbose "$tid: ${_prefix} correct authorized_principals" - echo mekmitasdigoat > $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi - - # authorized_principals with bad key option - verbose "$tid: ${_prefix} authorized_principals bad key opt" - echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - # authorized_principals with command=false - verbose "$tid: ${_prefix} authorized_principals command=false" - echo 'command="false" mekmitasdigoat' > \ - $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - # authorized_principals with command=true - verbose "$tid: ${_prefix} authorized_principals command=true" - echo 'command="true" mekmitasdigoat' > \ - $OBJ/authorized_principals_$USER - ${SSH} -i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi - - # Setup for principals= key option - rm -f $OBJ/authorized_principals_$USER - ( - cat $OBJ/sshd_proxy_bak - echo "UsePrivilegeSeparation $privsep" - ) > $OBJ/sshd_proxy - - # Wrong principals list - verbose "$tid: ${_prefix} wrong principals key option" - ( - printf 'cert-authority,principals="gregorsamsa" ' - cat $OBJ/user_ca_key.pub - ) > $OBJ/authorized_keys_$USER - ${SSH} -i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - # Correct principals list - verbose "$tid: ${_prefix} correct principals key option" - ( - printf 'cert-authority,principals="mekmitasdigoat" ' - cat $OBJ/user_ca_key.pub - ) > $OBJ/authorized_keys_$USER - ${SSH} -i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi - done -else - echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \ +if [ ! -x $PRINCIPALS_COMMAND ]; then + skip "$PRINCIPALS_COMMAND not executable " \ "(/var/run mounted noexec?)" fi + +#Test explicitly-specified principals + # Setup for AuthorizedPrincipalsCommand + rm -f $OBJ/authorized_keys_$USER + ( + cat $OBJ/sshd_proxy_bak + echo "AuthorizedKeysFile none" + echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \ + "%u %t %T %i %s %F %f %k %K" + echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" + echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" + ) > $OBJ/sshd_proxy + + # XXX test missing command + # XXX test failing command + + # Empty authorized_principals + verbose "$tid: empty authorized_principals" + echo > $OBJ/authorized_principals_$USER + ${SSH} -i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Wrong authorized_principals + verbose "$tid: wrong authorized_principals" + echo gregorsamsa > $OBJ/authorized_principals_$USER + ${SSH} -i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Correct authorized_principals + verbose "$tid: correct authorized_principals" + echo mekmitasdigoat > $OBJ/authorized_principals_$USER + ${SSH} -i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + + # authorized_principals with bad key option + verbose "$tid: authorized_principals bad key opt" + echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER + ${SSH} -i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # authorized_principals with command=false + verbose "$tid: authorized_principals command=false" + echo 'command="false" mekmitasdigoat' > \ + $OBJ/authorized_principals_$USER + ${SSH} -i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + + # authorized_principals with command=true + verbose "$tid: authorized_principals command=true" + echo 'command="true" mekmitasdigoat' > \ + $OBJ/authorized_principals_$USER + ${SSH} -i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + + # Setup for principals= key option + # TODO: remove? + rm -f $OBJ/authorized_principals_$USER + ( + cat $OBJ/sshd_proxy_bak + ) > $OBJ/sshd_proxy + + # Wrong principals list + verbose "$tid: wrong principals key option" + ( + printf 'cert-authority,principals="gregorsamsa" ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + ${SSH} -i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Correct principals list + verbose "$tid: correct principals key option" + ( + printf 'cert-authority,principals="mekmitasdigoat" ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + ${SSH} -i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi |