#	$OpenBSD: cert-hostkey.sh,v 1.27 2021/09/30 05:26:26 dtucker Exp $
#	Placed in the Public Domain.

tid="certified host keys"

# Start from a clean slate: known_hosts variants, CA keys, host keys,
# plaintext revocation lists and KRLs left behind by an earlier run.
rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_*
rm -f $OBJ/cert_host_key* $OBJ/host_krl_*

# Build the client's HostKeyAlgorithms list from every key type this ssh
# supports. Certificate algorithms are moved to the front so the client asks
# for the host *certificate* rather than the plain key, and for RSA the
# SHA-2 names (rsa-sha2-512/256 and their -cert variants) are inserted ahead
# of the legacy ssh-rsa names. "rsa" records whether RSA is available at
# all; the second CA below is made RSA only in that case.
rsa=0
types=""
for alg in $($SSH -Q key | maybe_filter_sk); do
	# The first entry seeds the list; there is nothing to order it against.
	case "$types" in
	"")	types="$alg"; continue ;;
	esac
	case "$alg" in
	*rsa*cert*)
		types="rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,$alg,$types" ;;
	*rsa*)
		rsa=1
		types="$types,rsa-sha2-512,rsa-sha2-256,$alg" ;;
	*cert*)
		types="$alg,$types" ;;
	*)
		types="$types,$alg" ;;
	esac
done

# Client side: prefer certificates (list above), accept any pubkey algorithm.
printf 'HostKeyAlgorithms %s\nPubkeyAcceptedAlgorithms *\n' "$types" \
    >> $OBJ/ssh_proxy
# Server side: keep a pristine copy of sshd_proxy. Each test regenerates
# sshd_proxy from this copy with the HostKey/HostCertificate under test.
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
printf 'HostKeyAlgorithms *\nPubkeyAcceptedAlgorithms *\n' \
    >> $OBJ/sshd_proxy_bak

# Names/addresses used both as the principals of every host certificate
# (ssh-keygen -n) and as the host pattern of every known_hosts line.
HOSTS='localhost-with-alias,127.0.0.1,::1'

# kh_line MARKER KEYFILE...
# Emit one known_hosts line per key file (relative to $OBJ): MARKER, a
# space, then the public key. MARKER already carries the host pattern.
kh_line() {
	_marker="$1"
	shift
	for k in "$@" ; do
		printf '%s ' "$_marker"
		cat $OBJ/$k || fatal "couldn't cat $k"
	done
}
# Trust the given public keys as certificate authorities for $HOSTS.
kh_ca() {
	kh_line "@cert-authority $HOSTS" "$@"
}
# Revoke the given public keys for every host ("*"). A revoked key is
# refused whether it appears as a plain host key or as a CA.
kh_revoke() {
	kh_line "@revoked *" "$@"
}

# Create a CA key and add it to known hosts. Ed25519 chosen for speed.
# RSA for testing RSA/SHA2 signatures if supported.
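# Second CA: RSA when this build supports it, so RSA/SHA-2 certificate
# signatures get exercised; otherwise a second ed25519 key.
ktype2=ed25519
[ "x$rsa" = "x1" ] && ktype2=rsa
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\
	fail "ssh-keygen of host_ca_key failed"
${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/host_ca_key2 ||\
	fail "ssh-keygen of host_ca_key2 failed"

# Baseline known_hosts: both CAs trusted for $HOSTS and no plain host keys,
# so a host is only accepted via a certificate chaining to one of the CAs.
# known_hosts-cert.orig is the template copied back over known_hosts-cert
# before each connection attempt.
kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert

# Plain text revocation files, used later via -oRevokedHostKeys. The
# plain-key and cert lists are filled in as host keys are generated; the CA
# list revokes both CAs outright. The empty list must be harmless.
touch $OBJ/host_revoked_empty
touch $OBJ/host_revoked_plain
touch $OBJ/host_revoked_cert
cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca

# Host key types under test: the plain (non-certificate) types ssh knows,
# rewritten into ssh-keygen -t spelling (ssh-dss -> dsa, "ssh-" prefix
# stripped), plus the RSA/SHA-2 signature names when RSA is available.
PLAIN_TYPES=`echo "$SSH_KEYTYPES" | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`

if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
	PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
fi

# Prepare certificate, plain key and CA KRLs (binary Key Revocation Lists,
# the counterpart of the plaintext files above). The plain and cert KRLs
# are populated as host keys are generated; the CA KRL revokes both CAs.
${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
${SSHKEYGEN} -kf $OBJ/host_krl_cert || fatal "KRL init failed"
${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub \
	|| fatal "KRL init failed"

# Generate and sign host keys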
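# set_host_cert KTYPE
# Regenerate sshd_proxy from the pristine copy with the host key and host
# certificate for KTYPE appended, so sshd presents that certificate.
set_host_cert() {
	(
		cat $OBJ/sshd_proxy_bak
		echo HostKey $OBJ/cert_host_key_$1
		echo HostCertificate $OBJ/cert_host_key_$1-cert.pub
	) > $OBJ/sshd_proxy
}

# set_ca_for KTYPE
# Select the CA and the ssh-keygen signature flag for a host key of type
# KTYPE, leaving them in the globals "ca" and "tflag". rsa-sha2-* keys are
# signed by the second CA (RSA whenever RSA is supported, see host_ca_key2)
# with an explicit -t so the certificate carries an RSA/SHA-2 signature;
# every other type is signed by the ed25519 CA with its default algorithm.
set_ca_for() {
	case $1 in
	rsa-sha2-*)	tflag="-t $1"; ca="$OBJ/host_ca_key2" ;;
	*)		tflag=""; ca="$OBJ/host_ca_key" ;;
	esac
}

# Generate and sign host keys. Each plain host key is also added to the
# "plain" revocation list and each certificate to the "cert" list, in both
# KRL and plaintext form, so the revocation tests below have entries to hit.
serial=1
for ktype in $PLAIN_TYPES ; do
	verbose "$tid: sign host ${ktype} cert"
	# Generate and sign a host key
	${SSHKEYGEN} -q -N '' -t ${ktype} \
	    -f $OBJ/cert_host_key_${ktype} || \
		fatal "ssh-keygen of cert_host_key_${ktype} failed"
	${SSHKEYGEN} -ukf $OBJ/host_krl_plain \
	    $OBJ/cert_host_key_${ktype}.pub || fatal "KRL update failed"
	cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain
	set_ca_for ${ktype}
	# -h: host (not user) certificate; -n: valid only for $HOSTS;
	# -z: give each certificate its own serial number.
	${SSHKEYGEN} -h -q -s $ca -z $serial $tflag \
	    -I "regress host key for $USER" \
	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
		fatal "couldn't sign cert_host_key_${ktype}"
	${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
	    $OBJ/cert_host_key_${ktype}-cert.pub || \
		fatal "KRL update failed"
	cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert
	serial=$((serial + 1))
done

# attempt_connect NAME EXPECT [ssh options...]
# Connect through ssh_proxy using the prepared known_hosts template and
# check the outcome against EXPECT: "yes" means the connection must
# succeed, anything else means it must be refused. Extra arguments are
# passed to ssh; the revocation tests use this to inject -oRevokedHostKeys.
attempt_connect() {
	_ident="$1"
	_expect_success="$2"
	shift 2
	verbose "$tid: $_ident expect success $_expect_success"
	# Reset known_hosts from the template so every attempt is judged
	# against the prepared entries, not whatever a previous attempt left.
	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
	${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
	    "$@" -F $OBJ/ssh_proxy somehost true
	_r=$?
	if [ "x$_expect_success" = "xyes" ] ; then
		if [ $_r -ne 0 ]; then
			fail "ssh cert connect $_ident failed"
		fi
	else
		if [ $_r -eq 0 ]; then
			fail "ssh cert connect $_ident succeeded unexpectedly"
		fi
	fi
}

# Basic connect and revocation tests.
# For every key type a valid certificate must be accepted, and the same
# certificate must be refused as soon as the host key, the certificate
# itself or the signing CA appears in RevokedHostKeys, whether that list is
# a KRL or plaintext. Empty revocation lists must not break anything.
for ktype in $PLAIN_TYPES ; do
	verbose "$tid: host ${ktype} cert connect"
	set_host_cert ${ktype}

	#	test name				expect success
	attempt_connect "$ktype basic connect" "yes"
	attempt_connect "$ktype empty KRL" "yes" \
	    -oRevokedHostKeys=$OBJ/host_krl_empty
	attempt_connect "$ktype KRL w/ plain key revoked" "no" \
	    -oRevokedHostKeys=$OBJ/host_krl_plain
	attempt_connect "$ktype KRL w/ cert revoked" "no" \
	    -oRevokedHostKeys=$OBJ/host_krl_cert
	attempt_connect "$ktype KRL w/ CA revoked" "no" \
	    -oRevokedHostKeys=$OBJ/host_krl_ca
	attempt_connect "$ktype empty plaintext revocation" "yes" \
	    -oRevokedHostKeys=$OBJ/host_revoked_empty
	attempt_connect "$ktype plain key plaintext revocation" "no" \
	    -oRevokedHostKeys=$OBJ/host_revoked_plain
	attempt_connect "$ktype cert plaintext revocation" "no" \
	    -oRevokedHostKeys=$OBJ/host_revoked_cert
	attempt_connect "$ktype CA plaintext revocation" "no" \
	    -oRevokedHostKeys=$OBJ/host_revoked_ca
done

# Revoked certificates with key present: the CAs stay trusted, but the
# underlying host key of each certificate is marked @revoked in known_hosts.
# Revocation must win over an otherwise valid CA signature.
kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
for ktype in $PLAIN_TYPES ; do
	test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
	kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
done
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
for ktype in $PLAIN_TYPES ; do
	set_host_cert ${ktype}
	attempt_connect "$ktype revoked cert" "no"
done

# Revoked CA: both CAs are listed as @cert-authority and as @revoked.
# Every certificate they signed must now be refused.
kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
kh_revoke host_ca_key.pub host_ca_key2.pub >> $OBJ/known_hosts-cert.orig
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
for ktype in $PLAIN_TYPES ; do
	set_host_cert ${ktype}
	attempt_connect "$ktype revoked CA" "no"
done

# Restore the CA-only known_hosts template for the certificate-content tests.
kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert

# test_one NAME RESULT SIGN_OPTS
# Re-sign every host key with SIGN_OPTS, serve the result and check that
# the connection matches RESULT ("success" or "failure"). This probes the
# certificate fields ssh must validate before trusting a host certificate.
test_one() {
	ident=$1
	result=$2
	sign_opts=$3

	_expect="no"
	[ "x$result" = "xsuccess" ] && _expect="yes"
	for kt in $PLAIN_TYPES; do
		# Pick the CA by this iteration's key type, not by a
		# leftover global from an earlier loop.
		set_ca_for ${kt}
		${SSHKEYGEN} -q -s $ca $tflag -I "regress host key for $USER" \
		    $sign_opts $OBJ/cert_host_key_${kt} ||
			fatal "couldn't sign cert_host_key_${kt}"
		set_host_cert ${kt}
		attempt_connect "$kt $ident" "$_expect"
	done
}

#	 name			result	sign options
# A user certificate (no -h) must never be accepted as a host certificate.
test_one "user-certificate"	failure "-n $HOSTS"
# A host certificate with no principals is valid for any host. Accepted
# here by design; real deployments should always restrict with -n.
test_one "empty principals"	success "-h"
# Principals that do not cover the host being contacted are rejected.
test_one "wrong principals"	failure "-h -n foo"
# Validity window is enforced at both ends. NB: the absolute dates below
# have to be bumped again once 2030 arrives; a relative interval such as
# -V+1w:+2w would not age.
test_one "cert not yet valid"	failure "-h -V20300101:20320101"
test_one "cert expired"		failure "-h -V19800101:19900101"
test_one "cert valid interval"	success "-h -V-1w:+2w"
# Host certificates must not carry certificate options like force-command.
test_one "cert has constraints"	failure "-h -Oforce-command=false"

# Check downgrade of cert to raw key when no CA found.
# known_hosts holds only the plain host key and no @cert-authority line, so
# ssh cannot validate the certificate and must fall back to the
# certificate's underlying key. The connection succeeds only because that
# key is pinned in known_hosts.
for ktype in $PLAIN_TYPES ; do
	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
	verbose "$tid: host ${ktype} cert downgrade to raw key"
	# Generate and sign a host key
	${SSHKEYGEN} -q -N '' -t ${ktype} -f $OBJ/cert_host_key_${ktype} || \
		fail "ssh-keygen of cert_host_key_${ktype} failed"
	set_ca_for ${ktype}
	${SSHKEYGEN} -h -q -s $ca $tflag \
	    -I "regress host key for $USER" \
	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
		fatal "couldn't sign cert_host_key_${ktype}"
	(
		printf '%s ' "$HOSTS"
		cat $OBJ/cert_host_key_${ktype}.pub
	) > $OBJ/known_hosts-cert
	set_host_cert ${ktype}

	${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
	    -oGlobalKnownHostsFile=none -F $OBJ/ssh_proxy somehost true
	if [ $? -ne 0 ]; then
		fail "ssh cert connect ${ktype} downgrade failed"
	fi
	# Also check that it works when the known_hosts file is not in the
	# first array position.
	${SSH} -oUserKnownHostsFile="/dev/null $OBJ/known_hosts-cert" \
	    -oGlobalKnownHostsFile=none -F $OBJ/ssh_proxy somehost true
	if [ $? -ne 0 ]; then
		fail "ssh cert connect ${ktype} downgrade failed known_hosts 2nd"
	fi
done

# Wrong certificate: the host certificate is signed by the host key itself,
# i.e. by a CA that known_hosts does not trust. It must be rejected even
# though it is well-formed and names the right principals.
kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
for kt in $PLAIN_TYPES ; do
	verbose "$tid: host ${kt} connect wrong cert"
	rm -f $OBJ/cert_host_key*
	# Self-sign key
	${SSHKEYGEN} -q -N '' -t ${kt} -f $OBJ/cert_host_key_${kt} || \
		fail "ssh-keygen of cert_host_key_${kt} failed"
	# Only tflag is wanted here; the key signs itself, so $ca is unused.
	set_ca_for ${kt}
	${SSHKEYGEN} $tflag -h -q -s $OBJ/cert_host_key_${kt} \
	    -I "regress host key for $USER" \
	    -n $HOSTS $OBJ/cert_host_key_${kt} ||
		fatal "couldn't sign cert_host_key_${kt}"
	set_host_cert ${kt}
	attempt_connect "$kt wrong cert" "no" -q
done

rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*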