1*190cef3dSDag-Erling Smørgrav# $OpenBSD: keygen-knownhosts.sh,v 1.4 2018/06/01 03:52:37 djm Exp $ 2bc5531deSDag-Erling Smørgrav# Placed in the Public Domain. 3bc5531deSDag-Erling Smørgrav 4bc5531deSDag-Erling Smørgravtid="ssh-keygen known_hosts" 5bc5531deSDag-Erling Smørgrav 6bc5531deSDag-Erling Smørgravrm -f $OBJ/kh.* 7bc5531deSDag-Erling Smørgrav 8bc5531deSDag-Erling Smørgrav# Generate some keys for testing (just ed25519 for speed) and make a hosts file. 9bc5531deSDag-Erling Smørgravfor x in host-a host-b host-c host-d host-e host-f host-a2 host-b2; do 10bc5531deSDag-Erling Smørgrav ${SSHKEYGEN} -qt ed25519 -f $OBJ/kh.$x -C "$x" -N "" || \ 11bc5531deSDag-Erling Smørgrav fatal "ssh-keygen failed" 12bc5531deSDag-Erling Smørgrav # Add a comment that we expect should be preserved. 13bc5531deSDag-Erling Smørgrav echo "# $x" >> $OBJ/kh.hosts 14bc5531deSDag-Erling Smørgrav ( 15bc5531deSDag-Erling Smørgrav case "$x" in 16bc5531deSDag-Erling Smørgrav host-a|host-b) printf "$x " ;; 17bc5531deSDag-Erling Smørgrav host-c) printf "@cert-authority $x " ;; 18bc5531deSDag-Erling Smørgrav host-d) printf "@revoked $x " ;; 19bc5531deSDag-Erling Smørgrav host-e) printf "host-e* " ;; 20bc5531deSDag-Erling Smørgrav host-f) printf "host-f,host-g,host-h " ;; 21bc5531deSDag-Erling Smørgrav host-a2) printf "host-a " ;; 22bc5531deSDag-Erling Smørgrav host-b2) printf "host-b " ;; 23bc5531deSDag-Erling Smørgrav esac 24bc5531deSDag-Erling Smørgrav cat $OBJ/kh.${x}.pub 25bc5531deSDag-Erling Smørgrav # Blank line should be preserved. 26bc5531deSDag-Erling Smørgrav echo "" >> $OBJ/kh.hosts 27bc5531deSDag-Erling Smørgrav ) >> $OBJ/kh.hosts 28bc5531deSDag-Erling Smørgravdone 29bc5531deSDag-Erling Smørgrav 30bc5531deSDag-Erling Smørgrav# Generate a variant with an invalid line. We'll use this for most tests, 31bc5531deSDag-Erling Smørgrav# because keygen should be able to cope and it should be preserved in any 32bc5531deSDag-Erling Smørgrav# output file. 33bc5531deSDag-Erling Smørgravcat $OBJ/kh.hosts >> $OBJ/kh.invalid 34bc5531deSDag-Erling Smørgravecho "host-i " >> $OBJ/kh.invalid 35bc5531deSDag-Erling Smørgrav 36bc5531deSDag-Erling Smørgravcp $OBJ/kh.invalid $OBJ/kh.invalid.orig 37bc5531deSDag-Erling Smørgravcp $OBJ/kh.hosts $OBJ/kh.hosts.orig 38bc5531deSDag-Erling Smørgrav 39bc5531deSDag-Erling Smørgravexpect_key() { 40bc5531deSDag-Erling Smørgrav _host=$1 41bc5531deSDag-Erling Smørgrav _hosts=$2 42bc5531deSDag-Erling Smørgrav _key=$3 43bc5531deSDag-Erling Smørgrav _line=$4 44bc5531deSDag-Erling Smørgrav _mark=$5 45bc5531deSDag-Erling Smørgrav _marker="" 46bc5531deSDag-Erling Smørgrav test "x$_mark" = "xCA" && _marker="@cert-authority " 47bc5531deSDag-Erling Smørgrav test "x$_mark" = "xREVOKED" && _marker="@revoked " 48bc5531deSDag-Erling Smørgrav test "x$_line" != "x" && 49bc5531deSDag-Erling Smørgrav echo "# Host $_host found: line $_line $_mark" >> $OBJ/kh.expect 50bc5531deSDag-Erling Smørgrav printf "${_marker}$_hosts " >> $OBJ/kh.expect 51bc5531deSDag-Erling Smørgrav cat $OBJ/kh.${_key}.pub >> $OBJ/kh.expect || 52bc5531deSDag-Erling Smørgrav fatal "${_key}.pub missing" 53bc5531deSDag-Erling Smørgrav} 54bc5531deSDag-Erling Smørgrav 55bc5531deSDag-Erling Smørgravcheck_find() { 56bc5531deSDag-Erling Smørgrav _host=$1 57bc5531deSDag-Erling Smørgrav _name=$2 58*190cef3dSDag-Erling Smørgrav shift; shift 59*190cef3dSDag-Erling Smørgrav ${SSHKEYGEN} "$@" -f $OBJ/kh.invalid -F $_host > $OBJ/kh.result 60eccfee6eSDag-Erling Smørgrav if ! diff -w $OBJ/kh.expect $OBJ/kh.result ; then 61bc5531deSDag-Erling Smørgrav fail "didn't find $_name" 62bc5531deSDag-Erling Smørgrav fi 63bc5531deSDag-Erling Smørgrav} 64bc5531deSDag-Erling Smørgrav 65*190cef3dSDag-Erling Smørgravcheck_find_exit_code() { 66*190cef3dSDag-Erling Smørgrav _host=$1 67*190cef3dSDag-Erling Smørgrav _name=$2 68*190cef3dSDag-Erling Smørgrav _keygenopt=$3 69*190cef3dSDag-Erling Smørgrav _exp_exit_code=$4 70*190cef3dSDag-Erling Smørgrav ${SSHKEYGEN} $_keygenopt -f $OBJ/kh.invalid -F $_host > /dev/null 71*190cef3dSDag-Erling Smørgrav if [ "$?" != "$_exp_exit_code" ] ; then 72*190cef3dSDag-Erling Smørgrav fail "Unexpected exit code $_name" 73*190cef3dSDag-Erling Smørgrav fi 74*190cef3dSDag-Erling Smørgrav} 75*190cef3dSDag-Erling Smørgrav 76bc5531deSDag-Erling Smørgrav# Find key 77bc5531deSDag-Erling Smørgravrm -f $OBJ/kh.expect 78bc5531deSDag-Erling Smørgravexpect_key host-a host-a host-a 2 79bc5531deSDag-Erling Smørgravexpect_key host-a host-a host-a2 20 80bc5531deSDag-Erling Smørgravcheck_find host-a "simple find" 81bc5531deSDag-Erling Smørgrav 82bc5531deSDag-Erling Smørgrav# find CA key 83bc5531deSDag-Erling Smørgravrm -f $OBJ/kh.expect 84bc5531deSDag-Erling Smørgravexpect_key host-c host-c host-c 8 CA 85bc5531deSDag-Erling Smørgravcheck_find host-c "find CA key" 86bc5531deSDag-Erling Smørgrav 87bc5531deSDag-Erling Smørgrav# find revoked key 88bc5531deSDag-Erling Smørgravrm -f $OBJ/kh.expect 89bc5531deSDag-Erling Smørgravexpect_key host-d host-d host-d 11 REVOKED 90bc5531deSDag-Erling Smørgravcheck_find host-d "find revoked key" 91bc5531deSDag-Erling Smørgrav 92bc5531deSDag-Erling Smørgrav# find key with wildcard 93bc5531deSDag-Erling Smørgravrm -f $OBJ/kh.expect 94bc5531deSDag-Erling Smørgravexpect_key host-e.somedomain "host-e*" host-e 14 95bc5531deSDag-Erling Smørgravcheck_find host-e.somedomain "find wildcard key" 96bc5531deSDag-Erling Smørgrav 97bc5531deSDag-Erling Smørgrav# find key among multiple hosts 98bc5531deSDag-Erling Smørgravrm -f $OBJ/kh.expect 99bc5531deSDag-Erling Smørgravexpect_key host-h "host-f,host-g,host-h " host-f 17 100bc5531deSDag-Erling Smørgravcheck_find host-h "find multiple hosts" 101bc5531deSDag-Erling Smørgrav 102*190cef3dSDag-Erling Smørgrav# Check exit code, known host 103*190cef3dSDag-Erling Smørgravcheck_find_exit_code host-a "known host" "-q" "0" 104*190cef3dSDag-Erling Smørgrav 105*190cef3dSDag-Erling Smørgrav# Check exit code, unknown host 106*190cef3dSDag-Erling Smørgravcheck_find_exit_code host-aa "unknown host" "-q" "1" 107*190cef3dSDag-Erling Smørgrav 108*190cef3dSDag-Erling Smørgrav# Check exit code, the hash mode, known host 109*190cef3dSDag-Erling Smørgravcheck_find_exit_code host-a "known host" "-q -H" "0" 110*190cef3dSDag-Erling Smørgrav 111*190cef3dSDag-Erling Smørgrav# Check exit code, the hash mode, unknown host 112*190cef3dSDag-Erling Smørgravcheck_find_exit_code host-aa "unknown host" "-q -H" "1" 113*190cef3dSDag-Erling Smørgrav 114bc5531deSDag-Erling Smørgravcheck_hashed_find() { 115bc5531deSDag-Erling Smørgrav _host=$1 116bc5531deSDag-Erling Smørgrav _name=$2 117bc5531deSDag-Erling Smørgrav _file=$3 118bc5531deSDag-Erling Smørgrav test "x$_file" = "x" && _file=$OBJ/kh.invalid 119bc5531deSDag-Erling Smørgrav ${SSHKEYGEN} -f $_file -HF $_host | grep '|1|' | \ 120bc5531deSDag-Erling Smørgrav sed "s/^[^ ]*/$_host/" > $OBJ/kh.result 121eccfee6eSDag-Erling Smørgrav if ! diff -w $OBJ/kh.expect $OBJ/kh.result ; then 122bc5531deSDag-Erling Smørgrav fail "didn't find $_name" 123bc5531deSDag-Erling Smørgrav fi 124bc5531deSDag-Erling Smørgrav} 125bc5531deSDag-Erling Smørgrav 126bc5531deSDag-Erling Smørgrav# Find key and hash 127bc5531deSDag-Erling Smørgravrm -f $OBJ/kh.expect 128bc5531deSDag-Erling Smørgravexpect_key host-a host-a host-a 129bc5531deSDag-Erling Smørgravexpect_key host-a host-a host-a2 130bc5531deSDag-Erling Smørgravcheck_hashed_find host-a "find simple and hash" 131bc5531deSDag-Erling Smørgrav 132bc5531deSDag-Erling Smørgrav# Find CA key and hash 133bc5531deSDag-Erling Smørgravrm -f $OBJ/kh.expect 134bc5531deSDag-Erling Smørgravexpect_key host-c host-c host-c "" CA 135bc5531deSDag-Erling Smørgrav# CA key output is not hashed. 136*190cef3dSDag-Erling Smørgravcheck_find host-c "find simple and hash" -Hq 137bc5531deSDag-Erling Smørgrav 138bc5531deSDag-Erling Smørgrav# Find revoked key and hash 139bc5531deSDag-Erling Smørgravrm -f $OBJ/kh.expect 140bc5531deSDag-Erling Smørgravexpect_key host-d host-d host-d "" REVOKED 141bc5531deSDag-Erling Smørgrav# Revoked key output is not hashed. 142*190cef3dSDag-Erling Smørgravcheck_find host-d "find simple and hash" -Hq 143bc5531deSDag-Erling Smørgrav 144bc5531deSDag-Erling Smørgrav# find key with wildcard and hash 145bc5531deSDag-Erling Smørgravrm -f $OBJ/kh.expect 146bc5531deSDag-Erling Smørgravexpect_key host-e "host-e*" host-e "" 147bc5531deSDag-Erling Smørgrav# Key with wildcard hostname should not be hashed. 148*190cef3dSDag-Erling Smørgravcheck_find host-e "find wildcard key" -Hq 149bc5531deSDag-Erling Smørgrav 150bc5531deSDag-Erling Smørgrav# find key among multiple hosts 151bc5531deSDag-Erling Smørgravrm -f $OBJ/kh.expect 152bc5531deSDag-Erling Smørgrav# Comma-separated hostnames should be expanded and hashed. 153bc5531deSDag-Erling Smørgravexpect_key host-f "host-h " host-f 154bc5531deSDag-Erling Smørgravexpect_key host-g "host-h " host-f 155bc5531deSDag-Erling Smørgravexpect_key host-h "host-h " host-f 156bc5531deSDag-Erling Smørgravcheck_hashed_find host-h "find multiple hosts" 157bc5531deSDag-Erling Smørgrav 158bc5531deSDag-Erling Smørgrav# Attempt remove key on invalid file. 159bc5531deSDag-Erling Smørgravcp $OBJ/kh.invalid.orig $OBJ/kh.invalid 160bc5531deSDag-Erling Smørgrav${SSHKEYGEN} -qf $OBJ/kh.invalid -R host-a 2>/dev/null 161eccfee6eSDag-Erling Smørgravdiff $OBJ/kh.invalid $OBJ/kh.invalid.orig || fail "remove on invalid succeeded" 162bc5531deSDag-Erling Smørgrav 163bc5531deSDag-Erling Smørgrav# Remove key 164bc5531deSDag-Erling Smørgravcp $OBJ/kh.hosts.orig $OBJ/kh.hosts 165bc5531deSDag-Erling Smørgrav${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-a 2>/dev/null 166bc5531deSDag-Erling Smørgravgrep -v "^host-a " $OBJ/kh.hosts.orig > $OBJ/kh.expect 167eccfee6eSDag-Erling Smørgravdiff $OBJ/kh.hosts $OBJ/kh.expect || fail "remove simple" 168bc5531deSDag-Erling Smørgrav 169bc5531deSDag-Erling Smørgrav# Remove CA key 170bc5531deSDag-Erling Smørgravcp $OBJ/kh.hosts.orig $OBJ/kh.hosts 171bc5531deSDag-Erling Smørgrav${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-c 2>/dev/null 172bc5531deSDag-Erling Smørgrav# CA key should not be removed. 173eccfee6eSDag-Erling Smørgravdiff $OBJ/kh.hosts $OBJ/kh.hosts.orig || fail "remove CA" 174bc5531deSDag-Erling Smørgrav 175bc5531deSDag-Erling Smørgrav# Remove revoked key 176bc5531deSDag-Erling Smørgravcp $OBJ/kh.hosts.orig $OBJ/kh.hosts 177bc5531deSDag-Erling Smørgrav${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-d 2>/dev/null 178bc5531deSDag-Erling Smørgrav# revoked key should not be removed. 179eccfee6eSDag-Erling Smørgravdiff $OBJ/kh.hosts $OBJ/kh.hosts.orig || fail "remove revoked" 180bc5531deSDag-Erling Smørgrav 181bc5531deSDag-Erling Smørgrav# Remove wildcard 182bc5531deSDag-Erling Smørgravcp $OBJ/kh.hosts.orig $OBJ/kh.hosts 183bc5531deSDag-Erling Smørgrav${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-e.blahblah 2>/dev/null 184bc5531deSDag-Erling Smørgravgrep -v "^host-e[*] " $OBJ/kh.hosts.orig > $OBJ/kh.expect 185eccfee6eSDag-Erling Smørgravdiff $OBJ/kh.hosts $OBJ/kh.expect || fail "remove wildcard" 186bc5531deSDag-Erling Smørgrav 187bc5531deSDag-Erling Smørgrav# Remove multiple 188bc5531deSDag-Erling Smørgravcp $OBJ/kh.hosts.orig $OBJ/kh.hosts 189bc5531deSDag-Erling Smørgrav${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-h 2>/dev/null 190bc5531deSDag-Erling Smørgravgrep -v "^host-f," $OBJ/kh.hosts.orig > $OBJ/kh.expect 191eccfee6eSDag-Erling Smørgravdiff $OBJ/kh.hosts $OBJ/kh.expect || fail "remove wildcard" 192bc5531deSDag-Erling Smørgrav 193bc5531deSDag-Erling Smørgrav# Attempt hash on invalid file 194bc5531deSDag-Erling Smørgravcp $OBJ/kh.invalid.orig $OBJ/kh.invalid 195bc5531deSDag-Erling Smørgrav${SSHKEYGEN} -qf $OBJ/kh.invalid -H 2>/dev/null && fail "hash invalid succeeded" 196eccfee6eSDag-Erling Smørgravdiff $OBJ/kh.invalid $OBJ/kh.invalid.orig || fail "invalid file modified" 197bc5531deSDag-Erling Smørgrav 198bc5531deSDag-Erling Smørgrav# Hash valid file 199bc5531deSDag-Erling Smørgravcp $OBJ/kh.hosts.orig $OBJ/kh.hosts 200bc5531deSDag-Erling Smørgrav${SSHKEYGEN} -qf $OBJ/kh.hosts -H 2>/dev/null || fail "hash failed" 201eccfee6eSDag-Erling Smørgravdiff $OBJ/kh.hosts.old $OBJ/kh.hosts.orig || fail "backup differs" 202bc5531deSDag-Erling Smørgravgrep "^host-[abfgh]" $OBJ/kh.hosts && fail "original hostnames persist" 203bc5531deSDag-Erling Smørgrav 204bc5531deSDag-Erling Smørgravcp $OBJ/kh.hosts $OBJ/kh.hashed.orig 205bc5531deSDag-Erling Smørgrav 206bc5531deSDag-Erling Smørgrav# Test lookup 207bc5531deSDag-Erling Smørgravrm -f $OBJ/kh.expect 208bc5531deSDag-Erling Smørgravexpect_key host-a host-a host-a 209bc5531deSDag-Erling Smørgravexpect_key host-a host-a host-a2 210bc5531deSDag-Erling Smørgravcheck_hashed_find host-a "find simple in hashed" $OBJ/kh.hosts 211bc5531deSDag-Erling Smørgrav 212bc5531deSDag-Erling Smørgrav# Test multiple expanded 213bc5531deSDag-Erling Smørgravrm -f $OBJ/kh.expect 214bc5531deSDag-Erling Smørgravexpect_key host-h host-h host-f 215bc5531deSDag-Erling Smørgravcheck_hashed_find host-h "find simple in hashed" $OBJ/kh.hosts 216bc5531deSDag-Erling Smørgrav 217bc5531deSDag-Erling Smørgrav# Test remove 218bc5531deSDag-Erling Smørgravcp $OBJ/kh.hashed.orig $OBJ/kh.hashed 219bc5531deSDag-Erling Smørgrav${SSHKEYGEN} -qf $OBJ/kh.hashed -R host-a 2>/dev/null 220bc5531deSDag-Erling Smørgrav${SSHKEYGEN} -qf $OBJ/kh.hashed -F host-a && fail "found key after hashed remove" 221