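#	$OpenBSD: sshfp-connect.sh,v 1.5 2025/03/11 11:46:44 dtucker Exp $
#	Placed in the Public Domain.

# Regression test: host key verification via SSHFP DNS records
# (VerifyHostKeyDNS=yes) with no usable known_hosts entry.
#
# This test requires external setup and thus is skipped unless
# TEST_SSH_SSHFP_DOMAIN is set.  It requires:
# 1) A DNSSEC-enabled domain, which TEST_SSH_SSHFP_DOMAIN points to.
# 2) A DNSSEC-validating resolver such as unwind(8).
# 3) The following SSHFP records with fingerprints from rsa_openssh.pub
#    in that domain that are expected to succeed:
#      sshtest: valid sha1 and sha256 fingerprints.
#      sshtest-sha{1,256}: valid fingerprints for that type only.
#    and the following records that are expected to fail:
#      sshtest-bad: invalid sha1 fingerprint and good sha256 fingerprint
#      sshtest-sha{1,256}-bad: invalid fingerprints for that type only.
#
# SSHFP rdata is "<key algorithm> <fingerprint type> <hex digest>"; in the
# records below "1 1" is RSA with a SHA-1 digest and "1 2" is RSA with a
# SHA-256 digest.
#
# sshtest IN SSHFP 1 1 99C79CC09F5F81069CC017CDF9552CFC94B3B929
# sshtest IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B6
# sshtest-sha1 IN SSHFP 1 1 99C79CC09F5F81069CC017CDF9552CFC94B3B929
# sshtest-sha256 IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B6
# sshtest-bad IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B6
# sshtest-bad IN SSHFP 1 1 99C79CC09F5F81069CC017CDF9552CFC94B3B928
# sshtest-sha1-bad IN SSHFP 1 1 99D79CC09F5F81069CC017CDF9552CFC94B3B929
# sshtest-sha256-bad IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B5
#
# NOTE: the matching private key (rsa_openssh.prv) is a test fixture copied
# from $SRC below, so anyone with the source tree can present this host key.
# Publish these records only under dedicated test names and never reuse the
# key for a real host.

tid="sshfp connect"

if ! $SSH -Q key-plain | grep ssh-rsa >/dev/null; then
	skip "RSA keys not supported."
elif [ -z "${TEST_SSH_SSHFP_DOMAIN}" ]; then
	skip "TEST_SSH_SSHFP_DOMAIN not set."
else
	# Prime any DNS caches and resolvers.  Best effort: output and exit
	# status of the lookups are discarded.
	for i in sshtest sshtest-sha1 sshtest-sha256; do
		host -t sshfp "${i}.${TEST_SSH_SSHFP_DOMAIN}" >/dev/null 2>&1
		host -t sshfp "${i}-bad.${TEST_SSH_SSHFP_DOMAIN}" >/dev/null 2>&1
	done

	# Set RSA host key to match fingerprints above.
	# $SUDO is left unquoted on purpose -- presumably it is empty when the
	# tests run without privilege escalation and must then vanish.
	mv "$OBJ/sshd_proxy" "$OBJ/sshd_proxy.orig"
	$SUDO cp "$SRC/rsa_openssh.prv" "$OBJ/host.ssh-rsa"
	$SUDO chmod 600 "$OBJ/host.ssh-rsa"
	sed -e "s|$OBJ/ssh-rsa|$OBJ/host.ssh-rsa|" \
	    "$OBJ/sshd_proxy.orig" > "$OBJ/sshd_proxy"

	# Zero out known hosts and key aliases to force use of SSHFP records.
	# With known_hosts empty and the alias/Hostname overrides removed, the
	# only source of host key trust left for the test names is DNS.
	> "$OBJ/known_hosts"
	mv "$OBJ/ssh_proxy" "$OBJ/ssh_proxy.orig"
	sed -e "/HostKeyAlias.*localhost-with-alias/d" \
	    -e "/Hostname.*127.0.0.1/d" \
	    "$OBJ/ssh_proxy.orig" > "$OBJ/ssh_proxy"

	for n in sshtest sshtest-sha1 sshtest-sha256; do
		trace "sshfp connect $n good fingerprint"
		# $opts is a flat option string and is expanded unquoted below so
		# that it splits into separate arguments.  The host key algorithms
		# are restricted to RSA signatures, matching the RSA (algorithm 1)
		# SSHFP records listed in the header.
		opts="-F $OBJ/ssh_proxy -o VerifyHostKeyDNS=yes "
		opts="$opts -o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256"
		host="${n}.${TEST_SSH_SSHFP_DOMAIN}"
		# Single quotes: $SSH_CONNECTION is expanded on the server side.
		SSH_CONNECTION=`${SSH} $opts "$host" 'echo $SSH_CONNECTION'`
		if [ $? -ne 0 ]; then
			fail "ssh sshfp connect failed"
		fi
		# NOTE(review): the expected value presumably reflects that the
		# proxy configuration does not run sshd over a TCP socket --
		# confirm against the harness that writes ssh_proxy.
		if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
			fail "bad SSH_CONNECTION: $SSH_CONNECTION"
		fi

		trace "sshfp connect $n bad fingerprint"
		host="${n}-bad.${TEST_SSH_SSHFP_DOMAIN}"
		# Negative test: only a successful login is treated as a failure.
		# Any non-zero exit from ssh counts as the expected rejection, so
		# this does not by itself distinguish a fingerprint mismatch from
		# e.g. a missing "-bad" record or a resolver error.  Check the ssh
		# log when confirming that the mismatch was the actual cause.
		if ${SSH} $opts "$host" true; then
			fail "sshfp-connect succeeded with bad SSHFP record"
		fi
	done
fi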