1# $OpenBSD: sshfp-connect.sh,v 1.2 2021/07/19 08:48:33 dtucker Exp $ 2# Placed in the Public Domain. 3 4# This test requires external setup and thus is skipped unless 5# TEST_SSH_SSHFP_DOMAIN is set. It requires: 6# 1) A DNSSEC-enabled domain, which TEST_SSH_SSHFP_DOMAIN points to. 7# 2) A DNSSEC-validating resolver such as unwind(8). 8# 3) The following SSHFP records with fingerprints from rsa_openssh.pub 9# in that domain that are expected to succeed: 10# sshtest: valid sha1 and sha256 fingerprints. 11# sshtest-sha{1,256}, : valid fingerprints for that type only. 12# and the following records that are expected to fail: 13# sshtest-bad: invalid sha1 fingerprint and good sha256 fingerprint 14# sshtest-sha{1,256}-bad: invalid fingerprints for that type only. 15# 16# sshtest IN SSHFP 1 1 99C79CC09F5F81069CC017CDF9552CFC94B3B929 17# sshtest IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B6 18# sshtest-sha1 IN SSHFP 1 1 99C79CC09F5F81069CC017CDF9552CFC94B3B929 19# sshtest-sha256 IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B6 20# sshtest-bad IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B6 21# sshtest-bad IN SSHFP 1 1 99C79CC09F5F81069CC017CDF9552CFC94B3B928 22# sshtest-sha1-bad IN SSHFP 1 1 99D79CC09F5F81069CC017CDF9552CFC94B3B929 23# sshtest-sha256-bad IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B5 24 25tid="sshfp connect" 26 27if [ ! -z "${TEST_SSH_SSHFP_DOMAIN}" ] && \ 28 $SSH -Q key-plain | grep ssh-rsa >/dev/null; then 29 30 # Set RSA host key to match fingerprints above. 31 mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig 32 $SUDO cp $SRC/rsa_openssh.prv $OBJ/host.ssh-rsa 33 $SUDO chmod 600 $OBJ/host.ssh-rsa 34 sed -e "s|$OBJ/ssh-rsa|$OBJ/host.ssh-rsa|" \ 35 $OBJ/sshd_proxy.orig > $OBJ/sshd_proxy 36 37 # Zero out known hosts and key aliases to force use of SSHFP records. 38 > $OBJ/known_hosts 39 mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig 40 sed -e "/HostKeyAlias.*localhost-with-alias/d" \ 41 -e "/Hostname.*127.0.0.1/d" \ 42 $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy 43 44 for n in sshtest sshtest-sha1 sshtest-sha256; do 45 trace "sshfp connect $n good fingerprint" 46 host="${n}.dtucker.net" 47 opts="-F $OBJ/ssh_proxy -o VerifyHostKeyDNS=yes " 48 opts="$opts -o HostKeyAlgorithms=ssh-rsa" 49 host="${n}.${TEST_SSH_SSHFP_DOMAIN}" 50 SSH_CONNECTION=`${SSH} $opts $host 'echo $SSH_CONNECTION'` 51 if [ $? -ne 0 ]; then 52 fail "ssh sshfp connect failed" 53 fi 54 if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then 55 fail "bad SSH_CONNECTION: $SSH_CONNECTION" 56 fi 57 58 trace "sshfp connect $n bad fingerprint" 59 host="${n}-bad.${TEST_SSH_SSHFP_DOMAIN}" 60 if ${SSH} $opts ${host} true; then 61 fail "sshfp-connect succeeded with bad SSHFP record" 62 fi 63 done 64else 65 echo SKIPPED: TEST_SSH_SSHFP_DOMAIN not set. 66fi 67