diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2021-06-07 01:16:34 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2021-06-08 17:17:24 +1000 |
| commit | ce04dd4eae23d1c9cf7c424a702f48ee78573bc1 (patch) | |
| tree | e129c6ad139e0b557492a6cab9ff11eb935ccf40 | |
| parent | 9018bd821fca17e26e92f7a7e51d9b24cd62f2db (diff) | |
| download | openssh-git-ce04dd4eae23d1c9cf7c424a702f48ee78573bc1.tar.gz | |
upstream: test AuthenticationMethods inside a Match block as well
as in the main config section
OpenBSD-Regress-ID: ebe0a686621b7cb8bb003ac520975279c28747f7
| -rw-r--r-- | regress/multipubkey.sh | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/regress/multipubkey.sh b/regress/multipubkey.sh index 9b227335..8cdda1a9 100644 --- a/regress/multipubkey.sh +++ b/regress/multipubkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: multipubkey.sh,v 1.3 2019/12/11 18:47:14 djm Exp $ +# $OpenBSD: multipubkey.sh,v 1.4 2021/06/07 01:16:34 djm Exp $ # Placed in the Public Domain. tid="multiple pubkey" @@ -31,27 +31,35 @@ grep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes" opts="$opts -i $OBJ/cert_user_key1 -i $OBJ/user_key1 -i $OBJ/user_key2" -for privsep in yes ; do +for match in no yes ; do ( - grep -v "Protocol" $OBJ/sshd_proxy.orig + cat $OBJ/sshd_proxy.orig echo "Protocol 2" - echo "UsePrivilegeSeparation $privsep" - echo "AuthenticationMethods publickey,publickey" echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" echo "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u" ) > $OBJ/sshd_proxy + if test "$match" = "yes" ; then + echo "AuthenticationMethods none" >> $OBJ/sshd_proxy + echo "PubkeyAuthentication no" >> $OBJ/sshd_proxy + echo "Match all" >> $OBJ/sshd_proxy + echo "PubkeyAuthentication yes" >> $OBJ/sshd_proxy + fi + echo "AuthenticationMethods publickey,publickey" >> $OBJ/sshd_proxy # Single key should fail. + trace "match $match single key" rm -f $OBJ/authorized_principals_$USER cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER ${SSH} $opts proxy true && fail "ssh succeeded with key" # Single key with same-public cert should fail. + trace "match $match pubkey + identical cert" echo mekmitasdigoat > $OBJ/authorized_principals_$USER cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER ${SSH} $opts proxy true && fail "ssh succeeded with key+cert" # Multiple plain keys should succeed. + trace "match $match multiple public" rm -f $OBJ/authorized_principals_$USER cat $OBJ/user_key1.pub $OBJ/user_key2.pub > \ $OBJ/authorized_keys_$USER @@ -59,6 +67,7 @@ for privsep in yes ; do # Cert and different key should succeed # Key and different-public cert should succeed. + trace "match $match pubkey + different cert" echo mekmitasdigoat > $OBJ/authorized_principals_$USER cat $OBJ/user_key2.pub > $OBJ/authorized_keys_$USER ${SSH} $opts proxy true || fail "ssh failed with key/cert" |