diff options
author | djm@openbsd.org <djm@openbsd.org> | 2021-02-25 03:27:34 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2021-02-25 15:15:46 +1100 |
commit | 9beeab8a37a49a9e3ffb1972fff6621ee5bd7a71 (patch) | |
tree | 9d52723c066229e1b58271cf5b9389d75fa83679 /regress/limit-keytype.sh | |
parent | 2dd9870c16ddbd83740adeead5030d6840288c8f (diff) | |
download | openssh-git-9beeab8a37a49a9e3ffb1972fff6621ee5bd7a71.tar.gz |
upstream: s/PubkeyAcceptedKeyTypes/PubkeyAcceptedAlgorithms/
OpenBSD-Regress-ID: 3dbc005fa29f69dc23d97e433b6dffed6fe7cb69
Diffstat (limited to 'regress/limit-keytype.sh')
-rw-r--r-- | regress/limit-keytype.sh | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh index 010a88cd..7127de00 100644 --- a/regress/limit-keytype.sh +++ b/regress/limit-keytype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: limit-keytype.sh,v 1.9 2019/12/16 02:39:05 djm Exp $ +# $OpenBSD: limit-keytype.sh,v 1.10 2021/02/25 03:27:34 djm Exp $ # Placed in the Public Domain. tid="restrict pubkey type" @@ -69,7 +69,7 @@ prepare_config() { ) > $OBJ/sshd_proxy } -# Return the required parameter for PubkeyAcceptedKeyTypes corresponding to +# Return the required parameter for PubkeyAcceptedAlgorithms corresponding to # the supplied key type. keytype() { case "$1" in @@ -92,14 +92,14 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" # Allow plain Ed25519 and RSA. The certificate should fail. verbose "allow $ktype2,$ktype1" prepare_config \ - "PubkeyAcceptedKeyTypes `keytype $ktype2`,`keytype $ktype1`" + "PubkeyAcceptedAlgorithms `keytype $ktype2`,`keytype $ktype1`" ${SSH} $certopts proxy true && fatal "cert succeeded" ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" # Allow Ed25519 only. verbose "allow $ktype1" -prepare_config "PubkeyAcceptedKeyTypes `keytype $ktype1`" +prepare_config "PubkeyAcceptedAlgorithms `keytype $ktype1`" ${SSH} $certopts proxy true && fatal "cert succeeded" ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" if [ "$ktype1" != "$ktype2" ]; then @@ -108,15 +108,15 @@ fi # Allow all certs. Plain keys should fail. verbose "allow cert only" -prepare_config "PubkeyAcceptedKeyTypes *-cert-v01@openssh.com" +prepare_config "PubkeyAcceptedAlgorithms *-cert-v01@openssh.com" ${SSH} $certopts proxy true || fatal "cert failed" ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded" ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded" # Allow RSA in main config, Ed25519 for non-existent user. verbose "match w/ no match" -prepare_config "PubkeyAcceptedKeyTypes `keytype $ktype2`" \ - "Match user x$USER" "PubkeyAcceptedKeyTypes +`keytype $ktype1`" +prepare_config "PubkeyAcceptedAlgorithms `keytype $ktype2`" \ + "Match user x$USER" "PubkeyAcceptedAlgorithms +`keytype $ktype1`" ${SSH} $certopts proxy true && fatal "cert succeeded" if [ "$ktype1" != "$ktype2" ]; then ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded" @@ -125,8 +125,8 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" # Allow only DSA in main config, Ed25519 for user. verbose "match w/ matching" -prepare_config "PubkeyAcceptedKeyTypes `keytype $ktype4`" \ - "Match user $USER" "PubkeyAcceptedKeyTypes +`keytype $ktype1`" +prepare_config "PubkeyAcceptedAlgorithms `keytype $ktype4`" \ + "Match user $USER" "PubkeyAcceptedAlgorithms +`keytype $ktype1`" ${SSH} $certopts proxy true || fatal "cert failed" ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" ${SSH} $opts -i $OBJ/user_key4 proxy true && fatal "key4 succeeded" |