summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2010-03-04 21:57:21 +1100
committerDamien Miller <djm@mindrot.org>2010-03-04 21:57:21 +1100
commit017d1e777ef197eab866b9d0046e000a46baf10b (patch)
tree9fd0ffce102946db33980cc92cc2c17b568d6bfb
parent1aed65eb27feec505997c98621bdf158f9ab8b99 (diff)
- djm@cvs.openbsd.org 2010/03/03 00:47:23
[regress/cert-hostkey.sh regress/cert-userkey.sh] add an extra test to ensure that authentication with the wrong certificate fails as it should (and it does)
-rw-r--r--ChangeLog4
-rw-r--r--regress/cert-hostkey.sh29
-rw-r--r--regress/cert-userkey.sh18
3 files changed, 48 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 07d4aeb0..116ce569 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -35,6 +35,10 @@
authentication.
feedback and ok markus@
+ - djm@cvs.openbsd.org 2010/03/03 00:47:23
+ [regress/cert-hostkey.sh regress/cert-userkey.sh]
+ add an extra test to ensure that authentication with the wrong
+ certificate fails as it should (and it does)
20100303
- (djm) [PROTOCOL.certkeys] Add RCS Ident
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 9539a927..9097a135 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-hostkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
# Placed in the Public Domain.
tid="certified host keys"
@@ -119,4 +119,31 @@ for ktype in rsa dsa ; do
fi
done
+# Wrong certificate
+(
+ echon '@cert-authority '
+ echon "$HOSTS "
+ cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+for ktype in rsa dsa ; do
+ # Self-sign key
+ ${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \
+ -I "regress host key for $USER" \
+ -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+ fail "couldn't sign cert_host_key_${ktype}"
+ verbose "$tid: host ${ktype} connect wrong cert"
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo HostKey $OBJ/cert_host_key_${ktype}
+ echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+ ) > $OBJ/sshd_proxy
+
+ ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+ -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect $ident succeeded unexpectedly"
+ fi
+done
+
rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 9588e0b6..87491520 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-userkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
+# $OpenBSD: cert-userkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
# Placed in the Public Domain.
tid="certified user keys"
@@ -24,7 +24,6 @@ for ktype in rsa dsa ; do
"regress user key for $USER" \
-n $USER $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}"
-
done
# Basic connect tests
@@ -86,4 +85,19 @@ test_one "cert valid interval" success "-V-1w:+2w"
test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8"
test_one "force-command" failure "-Oforce-command=false"
+# Wrong certificate
+for ktype in rsa dsa ; do
+ # Self-sign
+ ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
+ "regress user key for $USER" \
+ -n $USER $OBJ/cert_user_key_${ktype} ||
+ fail "couldn't sign cert_user_key_${ktype}"
+ verbose "$tid: user ${ktype} connect wrong cert"
+ ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+ somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect $ident succeeded unexpectedly"
+ fi
+done
+
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*