mirror of
https://github.com/freebsd/freebsd-src
synced 2024-09-16 06:52:27 +00:00
1323ec5712
Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
67 lines
2.1 KiB
Bash
67 lines
2.1 KiB
Bash
# $OpenBSD: hostbased.sh,v 1.3 2022/01/08 07:55:26 dtucker Exp $
|
|
# Placed in the Public Domain.
|
|
|
|
# This test requires external setup and thus is skipped unless
|
|
# TEST_SSH_HOSTBASED_AUTH and SUDO are set to "yes".
|
|
# Since ssh-keysign has key paths hard coded, unlike the other tests it
|
|
# needs to use the real host keys. It requires:
|
|
# - ssh-keysign must be installed and setuid.
|
|
# - "EnableSSHKeysign yes" must be in the system ssh_config.
|
|
# - the system's own real FQDN the system-wide shosts.equiv.
|
|
# - the system's real public key fingerprints must me in global ssh_known_hosts.
|
|
#
|
|
tid="hostbased"
|
|
|
|
if [ -z "${TEST_SSH_HOSTBASED_AUTH}" ]; then
|
|
skip "TEST_SSH_HOSTBASED_AUTH not set."
|
|
elif [ -z "${SUDO}" ]; then
|
|
skip "SUDO not set"
|
|
fi
|
|
|
|
# Enable all supported hostkey algos (but no others)
|
|
hostkeyalgos=`${SSH} -Q HostKeyAlgorithms | tr '\n' , | sed 's/,$//'`
|
|
|
|
cat >>$OBJ/sshd_proxy <<EOD
|
|
HostbasedAuthentication yes
|
|
HostbasedAcceptedAlgorithms $hostkeyalgos
|
|
HostbasedUsesNameFromPacketOnly yes
|
|
HostKeyAlgorithms $hostkeyalgos
|
|
EOD
|
|
|
|
cat >>$OBJ/ssh_proxy <<EOD
|
|
HostbasedAuthentication yes
|
|
HostKeyAlgorithms $hostkeyalgos
|
|
HostbasedAcceptedAlgorithms $hostkeyalgos
|
|
PreferredAuthentications hostbased
|
|
EOD
|
|
|
|
algos=""
|
|
for key in `${SUDO} ${SSHD} -T | awk '$1=="hostkey"{print $2}'`; do
|
|
case "`$SSHKEYGEN -l -f ${key}.pub`" in
|
|
256*ECDSA*) algos="$algos ecdsa-sha2-nistp256" ;;
|
|
384*ECDSA*) algos="$algos ecdsa-sha2-nistp384" ;;
|
|
521*ECDSA*) algos="$algos ecdsa-sha2-nistp521" ;;
|
|
*RSA*) algos="$algos ssh-rsa rsa-sha2-256 rsa-sha2-512" ;;
|
|
*ED25519*) algos="$algos ssh-ed25519" ;;
|
|
*DSA*) algos="$algos ssh-dss" ;;
|
|
*) verbose "unknown host key type $key" ;;
|
|
esac
|
|
done
|
|
|
|
for algo in $algos; do
|
|
trace "hostbased algo $algo"
|
|
opts="-F $OBJ/ssh_proxy"
|
|
if [ "x$algo" != "xdefault" ]; then
|
|
opts="$opts -oHostbasedAcceptedAlgorithms=$algo"
|
|
fi
|
|
SSH_CONNECTION=`${SSH} $opts localhost 'echo $SSH_CONNECTION'`
|
|
if [ $? -ne 0 ]; then
|
|
fail "connect failed, hostbased algo $algo"
|
|
elif [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
|
|
fail "hostbased algo $algo bad SSH_CONNECTION" \
|
|
"$SSH_CONNECTION"
|
|
else
|
|
verbose "ok hostbased algo $algo"
|
|
fi
|
|
done
|