mirror of
https://github.com/freebsd/freebsd-src
synced 2024-07-21 18:27:22 +00:00
19261079b7
Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
84 lines
2.4 KiB
Bash
84 lines
2.4 KiB
Bash
# $OpenBSD: keytype.sh,v 1.11 2021/02/25 03:27:34 djm Exp $
|
|
# Placed in the Public Domain.
|
|
|
|
tid="login with different key types"
|
|
|
|
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
|
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
|
|
|
|
# Construct list of key types based on what the built binaries support.
|
|
ktypes=""
|
|
for i in ${SSH_KEYTYPES}; do
|
|
case "$i" in
|
|
ssh-dss) ktypes="$ktypes dsa-1024" ;;
|
|
ssh-rsa) ktypes="$ktypes rsa-2048 rsa-3072" ;;
|
|
ssh-ed25519) ktypes="$ktypes ed25519-512" ;;
|
|
ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;;
|
|
ecdsa-sha2-nistp384) ktypes="$ktypes ecdsa-384" ;;
|
|
ecdsa-sha2-nistp521) ktypes="$ktypes ecdsa-521" ;;
|
|
sk-ssh-ed25519*) ktypes="$ktypes ed25519-sk" ;;
|
|
sk-ecdsa-sha2-nistp256*) ktypes="$ktypes ecdsa-sk" ;;
|
|
esac
|
|
done
|
|
|
|
for kt in $ktypes; do
|
|
rm -f $OBJ/key.$kt
|
|
xbits=`echo ${kt} | awk -F- '{print $2}'`
|
|
xtype=`echo ${kt} | awk -F- '{print $1}'`
|
|
case "$kt" in
|
|
*sk) type="$kt"; bits="n/a"; bits_arg="";;
|
|
*) type=$xtype; bits=$xbits; bits_arg="-b $bits";;
|
|
esac
|
|
verbose "keygen $type, $bits bits"
|
|
${SSHKEYGEN} $bits_arg -q -N '' -t $type -f $OBJ/key.$kt || \
|
|
fail "ssh-keygen for type $type, $bits bits failed"
|
|
done
|
|
|
|
kname_to_ktype() {
|
|
case $1 in
|
|
dsa-1024) echo ssh-dss;;
|
|
ecdsa-256) echo ecdsa-sha2-nistp256;;
|
|
ecdsa-384) echo ecdsa-sha2-nistp384;;
|
|
ecdsa-521) echo ecdsa-sha2-nistp521;;
|
|
ed25519-512) echo ssh-ed25519;;
|
|
rsa-*) echo rsa-sha2-512,rsa-sha2-256,ssh-rsa;;
|
|
ed25519-sk) echo sk-ssh-ed25519@openssh.com;;
|
|
ecdsa-sk) echo sk-ecdsa-sha2-nistp256@openssh.com;;
|
|
esac
|
|
}
|
|
|
|
tries="1 2 3"
|
|
for ut in $ktypes; do
|
|
user_type=`kname_to_ktype "$ut"`
|
|
htypes="$ut"
|
|
#htypes=$ktypes
|
|
for ht in $htypes; do
|
|
host_type=`kname_to_ktype "$ht"`
|
|
trace "ssh connect, userkey $ut, hostkey $ht"
|
|
(
|
|
grep -v HostKey $OBJ/sshd_proxy_bak
|
|
echo HostKey $OBJ/key.$ht
|
|
echo PubkeyAcceptedAlgorithms $user_type
|
|
echo HostKeyAlgorithms $host_type
|
|
) > $OBJ/sshd_proxy
|
|
(
|
|
grep -v IdentityFile $OBJ/ssh_proxy_bak
|
|
echo IdentityFile $OBJ/key.$ut
|
|
echo PubkeyAcceptedAlgorithms $user_type
|
|
echo HostKeyAlgorithms $host_type
|
|
) > $OBJ/ssh_proxy
|
|
(
|
|
printf 'localhost-with-alias,127.0.0.1,::1 '
|
|
cat $OBJ/key.$ht.pub
|
|
) > $OBJ/known_hosts
|
|
cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER
|
|
for i in $tries; do
|
|
verbose "userkey $ut, hostkey ${ht}"
|
|
${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
|
|
if [ $? -ne 0 ]; then
|
|
fail "ssh userkey $ut, hostkey $ht failed"
|
|
fi
|
|
done
|
|
done
|
|
done
|