mirror of
https://github.com/freebsd/freebsd-src
synced 2024-07-21 02:06:37 +00:00
19261079b7
Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
125 lines
3.4 KiB
Bash
125 lines
3.4 KiB
Bash
# $OpenBSD: key-options.sh,v 1.9 2018/07/03 13:53:26 djm Exp $
|
|
# Placed in the Public Domain.
|
|
|
|
tid="key options"
|
|
|
|
origkeys="$OBJ/authkeys_orig"
|
|
authkeys="$OBJ/authorized_keys_${USER}"
|
|
cp $authkeys $origkeys
|
|
|
|
# Allocating ptys can require privileges on some platforms.
|
|
skip_pty=""
|
|
if ! config_defined HAVE_OPENPTY && [ "x$SUDO" = "x" ]; then
|
|
skip_pty="no openpty(3) and SUDO not set"
|
|
fi
|
|
|
|
# Test command= forced command
|
|
for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
|
|
sed "s/.*/$c &/" $origkeys >$authkeys
|
|
verbose "key option $c"
|
|
r=`${SSH} -q -F $OBJ/ssh_proxy somehost echo foo`
|
|
if [ "$r" = "foo" ]; then
|
|
fail "key option forced command not restricted"
|
|
fi
|
|
if [ "$r" != "bar" ]; then
|
|
fail "key option forced command not executed"
|
|
fi
|
|
done
|
|
|
|
# Test no-pty
|
|
expect_pty_succeed() {
|
|
which=$1
|
|
opts=$2
|
|
rm -f $OBJ/data
|
|
sed "s/.*/$opts &/" $origkeys >$authkeys
|
|
verbose "key option pty $which"
|
|
[ "x$skip_pty" != "x" ] && verbose "skipped because $skip_pty" && return
|
|
${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0"
|
|
if [ $? -ne 0 ] ; then
|
|
fail "key option failed $which"
|
|
else
|
|
r=`cat $OBJ/data`
|
|
case "$r" in
|
|
/dev/*) ;;
|
|
*) fail "key option failed $which (pty $r)" ;;
|
|
esac
|
|
fi
|
|
}
|
|
expect_pty_fail() {
|
|
which=$1
|
|
opts=$2
|
|
rm -f $OBJ/data
|
|
sed "s/.*/$opts &/" $origkeys >$authkeys
|
|
verbose "key option pty $which"
|
|
[ "x$skip_pty" != "x" ] && verbose "skipped because $skip_pty" && return
|
|
${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0"
|
|
if [ $? -eq 0 ]; then
|
|
r=`cat $OBJ/data`
|
|
if [ -e "$r" ]; then
|
|
fail "key option failed $which (pty $r)"
|
|
fi
|
|
case "$r" in
|
|
/dev/*) fail "key option failed $which (pty $r)" ;;
|
|
*) ;;
|
|
esac
|
|
fi
|
|
}
|
|
# First ensure that we can allocate a pty by default.
|
|
expect_pty_succeed "default" ""
|
|
expect_pty_fail "no-pty" "no-pty"
|
|
expect_pty_fail "restrict" "restrict"
|
|
expect_pty_succeed "restrict,pty" "restrict,pty"
|
|
|
|
# Test environment=
|
|
# XXX this can fail if ~/.ssh/environment exists for the user running the test
|
|
echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
|
|
sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys
|
|
verbose "key option environment"
|
|
r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo $FOO'`
|
|
if [ "$r" != "bar" ]; then
|
|
fail "key option environment not set"
|
|
fi
|
|
|
|
# Test from= restriction
|
|
start_sshd
|
|
for f in 127.0.0.1 '127.0.0.0\/8'; do
|
|
cat $origkeys >$authkeys
|
|
${SSH} -q -F $OBJ/ssh_proxy somehost true
|
|
if [ $? -ne 0 ]; then
|
|
fail "key option failed without restriction"
|
|
fi
|
|
|
|
sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
|
|
from=`head -1 $authkeys | cut -f1 -d ' '`
|
|
verbose "key option $from"
|
|
r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
|
|
if [ "$r" = "true" ]; then
|
|
fail "key option $from not restricted"
|
|
fi
|
|
|
|
r=`${SSH} -q -F $OBJ/ssh_config somehost 'echo true'`
|
|
if [ "$r" != "true" ]; then
|
|
fail "key option $from not allowed but should be"
|
|
fi
|
|
done
|
|
|
|
check_valid_before() {
|
|
which=$1
|
|
opts=$2
|
|
expect=$3
|
|
sed "s/.*/$opts &/" $origkeys >$authkeys
|
|
verbose "key option expiry-time $which"
|
|
${SSH} -q -F $OBJ/ssh_proxy somehost true
|
|
r=$?
|
|
case "$expect" in
|
|
fail) test $r -eq 0 && fail "key option succeeded $which" ;;
|
|
pass) test $r -ne 0 && fail "key option failed $which" ;;
|
|
*) fatal "unknown expectation $expect" ;;
|
|
esac
|
|
}
|
|
check_valid_before "default" "" "pass"
|
|
check_valid_before "invalid" 'expiry-time="INVALID"' "fail"
|
|
check_valid_before "expired" 'expiry-time="19990101"' "fail"
|
|
check_valid_before "valid" 'expiry-time="20380101"' "pass"
|
|
|