From ce04dd4eae23d1c9cf7c424a702f48ee78573bc1 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Mon, 7 Jun 2021 01:16:34 +0000
Subject: [PATCH] upstream: test AuthenticationMethods inside a Match block as well as in the main config section

OpenBSD-Regress-ID: ebe0a686621b7cb8bb003ac520975279c28747f7
---
 regress/multipubkey.sh | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/regress/multipubkey.sh b/regress/multipubkey.sh
index 9b2273353..8cdda1a9a 100644
--- a/regress/multipubkey.sh
+++ b/regress/multipubkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: multipubkey.sh,v 1.3 2019/12/11 18:47:14 djm Exp $
+# $OpenBSD: multipubkey.sh,v 1.4 2021/06/07 01:16:34 djm Exp $
 # Placed in the Public Domain.
 tid="multiple pubkey"
@@ -31,27 +31,35 @@ grep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy
 opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
 opts="$opts -i $OBJ/cert_user_key1 -i $OBJ/user_key1 -i $OBJ/user_key2"
-for privsep in yes ; do
+for match in no yes ; do
 (
-grep -v "Protocol" $OBJ/sshd_proxy.orig
+cat $OBJ/sshd_proxy.orig
 echo "Protocol 2"
-echo "UsePrivilegeSeparation $privsep"
-echo "AuthenticationMethods publickey,publickey"
 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
 echo "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
 ) > $OBJ/sshd_proxy
+if test "$match" = "yes" ; then
+echo "AuthenticationMethods none" >> $OBJ/sshd_proxy
+echo "PubkeyAuthentication no" >> $OBJ/sshd_proxy
+echo "Match all" >> $OBJ/sshd_proxy
+echo "PubkeyAuthentication yes" >> $OBJ/sshd_proxy
+fi
+echo "AuthenticationMethods publickey,publickey" >> $OBJ/sshd_proxy
 # Single key should fail.
+trace "match $match single key"
 rm -f $OBJ/authorized_principals_$USER
 cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER
 ${SSH} $opts proxy true && fail "ssh succeeded with key"
 # Single key with same-public cert should fail.
+trace "match $match pubkey + identical cert"
 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
 cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER
 ${SSH} $opts proxy true && fail "ssh succeeded with key+cert"
 # Multiple plain keys should succeed.
+trace "match $match multiple public"
 rm -f $OBJ/authorized_principals_$USER
 cat $OBJ/user_key1.pub $OBJ/user_key2.pub > \
 $OBJ/authorized_keys_$USER
@@ -59,6 +67,7 @@ for privsep in yes ; do
 # Cert and different key should succeed
 # Key and different-public cert should succeed.
+trace "match $match pubkey + different cert"
 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
 cat $OBJ/user_key2.pub > $OBJ/authorized_keys_$USER
 ${SSH} $opts proxy true || fail "ssh failed with key/cert"
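Review bot: The generated config is no longer filtered for the keywords the test then sets itself (`cat $OBJ/sshd_proxy.orig` replaces the old `grep -v "Protocol"`), so if the base sshd_proxy.orig already carries a PubkeyAuthentication or AuthenticationMethods line, the top-level `AuthenticationMethods none` and `PubkeyAuthentication no` appended in the match=yes branch would be inert — as far as I recall sshd keeps the first value it obtains for those keywords — and the Match variant would silently exercise the same configuration as match=no while still passing. Whether the harness puts such lines in sshd_proxy.orig is not visible here, so a defensive filter would keep the test meaningful either way: `grep -v -e '^AuthenticationMethods' -e '^PubkeyAuthentication' $OBJ/sshd_proxy.orig`. It would also help a reader if the match=yes branch said what it is checking, e.g. `# Deny pubkey at top level; the Match block below must re-enable it and override AuthenticationMethods.` The for loop's body continues past the end of this hunk.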