upstream: Remove references to privsep.

This removes several do..while loops but does not change the indentation of the now-shallower loops, which will be done in a separate whitespace-only commit to keep changes of style and substance separate. OpenBSD-Regress-ID: 4bed1a0249df7b4a87c965066ce689e79472a8f7
2025-01-03 00:02:05 +00:00 · 2021-09-30 05:20:08 +00:00 · 2021-09-30 05:20:08 +00:00 · ddcb53b7a7
commit ddcb53b7a7
parent ece2fbe486
5 changed files with 117 additions and 135 deletions
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.25 2021/06/08 22:30:27 djm Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.26 2021/09/30 05:20:08 dtucker Exp $
 #	Placed in the Public Domain.

 tid="certified host keys"
@ -131,14 +131,12 @@ attempt_connect() {
 }

 # Basic connect and revocation tests.
-for privsep in yes ; do
 	for ktype in $PLAIN_TYPES ; do
-		verbose "$tid: host ${ktype} cert connect privsep $privsep"
+		verbose "$tid: host ${ktype} cert connect"
 		(
 			cat $OBJ/sshd_proxy_bak
 			echo HostKey $OBJ/cert_host_key_${ktype}
 			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-			echo UsePrivilegeSeparation $privsep
 		) > $OBJ/sshd_proxy

 		#               test name                         expect success
@ -160,7 +158,6 @@ for privsep in yes ; do
 		attempt_connect "$ktype CA plaintext revocation"	"no" \
 		    -oRevokedHostKeys=$OBJ/host_revoked_ca
 	done
-done

 # Revoked certificates with key present
 kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
@ -169,14 +166,12 @@ for ktype in $PLAIN_TYPES ; do
 	kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
 done
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for privsep in yes ; do
 	for ktype in $PLAIN_TYPES ; do
-		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
+		verbose "$tid: host ${ktype} revoked cert"
 		(
 			cat $OBJ/sshd_proxy_bak
 			echo HostKey $OBJ/cert_host_key_${ktype}
 			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-			echo UsePrivilegeSeparation $privsep
 		) > $OBJ/sshd_proxy

 		cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
@ -187,7 +182,6 @@ for privsep in yes ; do
 			fail "ssh cert connect succeeded unexpectedly"
 		fi
 	done
-done

 # Revoked CA
 kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-userkey.sh,v 1.26 2021/02/25 03:27:34 djm Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.27 2021/09/30 05:20:08 dtucker Exp $
 #	Placed in the Public Domain.

 tid="certified user keys"
@ -60,14 +60,12 @@ done
 # Test explicitly-specified principals
 for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 	t=$(kname $ktype)
-	for privsep in yes ; do
-		_prefix="${ktype} privsep $privsep"
+		_prefix="${ktype}"

 		# Setup for AuthorizedPrincipalsFile
 		rm -f $OBJ/authorized_keys_$USER
 		(
 			cat $OBJ/sshd_proxy_bak
-			echo "UsePrivilegeSeparation $privsep"
 			echo "AuthorizedPrincipalsFile " \
 			    "$OBJ/authorized_principals_%u"
 			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
@ -148,7 +146,6 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 		rm -f $OBJ/authorized_principals_$USER
 		(
 			cat $OBJ/sshd_proxy_bak
-			echo "UsePrivilegeSeparation $privsep"
 			echo "PubkeyAcceptedAlgorithms ${t}"
 		) > $OBJ/sshd_proxy
 		(
@ -179,7 +176,6 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 		if [ $? -ne 0 ]; then
 			fail "ssh cert connect failed"
 		fi
-	done
 done

 basic_tests() {
@ -197,13 +193,11 @@ basic_tests() {

 	for ktype in $PLAIN_TYPES ; do
 		t=$(kname $ktype)
-		for privsep in yes ; do
-			_prefix="${ktype} privsep $privsep $auth"
+			_prefix="${ktype} $auth"
 			# Simple connect
 			verbose "$tid: ${_prefix} connect"
 			(
 				cat $OBJ/sshd_proxy_bak
-				echo "UsePrivilegeSeparation $privsep"
 				echo "PubkeyAcceptedAlgorithms ${t}"
 				echo "$extra_sshd"
 			) > $OBJ/sshd_proxy
@ -222,7 +216,6 @@ basic_tests() {
 			verbose "$tid: ${_prefix} revoked key"
 			(
 				cat $OBJ/sshd_proxy_bak
-				echo "UsePrivilegeSeparation $privsep"
 				echo "RevokedKeys $OBJ/cert_user_key_revoked"
 				echo "PubkeyAcceptedAlgorithms ${t}"
 				echo "$extra_sshd"
@ -265,7 +258,6 @@ basic_tests() {
 		if [ $? -eq 0 ]; then
 			fail "ssh cert connect succeeded unexpecedly"
 		fi
-	done

 	verbose "$tid: $auth CA does not authenticate"
 	(
--- a/regress/hostkey-agent.sh
+++ b/regress/hostkey-agent.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: hostkey-agent.sh,v 1.12 2021/09/29 01:32:21 djm Exp $
+#	$OpenBSD: hostkey-agent.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $
 #	Placed in the Public Domain.

 tid="hostkey agent"
@ -45,7 +45,7 @@ for k in $SSH_KEYTYPES ; do
 		fail "keytype $k failed"
 	fi
 	if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
-		fail "bad SSH_CONNECTION key type $k privsep=$ps"
+		fail "bad SSH_CONNECTION key type $k"
 	fi
 done

@ -78,7 +78,7 @@ for k in $SSH_CERTTYPES ; do
 		fail "cert type $k failed"
 	fi
 	if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
-		fail "bad SSH_CONNECTION key type $k privsep=$ps"
+		fail "bad SSH_CONNECTION key type $k"
 	fi
 done

--- a/regress/login-timeout.sh
+++ b/regress/login-timeout.sh
@ -1,9 +1,9 @@
-#	$OpenBSD: login-timeout.sh,v 1.9 2017/08/07 00:53:51 dtucker Exp $
+#	$OpenBSD: login-timeout.sh,v 1.10 2021/09/30 05:20:08 dtucker Exp $
 #	Placed in the Public Domain.

 tid="connect after login grace timeout"

-trace "test login grace with privsep"
+trace "test login grace time"
 cp $OBJ/sshd_config $OBJ/sshd_config.orig
 grep -vi LoginGraceTime $OBJ/sshd_config.orig > $OBJ/sshd_config
 echo "LoginGraceTime 10s" >> $OBJ/sshd_config
--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: principals-command.sh,v 1.12 2021/09/30 04:22:50 dtucker Exp $
+#	$OpenBSD: principals-command.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $
 #	Placed in the Public Domain.

 tid="authorized principals command"
@ -59,16 +59,16 @@ if ! $OBJ/check-perm -m keys-command $PRINCIPALS_COMMAND ; then
 	exit 0
 fi

-if [ -x $PRINCIPALS_COMMAND ]; then
-	# Test explicitly-specified principals
-	for privsep in yes ; do
-		_prefix="privsep $privsep"
+if [ ! -x $PRINCIPALS_COMMAND ]; then
+	skip "$PRINCIPALS_COMMAND not executable " \
+	    "(/var/run mounted noexec?)"
+fi

+#Test explicitly-specified principals
 	# Setup for AuthorizedPrincipalsCommand
 	rm -f $OBJ/authorized_keys_$USER
 	(
 		cat $OBJ/sshd_proxy_bak
-			echo "UsePrivilegeSeparation $privsep"
 		echo "AuthorizedKeysFile none"
 		echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
 		    "%u %t %T %i %s %F %f %k %K"
@ -80,7 +80,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
 	# XXX test failing command

 	# Empty authorized_principals
-		verbose "$tid: ${_prefix} empty authorized_principals"
+	verbose "$tid: empty authorized_principals"
 	echo > $OBJ/authorized_principals_$USER
 	${SSH} -i $OBJ/cert_user_key \
 	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
@ -89,7 +89,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
 	fi

 	# Wrong authorized_principals
-		verbose "$tid: ${_prefix} wrong authorized_principals"
+	verbose "$tid: wrong authorized_principals"
 	echo gregorsamsa > $OBJ/authorized_principals_$USER
 	${SSH} -i $OBJ/cert_user_key \
 	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
@ -98,7 +98,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
 	fi

 	# Correct authorized_principals
-		verbose "$tid: ${_prefix} correct authorized_principals"
+	verbose "$tid: correct authorized_principals"
 	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
 	${SSH} -i $OBJ/cert_user_key \
 	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
@ -107,7 +107,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
 	fi

 	# authorized_principals with bad key option
-		verbose "$tid: ${_prefix} authorized_principals bad key opt"
+	verbose "$tid: authorized_principals bad key opt"
 	echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
 	${SSH} -i $OBJ/cert_user_key \
 	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
@ -116,7 +116,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
 	fi

 	# authorized_principals with command=false
-		verbose "$tid: ${_prefix} authorized_principals command=false"
+	verbose "$tid: authorized_principals command=false"
 	echo 'command="false" mekmitasdigoat' > \
 	    $OBJ/authorized_principals_$USER
 	${SSH} -i $OBJ/cert_user_key \
@ -125,8 +125,9 @@ if [ -x $PRINCIPALS_COMMAND ]; then
 		fail "ssh cert connect succeeded unexpectedly"
 	fi

+
 	# authorized_principals with command=true
-		verbose "$tid: ${_prefix} authorized_principals command=true"
+	verbose "$tid: authorized_principals command=true"
 	echo 'command="true" mekmitasdigoat' > \
 	    $OBJ/authorized_principals_$USER
 	${SSH} -i $OBJ/cert_user_key \
@ -136,14 +137,14 @@ if [ -x $PRINCIPALS_COMMAND ]; then
 	fi

 	# Setup for principals= key option
+	# TODO: remove?
 	rm -f $OBJ/authorized_principals_$USER
 	(
 		cat $OBJ/sshd_proxy_bak
-			echo "UsePrivilegeSeparation $privsep"
 	) > $OBJ/sshd_proxy

 	# Wrong principals list
-		verbose "$tid: ${_prefix} wrong principals key option"
+	verbose "$tid: wrong principals key option"
 	(
 		printf 'cert-authority,principals="gregorsamsa" '
 		cat $OBJ/user_ca_key.pub
@ -155,7 +156,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
 	fi

 	# Correct principals list
-		verbose "$tid: ${_prefix} correct principals key option"
+	verbose "$tid: correct principals key option"
 	(
 		printf 'cert-authority,principals="mekmitasdigoat" '
 		cat $OBJ/user_ca_key.pub
@ -165,8 +166,3 @@ if [ -x $PRINCIPALS_COMMAND ]; then
 	if [ $? -ne 0 ]; then
 		fail "ssh cert connect failed"
 	fi
-	done
-else
-	echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
-	    "(/var/run mounted noexec?)"
-fi