RepoMirrors/openssh
1
0
Fork 0
mirror of git://anongit.mindrot.org/openssh.git synced 2024-12-18 16:14:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
46db8e14b7
openssh/regress/agent.sh
dtucker@openbsd.org a6f4ac8a2b
upstream: Rework logging for the regression tests. 
Previously we would log to ssh.log and sshd.log, but that is insufficient
for tests that have more than one concurent ssh/sshd.

Instead, we'll log to separate datestamped files in a $OBJ/log/ and
leave a symlink at the previous location pointing at the most recent
instance with an entry in regress.log showing which files were created
at each point.  This should be sufficient to reconstruct what happened
even for tests that use multiple instances of each program.  If the test
fails, tar up all of the logs for later analysis.

This will let us also capture the output from some of the other tools
which was previously sent to /dev/null although most of those will be
in future commits.

OpenBSD-Regress-ID: f802aa9e7fa51d1a01225c05fb0412d015c33e24
2023-03-01 22:02:47 +11:00

228 lines
6.6 KiB
Bash
Raw Blame History

# $OpenBSD: agent.sh,v 1.21 2023/03/01 09:29:32 dtucker Exp $
# Placed in the Public Domain.
tid="simple agent test"
SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
if [ $? -ne 2 ]; then
fail "ssh-add -l did not fail with exit code 2"
fi
trace "start agent, args ${EXTRA_AGENT_ARGS} -s"
eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` >`ssh_logfile ssh-agent`
r=$?
if [ $r -ne 0 ]; then
fatal "could not start ssh-agent: exit code $r"
fi
eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s | sed 's/SSH_/FW_SSH_/g'` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fatal "could not start second ssh-agent: exit code $r"
fi
${SSHADD} -l > /dev/null 2>&1
if [ $? -ne 1 ]; then
fail "ssh-add -l did not fail with exit code 1"
fi
rm -f $OBJ/user_ca_key $OBJ/user_ca_key.pub
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \
|| fatal "ssh-keygen failed"
trace "overwrite authorized keys"
printf '' > $OBJ/authorized_keys_$USER
for t in ${SSH_KEYTYPES}; do
# generate user key for agent
rm -f $OBJ/$t-agent $OBJ/$t-agent.pub*
${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
fatal "ssh-keygen for $t-agent failed"
# Make a certificate for each too.
${SSHKEYGEN} -qs $OBJ/user_ca_key -I "$t cert" \
-n estragon $OBJ/$t-agent.pub || fatal "ca sign failed"
# add to authorized keys
cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
# add private key to agent
${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh-add failed exit code $?"
fi
# add private key to second agent
SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh-add failed exit code $?"
fi
# Move private key to ensure that we aren't accidentally using it.
# Keep the corresponding public keys/certs around for later use.
mv -f $OBJ/$t-agent $OBJ/$t-agent-private
cp -f $OBJ/$t-agent.pub $OBJ/$t-agent-private.pub
cp -f $OBJ/$t-agent-cert.pub $OBJ/$t-agent-private-cert.pub
done
# Remove explicit identity directives from ssh_proxy
mv $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
grep -vi identityfile $OBJ/ssh_proxy_bak > $OBJ/ssh_proxy
${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -l failed: exit code $r"
fi
# the same for full pubkey output
${SSHADD} -L > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -L failed: exit code $r"
fi
trace "simple connect via agent"
${SSH} -F $OBJ/ssh_proxy somehost exit 52
r=$?
if [ $r -ne 52 ]; then
fail "ssh connect with failed (exit code $r)"
fi
for t in ${SSH_KEYTYPES}; do
trace "connect via agent using $t key"
if [ "$t" = "ssh-dss" ]; then
echo "PubkeyAcceptedAlgorithms +ssh-dss" >> $OBJ/ssh_proxy
echo "PubkeyAcceptedAlgorithms +ssh-dss" >> $OBJ/sshd_proxy
fi
${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub -oIdentitiesOnly=yes \
somehost exit 52
r=$?
if [ $r -ne 52 ]; then
fail "ssh connect with failed (exit code $r)"
fi
done
trace "agent forwarding"
${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -l via agent fwd failed (exit code $r)"
fi
${SSH} "-oForwardAgent=$SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -l via agent path fwd failed (exit code $r)"
fi
${SSH} -A -F $OBJ/ssh_proxy somehost \
"${SSH} -F $OBJ/ssh_proxy somehost exit 52"
r=$?
if [ $r -ne 52 ]; then
fail "agent fwd failed (exit code $r)"
fi
trace "agent forwarding different agent"
${SSH} "-oForwardAgent=$FW_SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -l via agent path fwd of different agent failed (exit code $r)"
fi
${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -l via agent path env fwd of different agent failed (exit code $r)"
fi
# Remove keys from forwarded agent, ssh-add on remote machine should now fail.
SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} -D > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -D failed: exit code $r"
fi
${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 1 ]; then
fail "ssh-add -l with different agent did not fail with exit code 1 (exit code $r)"
fi
(printf 'cert-authority,principals="estragon" '; cat $OBJ/user_ca_key.pub) \
> $OBJ/authorized_keys_$USER
for t in ${SSH_KEYTYPES}; do
if [ "$t" != "ssh-dss" ]; then
trace "connect via agent using $t key"
${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub \
-oCertificateFile=$OBJ/$t-agent-cert.pub \
-oIdentitiesOnly=yes somehost exit 52
r=$?
if [ $r -ne 52 ]; then
fail "ssh connect with failed (exit code $r)"
fi
fi
done
## Deletion tests.
trace "delete all agent keys"
${SSHADD} -D > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -D failed: exit code $r"
fi
# make sure they're gone
${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 1 ]; then
fail "ssh-add -l returned unexpected exit code: $r"
fi
trace "readd keys"
# re-add keys/certs to agent
for t in ${SSH_KEYTYPES}; do
${SSHADD} $OBJ/$t-agent-private >/dev/null 2>&1 || \
fail "ssh-add failed exit code $?"
done
# make sure they are there
${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -l failed: exit code $r"
fi
check_key_absent() {
${SSHADD} -L | grep "^$1 " >/dev/null
if [ $? -eq 0 ]; then
fail "$1 key unexpectedly present"
fi
}
check_key_present() {
${SSHADD} -L | grep "^$1 " >/dev/null
if [ $? -ne 0 ]; then
fail "$1 key missing from agent"
fi
}
# delete the ed25519 key
trace "delete single key by file"
${SSHADD} -qdk $OBJ/ssh-ed25519-agent || fail "ssh-add -d ed25519 failed"
check_key_absent ssh-ed25519
check_key_present ssh-ed25519-cert-v01@openssh.com
# Put key/cert back.
${SSHADD} $OBJ/ssh-ed25519-agent-private >/dev/null 2>&1 || \
fail "ssh-add failed exit code $?"
check_key_present ssh-ed25519
# Delete both key and certificate.
trace "delete key/cert by file"
${SSHADD} -qd $OBJ/ssh-ed25519-agent || fail "ssh-add -d ed25519 failed"
check_key_absent ssh-ed25519
check_key_absent ssh-ed25519-cert-v01@openssh.com
# Put key/cert back.
${SSHADD} $OBJ/ssh-ed25519-agent-private >/dev/null 2>&1 || \
fail "ssh-add failed exit code $?"
check_key_present ssh-ed25519
# Delete certificate via stdin
${SSHADD} -qd - < $OBJ/ssh-ed25519-agent-cert.pub || fail "ssh-add -d - failed"
check_key_present ssh-ed25519
check_key_absent ssh-ed25519-cert-v01@openssh.com
# Delete key via stdin
${SSHADD} -qd - < $OBJ/ssh-ed25519-agent.pub || fail "ssh-add -d - failed"
check_key_absent ssh-ed25519
check_key_absent ssh-ed25519-cert-v01@openssh.com
trace "kill agent"
${SSHAGENT} -k > /dev/null
SSH_AGENT_PID=$FW_SSH_AGENT_PID ${SSHAGENT} -k > /dev/null
Reference in New Issue View Git Blame Copy Permalink