a6f4ac8a2b
Previously we would log to ssh.log and sshd.log, but that is insufficient for tests that have more than one concurrent ssh/sshd. Instead, we'll log to separate datestamped files in $OBJ/log/ and leave a symlink at the previous location pointing at the most recent instance, with an entry in regress.log showing which files were created at each point. This should be sufficient to reconstruct what happened even for tests that use multiple instances of each program. If the test fails, tar up all of the logs for later analysis. This will also let us capture the output from some of the other tools, which was previously sent to /dev/null, although most of those will be in future commits. OpenBSD-Regress-ID: f802aa9e7fa51d1a01225c05fb0412d015c33e24
# $OpenBSD: agent.sh,v 1.21 2023/03/01 09:29:32 dtucker Exp $
# Placed in the Public Domain.
tid="simple agent test"

# Sanity check before any agent exists: ssh-add -l must report that it
# cannot reach an agent (exit status 2).
SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
r=$?
test "$r" -eq 2 || fail "ssh-add -l did not fail with exit code 2"

# Start the primary agent and import SSH_AUTH_SOCK/SSH_AGENT_PID from its
# "-s" output.  ssh_logfile is a harness helper; it appears to hand back a
# per-instance log path for this agent, which is what the redirect targets.
trace "start agent, args ${EXTRA_AGENT_ARGS} -s"
eval $(${SSHAGENT} ${EXTRA_AGENT_ARGS} -s) >$(ssh_logfile ssh-agent)
r=$?
test "$r" -eq 0 || fatal "could not start ssh-agent: exit code $r"

# Second, independent agent.  Its variables are renamed to FW_SSH_* so it
# does not displace the primary agent's SSH_AUTH_SOCK/SSH_AGENT_PID; the
# forwarding tests further down point ForwardAgent at this one.
eval $(${SSHAGENT} ${EXTRA_AGENT_ARGS} -s | sed 's/SSH_/FW_SSH_/g') > /dev/null
r=$?
test "$r" -eq 0 || fatal "could not start second ssh-agent: exit code $r"

# Agent reachable but nothing loaded yet: ssh-add -l is expected to exit 1.
${SSHADD} -l > /dev/null 2>&1
r=$?
test "$r" -eq 1 || fail "ssh-add -l did not fail with exit code 1"

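# CA key that will sign a certificate for every user key generated below.
rm -f $OBJ/user_ca_key $OBJ/user_ca_key.pub
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \
	|| fatal "ssh-keygen failed"

trace "overwrite authorized keys"
# Start from an empty authorized_keys so only keys created here are trusted.
printf '' > $OBJ/authorized_keys_$USER

for t in ${SSH_KEYTYPES}; do
	# generate user key for agent
	rm -f $OBJ/$t-agent $OBJ/$t-agent.pub*
	${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
		fatal "ssh-keygen for $t-agent failed"
	# Make a certificate for each too, issued for principal "estragon"
	# (the cert-authority authorized_keys line used later is limited to it).
	${SSHKEYGEN} -qs $OBJ/user_ca_key -I "$t cert" \
		-n estragon $OBJ/$t-agent.pub || fatal "ca sign failed"

	# add to authorized keys
	cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
	# add private key to agent.  Save the status before testing it: inside
	# the "if" body $? would be the status of [ ], not of ssh-add, so the
	# failure message would always report the wrong code.
	${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add failed exit code $r"
	fi
	# add private key to second agent
	SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add failed exit code $r"
	fi
	# Move private key to ensure that we aren't accidentally using it.
	# Keep the corresponding public keys/certs around for later use.
	mv -f $OBJ/$t-agent $OBJ/$t-agent-private
	cp -f $OBJ/$t-agent.pub $OBJ/$t-agent-private.pub
	cp -f $OBJ/$t-agent-cert.pub $OBJ/$t-agent-private-cert.pub
done
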
# Remove explicit identity directives from ssh_proxy.  With the private key
# files moved away as well, the agent is meant to be the only key source
# for the connections that follow.
mv $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
grep -vi identityfile $OBJ/ssh_proxy_bak > $OBJ/ssh_proxy

# Listing must succeed now that keys are loaded (fingerprint form)...
${SSHADD} -l > /dev/null 2>&1
r=$?
[ $r -eq 0 ] || fail "ssh-add -l failed: exit code $r"
# ... and the same for full pubkey output.
${SSHADD} -L > /dev/null 2>&1
r=$?
[ $r -eq 0 ] || fail "ssh-add -L failed: exit code $r"

# The remote command exits 52, so 52 back from ssh proves the session
# was established (and therefore that agent authentication worked).
trace "simple connect via agent"
${SSH} -F $OBJ/ssh_proxy somehost exit 52
r=$?
[ $r -eq 52 ] || fail "ssh connect with failed (exit code $r)"

for t in ${SSH_KEYTYPES}; do
	trace "connect via agent using $t key"
	# ssh-dss has to be appended to the accepted algorithm list on both
	# the client and server proxy configs; the other types need nothing.
	case "$t" in
	ssh-dss)
		echo "PubkeyAcceptedAlgorithms +ssh-dss" >> $OBJ/ssh_proxy
		echo "PubkeyAcceptedAlgorithms +ssh-dss" >> $OBJ/sshd_proxy
		;;
	esac
	# Only the .pub is on disk; with IdentitiesOnly it selects which of
	# the agent-held keys may be offered for this connection.
	${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub -oIdentitiesOnly=yes \
		somehost exit 52
	r=$?
	[ $r -eq 52 ] || fail "ssh connect with failed (exit code $r)"
done

trace "agent forwarding"
# -A forwards the current agent; ssh-add -l on the remote side must then
# be able to list the keys that were loaded locally.
${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
r=$?
[ $r -eq 0 ] || fail "ssh-add -l via agent fwd failed (exit code $r)"

# Same check, but forwarding by explicit socket path rather than -A.
${SSH} "-oForwardAgent=$SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
r=$?
[ $r -eq 0 ] || fail "ssh-add -l via agent path fwd failed (exit code $r)"

# Two hops: the inner ssh has to authenticate through the forwarded agent.
${SSH} -A -F $OBJ/ssh_proxy somehost \
	"${SSH} -F $OBJ/ssh_proxy somehost exit 52"
r=$?
[ $r -eq 52 ] || fail "agent fwd failed (exit code $r)"

trace "agent forwarding different agent"
# Forward the *second* agent (FW_SSH_AUTH_SOCK), not the one ssh itself
# authenticates with; the remote ssh-add -l should list its keys.
${SSH} "-oForwardAgent=$FW_SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
r=$?
[ $r -eq 0 ] || fail "ssh-add -l via agent path fwd of different agent failed (exit code $r)"

# The single quotes are deliberate: ssh receives the literal string
# "$FW_SSH_AUTH_SOCK" and resolves the (exported) environment variable
# itself, exercising the env-name form of ForwardAgent.
${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
r=$?
[ $r -eq 0 ] || fail "ssh-add -l via agent path env fwd of different agent failed (exit code $r)"

# Remove keys from forwarded agent, ssh-add on remote machine should now fail.
SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} -D > /dev/null 2>&1
r=$?
[ $r -eq 0 ] || fail "ssh-add -D failed: exit code $r"
# Forwarding still works (so ssh-add reaches an agent) but the agent is
# empty, hence exit 1 rather than 2.
${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
r=$?
[ $r -eq 1 ] || fail "ssh-add -l with different agent did not fail with exit code 1 (exit code $r)"

# Replace the per-key authorized_keys entries with a single CA trust line.
# The principals= restriction means only certificates issued for
# "estragon" (which is what the CA signed above) are acceptable.
(printf 'cert-authority,principals="estragon" '; cat $OBJ/user_ca_key.pub) \
	> $OBJ/authorized_keys_$USER
for t in ${SSH_KEYTYPES}; do
	# No certificate test for ssh-dss.
	[ "$t" = "ssh-dss" ] && continue
	trace "connect via agent using $t key"
	# Private key comes from the agent; the cert is supplied from file.
	${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub \
		-oCertificateFile=$OBJ/$t-agent-cert.pub \
		-oIdentitiesOnly=yes somehost exit 52
	r=$?
	[ $r -eq 52 ] || fail "ssh connect with failed (exit code $r)"
done

## Deletion tests.

trace "delete all agent keys"
${SSHADD} -D > /dev/null 2>&1
r=$?
[ $r -eq 0 ] || fail "ssh-add -D failed: exit code $r"
# make sure they're gone: an empty agent makes ssh-add -l exit 1
${SSHADD} -l > /dev/null 2>&1
r=$?
[ $r -eq 1 ] || fail "ssh-add -l returned unexpected exit code: $r"

trace "readd keys"
# re-add keys/certs to agent from the private copies saved earlier; the
# matching -private-cert.pub appears to be picked up alongside each key.
# Here $? really is ssh-add's status (right-hand side of ||).
for t in ${SSH_KEYTYPES}; do
	${SSHADD} $OBJ/$t-agent-private >/dev/null 2>&1 || \
		fail "ssh-add failed exit code $?"
done
# make sure they are there
${SSHADD} -l > /dev/null 2>&1
r=$?
[ $r -eq 0 ] || fail "ssh-add -l failed: exit code $r"

check_key_absent() {
	# Assert that no key whose type field is $1 is loaded in the agent
	# (ssh-add -L prints "<type> <base64> ..." per key).  $1 is placed
	# into a grep pattern; callers pass fixed key type names from this
	# script, never external data, so the unescaped "." is harmless.
	if ${SSHADD} -L | grep "^$1 " >/dev/null; then
		fail "$1 key unexpectedly present"
	fi
}

check_key_present() {
	# Assert that a key whose type field is $1 is loaded in the agent.
	# Mirror image of check_key_absent; the pipeline status is grep's.
	${SSHADD} -L | grep "^$1 " >/dev/null \
		|| fail "$1 key missing from agent"
}

# delete the ed25519 key.  Only the .pub is left on disk (the private
# half was moved to -private), which is all ssh-add -d needs.
trace "delete single key by file"
# -k: remove the plain key but keep the certificate loaded.
${SSHADD} -qdk $OBJ/ssh-ed25519-agent || fail "ssh-add -d ed25519 failed"
check_key_absent ssh-ed25519
check_key_present ssh-ed25519-cert-v01@openssh.com
# Put key/cert back.
${SSHADD} $OBJ/ssh-ed25519-agent-private >/dev/null 2>&1 || \
	fail "ssh-add failed exit code $?"
check_key_present ssh-ed25519

# Delete both key and certificate.
trace "delete key/cert by file"
${SSHADD} -qd $OBJ/ssh-ed25519-agent || fail "ssh-add -d ed25519 failed"
check_key_absent ssh-ed25519
check_key_absent ssh-ed25519-cert-v01@openssh.com
# Put key/cert back.
${SSHADD} $OBJ/ssh-ed25519-agent-private >/dev/null 2>&1 || \
	fail "ssh-add failed exit code $?"
check_key_present ssh-ed25519

# Delete certificate via stdin ("-" reads the public key to remove).
${SSHADD} -qd - < $OBJ/ssh-ed25519-agent-cert.pub || fail "ssh-add -d - failed"
check_key_present ssh-ed25519
check_key_absent ssh-ed25519-cert-v01@openssh.com
# Delete key via stdin
${SSHADD} -qd - < $OBJ/ssh-ed25519-agent.pub || fail "ssh-add -d - failed"
check_key_absent ssh-ed25519
check_key_absent ssh-ed25519-cert-v01@openssh.com

# Stop both agents so no stray processes outlive the test; -k kills the
# agent named by SSH_AGENT_PID, so the second one is selected via the
# renamed FW_SSH_AGENT_PID.
trace "kill agent"
${SSHAGENT} -k > /dev/null
SSH_AGENT_PID=$FW_SSH_AGENT_PID ${SSHAGENT} -k > /dev/null