cert-userkey.sh (225825) | cert-userkey.sh (248613) |
---|---|
1# $OpenBSD: cert-userkey.sh,v 1.8 2011/05/17 07:13:31 djm Exp $ | 1# $OpenBSD: cert-userkey.sh,v 1.10 2013/01/18 00:45:29 djm Exp $ |
2# Placed in the Public Domain. 3 4tid="certified user keys" 5 6# used to disable ECC based tests on platforms without ECC 7ecdsa="" 8if test "x$TEST_SSH_ECC" = "xyes"; then 9 ecdsa=ecdsa --- 7 unchanged lines hidden (view full) --- 17 fail "ssh-keygen of user_ca_key failed" 18 19# Generate and sign user keys 20for ktype in rsa dsa $ecdsa ; do 21 verbose "$tid: sign user ${ktype} cert" 22 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 23 -f $OBJ/cert_user_key_${ktype} || \ 24 fail "ssh-keygen of cert_user_key_${ktype} failed" | 2# Placed in the Public Domain. 3 4tid="certified user keys" 5 6# used to disable ECC based tests on platforms without ECC 7ecdsa="" 8if test "x$TEST_SSH_ECC" = "xyes"; then 9 ecdsa=ecdsa --- 7 unchanged lines hidden (view full) --- 17 fail "ssh-keygen of user_ca_key failed" 18 19# Generate and sign user keys 20for ktype in rsa dsa $ecdsa ; do 21 verbose "$tid: sign user ${ktype} cert" 22 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 23 -f $OBJ/cert_user_key_${ktype} || \ 24 fail "ssh-keygen of cert_user_key_${ktype} failed" |
25 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \ 26 "regress user key for $USER" \ 27 -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || | 25 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ 26 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || |
28 fail "couldn't sign cert_user_key_${ktype}" 29 # v00 ecdsa certs do not exist 30 test "${ktype}" = "ecdsa" && continue 31 cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 32 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub 33 ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ 34 "regress user key for $USER" \ 35 -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || --- 144 unchanged lines hidden (view full) --- 180 fail "ssh cert connect failed" 181 fi 182 183 # Revoked keys 184 verbose "$tid: ${_prefix} revoked key" 185 ( 186 cat $OBJ/sshd_proxy_bak 187 echo "UsePrivilegeSeparation $privsep" | 27 fail "couldn't sign cert_user_key_${ktype}" 28 # v00 ecdsa certs do not exist 29 test "${ktype}" = "ecdsa" && continue 30 cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 31 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub 32 ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ 33 "regress user key for $USER" \ 34 -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || --- 144 unchanged lines hidden (view full) --- 179 fail "ssh cert connect failed" 180 fi 181 182 # Revoked keys 183 verbose "$tid: ${_prefix} revoked key" 184 ( 185 cat $OBJ/sshd_proxy_bak 186 echo "UsePrivilegeSeparation $privsep" |
188 echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub" | 187 echo "RevokedKeys $OBJ/cert_user_key_revoked" |
189 echo "$extra_sshd" 190 ) > $OBJ/sshd_proxy | 188 echo "$extra_sshd" 189 ) > $OBJ/sshd_proxy |
190 cp $OBJ/cert_user_key_${ktype}.pub \ 191 $OBJ/cert_user_key_revoked |
|
191 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 192 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 193 if [ $? -eq 0 ]; then 194 fail "ssh cert connect succeeded unexpecedly" 195 fi | 192 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 193 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 194 if [ $? -eq 0 ]; then 195 fail "ssh cert connect succeeded unexpecedly" 196 fi |
197 verbose "$tid: ${_prefix} revoked via KRL" 198 rm $OBJ/cert_user_key_revoked 199 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \ 200 $OBJ/cert_user_key_${ktype}.pub 201 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 202 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 203 if [ $? -eq 0 ]; then 204 fail "ssh cert connect succeeded unexpecedly" 205 fi 206 verbose "$tid: ${_prefix} empty KRL" 207 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked 208 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 209 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 210 if [ $? -ne 0 ]; then 211 fail "ssh cert connect failed" 212 fi |
|
196 done 197 198 # Revoked CA 199 verbose "$tid: ${ktype} $auth revoked CA key" 200 ( 201 cat $OBJ/sshd_proxy_bak 202 echo "RevokedKeys $OBJ/user_ca_key.pub" 203 echo "$extra_sshd" --- 135 unchanged lines hidden --- | 213 done 214 215 # Revoked CA 216 verbose "$tid: ${ktype} $auth revoked CA key" 217 ( 218 cat $OBJ/sshd_proxy_bak 219 echo "RevokedKeys $OBJ/user_ca_key.pub" 220 echo "$extra_sshd" --- 135 unchanged lines hidden --- |