openssh/regress/hostkey-rotate.sh

144518Sdavidxu#	$OpenBSD: hostkey-rotate.sh,v 1.2 2015/03/03 17:53:40 djm Exp $
144518Sdavidxu#	Placed in the Public Domain.
144518Sdavidxu
144518Sdavidxutid="hostkey rotate"
144518Sdavidxu
144518Sdavidxu# Need full names here since they are used in HostKeyAlgorithms
144518SdavidxuHOSTKEY_TYPES="ecdsa-sha2-nistp256 ssh-ed25519 ssh-rsa ssh-dss"
144518Sdavidxu
144518Sdavidxurm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig
144518Sdavidxu
144518Sdavidxugrep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
144518Sdavidxuecho "UpdateHostkeys=yes" >> $OBJ/ssh_proxy
144518Sdavidxurm $OBJ/known_hosts
144518Sdavidxu
144518Sdavidxutrace "prepare hostkeys"
144518Sdavidxunkeys=0
144518Sdavidxuall_algs=""
144518Sdavidxufor k in `ssh -Q key-plain` ; do
144518Sdavidxu	${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k"
144518Sdavidxu	echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig
144518Sdavidxu	nkeys=`expr $nkeys + 1`
144518Sdavidxu	test "x$all_algs" = "x" || all_algs="${all_algs},"
144518Sdavidxu	all_algs="${all_algs}$k"
144518Sdavidxudone
144518Sdavidxu
144518Sdavidxudossh() {
144518Sdavidxu	# All ssh should succeed in this test
144518Sdavidxu	${SSH} -F $OBJ/ssh_proxy "$@" x true || fail "ssh $@ failed"
144518Sdavidxu}
144518Sdavidxu
144518Sdavidxuexpect_nkeys() {
162061Sdavidxu	_expected=$1
144518Sdavidxu	_message=$2
144518Sdavidxu	_n=`wc -l $OBJ/known_hosts | awk '{ print $1 }'` || fatal "wc failed"
212077Sdavidxu	[ "x$_n" = "x$_expected" ] || fail "$_message (got $_n wanted $_expected)"
212077Sdavidxu}
162061Sdavidxu
234372Sdavidxucheck_key_present() {
179970Sdavidxu	_type=$1
216641Sdavidxu	_kfile=$2
179970Sdavidxu	test "x$_kfile" = "x" && _kfile="$OBJ/hkr.${_type}.pub"
161680Sdavidxu	_kpub=`awk "/$_type /"' { print $2 }' < $_kfile` || \
179970Sdavidxu		fatal "awk failed"
163334Sdavidxu	fgrep "$_kpub" $OBJ/known_hosts > /dev/null
161680Sdavidxu}
161680Sdavidxu
161680Sdavidxucp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
163334Sdavidxu
212077Sdavidxu# Connect to sshd with StrictHostkeyChecking=no
212077Sdavidxuverbose "learn hostkey with StrictHostKeyChecking=no"
173801Sdavidxu>$OBJ/known_hosts
162061Sdavidxudossh -oHostKeyAlgorithms=ssh-ed25519 -oStrictHostKeyChecking=no
173801Sdavidxu# Verify no additional keys learned
178647Sdavidxuexpect_nkeys 1 "unstrict connect keys"
216641Sdavidxucheck_key_present ssh-ed25519 || fail "unstrict didn't learn key"
216641Sdavidxu
178647Sdavidxu# Connect to sshd as usual
164877Sdavidxuverbose "learn additional hostkeys"
164902Sdavidxudossh -oStrictHostKeyChecking=yes
164902Sdavidxu# Check that other keys learned
164902Sdavidxuexpect_nkeys $nkeys "learn hostkeys"
164902Sdavidxucheck_key_present ssh-rsa || fail "didn't learn keys"
162061Sdavidxu
177850Sdavidxu# Check each key type
177850Sdavidxufor k in `ssh -Q key-plain` ; do
177850Sdavidxu	verbose "learn additional hostkeys, type=$k"
177850Sdavidxu	dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs
212076Sdavidxu	expect_nkeys $nkeys "learn hostkeys $k"
212076Sdavidxu	check_key_present $k || fail "didn't learn $k"
212076Sdavidxudone
212076Sdavidxu
212076Sdavidxu# Change one hostkey (non primary) and relearn
144518Sdavidxuverbose "learn changed non-primary hostkey"
161680Sdavidxumv $OBJ/hkr.ssh-rsa.pub $OBJ/hkr.ssh-rsa.pub.old
161680Sdavidxurm -f $OBJ/hkr.ssh-rsa
161680Sdavidxu${SSHKEYGEN} -qt ssh-rsa -f $OBJ/hkr.ssh-rsa -N '' || fatal "ssh-keygen $k"
161680Sdavidxudossh -oStrictHostKeyChecking=yes
161680Sdavidxu# Check that the key was replaced
161680Sdavidxuexpect_nkeys $nkeys "learn hostkeys"
163334Sdavidxucheck_key_present ssh-rsa $OBJ/hkr.ssh-rsa.pub.old && fail "old key present"
161680Sdavidxucheck_key_present ssh-rsa || fail "didn't learn changed key"
161680Sdavidxu
161680Sdavidxu# Add new hostkey (primary type) to sshd and connect
165206Sdavidxuverbose "learn new primary hostkey"
165206Sdavidxu${SSHKEYGEN} -qt ssh-rsa -f $OBJ/hkr.ssh-rsa-new -N '' || fatal "ssh-keygen $k"
179970Sdavidxu( cat $OBJ/sshd_proxy.orig ; echo HostKey $OBJ/hkr.ssh-rsa-new ) \
165206Sdavidxu    > $OBJ/sshd_proxy
179970Sdavidxu# Check new hostkey added
179970Sdavidxudossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa,$all_algs
179970Sdavidxuexpect_nkeys `expr $nkeys + 1` "learn hostkeys"
179970Sdavidxucheck_key_present ssh-rsa || fail "current key missing"
165206Sdavidxucheck_key_present ssh-rsa $OBJ/hkr.ssh-rsa-new.pub || fail "new key missing"
165206Sdavidxu
165206Sdavidxu# Remove old hostkey (primary type) from sshd
165206Sdavidxuverbose "rotate primary hostkey"
161680Sdavidxucp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
161680Sdavidxumv $OBJ/hkr.ssh-rsa.pub $OBJ/hkr.ssh-rsa.pub.old
179970Sdavidxumv $OBJ/hkr.ssh-rsa-new.pub $OBJ/hkr.ssh-rsa.pub
161680Sdavidxumv $OBJ/hkr.ssh-rsa-new $OBJ/hkr.ssh-rsa
179970Sdavidxu# Check old hostkey removed
161680Sdavidxudossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa,$all_algs
161680Sdavidxuexpect_nkeys $nkeys "learn hostkeys"
161680Sdavidxucheck_key_present ssh-rsa $OBJ/hkr.ssh-rsa.pub.old && fail "old key present"
216641Sdavidxucheck_key_present ssh-rsa || fail "didn't learn changed key"
216641Sdavidxu
216641Sdavidxu# Connect again, forcing rotated key
216641Sdavidxuverbose "check rotate primary hostkey"
216641Sdavidxudossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa
216641Sdavidxuexpect_nkeys 1 "learn hostkeys"
216641Sdavidxucheck_key_present ssh-rsa || fail "didn't learn changed key"
216641Sdavidxu
161680Sdavidxu#	$OpenBSD: hostkey-rotate.sh,v 1.2 2015/03/03 17:53:40 djm Exp $
161680Sdavidxu#	Placed in the Public Domain.
161680Sdavidxu
179970Sdavidxutid="hostkey rotate"
161680Sdavidxu
179970Sdavidxu# Prepare hostkeys file with one key
161680Sdavidxu
161680Sdavidxu# Connect to sshd
161680Sdavidxu
161680Sdavidxu# Check that other keys learned
161680Sdavidxu
234372Sdavidxu# Change one hostkey (non primary)
234372Sdavidxu
234372Sdavidxu# Connect to sshd
161680Sdavidxu
161680Sdavidxu# Check that the key was replaced
177850Sdavidxu
177850Sdavidxu