author | 2018-03-12 00:52:57 +0000 | |
committer | 2018-03-12 00:52:57 +0000 | |
commit | 9df3914d034120d770ce01ec2f877f58fb43f8f2 (patch) | |
tree | 06c32664f1a4ba6beb121c109b842ad5923fdd5d | |
parent | add valid-before="[time]" authorized_keys option. A simple way of (diff) | |
explicitly include RSA/SHA-2 keytypes in PubkeyAcceptedKeyTypes here
-rw-r--r-- | regress/usr.bin/ssh/limit-keytype.sh | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/regress/usr.bin/ssh/limit-keytype.sh b/regress/usr.bin/ssh/limit-keytype.sh
index c0cf2fed6d8..04f11977e14 100644
--- a/regress/usr.bin/ssh/limit-keytype.sh
+++ b/regress/usr.bin/ssh/limit-keytype.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: limit-keytype.sh,v 1.4 2015/10/29 08:05:17 djm Exp $
+# $OpenBSD: limit-keytype.sh,v 1.5 2018/03/12 00:52:57 djm Exp $
 # Placed in the Public Domain.
 
 tid="restrict pubkey type"
@@ -60,7 +60,8 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
 
 # Allow plain Ed25519 and RSA. The certificate should fail.
 verbose "allow rsa,ed25519"
-prepare_config "PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519"
+prepare_config \
+	"PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-ed25519"
 ${SSH} $certopts proxy true && fatal "cert succeeded"
 ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
 ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
@@ -74,14 +75,14 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
 
 # Allow all certs. Plain keys should fail.
 verbose "allow cert only"
-prepare_config "PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com"
+prepare_config "PubkeyAcceptedKeyTypes *-cert-v01@openssh.com"
 ${SSH} $certopts proxy true || fatal "cert failed"
 ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
 ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
 
 # Allow RSA in main config, Ed25519 for non-existent user.
 verbose "match w/ no match"
-prepare_config "PubkeyAcceptedKeyTypes ssh-rsa" \
+prepare_config "PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa" \
 	"Match user x$USER" "PubkeyAcceptedKeyTypes +ssh-ed25519"
 ${SSH} $certopts proxy true && fatal "cert succeeded"
 ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
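Review bot: The RSA algorithm list `rsa-sha2-256,rsa-sha2-512,ssh-rsa` is now spelled out twice, in the "allow rsa,ed25519" prepare_config of the second hunk and again in the "match w/ no match" prepare_config of the third, so the two cases can silently drift apart the next time the accepted RSA signature algorithms change. Defining it once near the top of the script (the `tid=` line in the first hunk is the obvious spot, though the rest of the preamble is outside the hunk), e.g. `rsa_types="rsa-sha2-256,rsa-sha2-512,ssh-rsa"`, and then writing `prepare_config "PubkeyAcceptedKeyTypes $rsa_types,ssh-ed25519"` and `prepare_config "PubkeyAcceptedKeyTypes $rsa_types" \` keeps both cases in step. The comment above the first of these still reads "Allow plain Ed25519 and RSA", which no longer says why three RSA names are needed; I would extend it to `# Allow plain Ed25519 and RSA (all RSA signature algorithms, since the client may pick a rsa-sha2-* one for an RSA key). The certificate should fail.` so nobody later "simplifies" the list back to ssh-rsa and breaks the key1 check.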