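# $OpenBSD: keygen-knownhosts.sh,v 1.3 2015/07/17 03:34:27 djm Exp $
# Placed in the Public Domain.
#
# Regression test for ssh-keygen's known_hosts maintenance options:
#   -F  find entries for a host
#   -H  hash hostnames in place (keeping a .old backup)
#   -R  remove entries for a host
# The regress harness (test-exec.sh) supplies $OBJ, $SSHKEYGEN, fail() and
# fatal().  Written for POSIX sh: no 'local', no [[ ]], no arrays.

tid="ssh-keygen known_hosts"

# Everything below is written under $OBJ; refuse to run if it is unset so
# the rm/cp/redirections cannot land somewhere unexpected.
: "${OBJ:?OBJ must be set by the regress harness}"

rm -f "$OBJ"/kh.*

# Generate some keys for testing (just ed25519 for speed) and make a hosts file.
# Every host contributes exactly three lines (comment, key, blank line), so the
# line numbers asserted via expect_key further down depend on this layout.
for x in host-a host-b host-c host-d host-e host-f host-a2 host-b2; do
	${SSHKEYGEN} -qt ed25519 -f "$OBJ/kh.$x" -C "$x" -N "" || \
	    fatal "ssh-keygen failed"
	# Add a comment that we expect should be preserved.
	echo "# $x" >> "$OBJ/kh.hosts"
	(
		# Hostname field (plus optional marker) for this entry.  The
		# value is always passed as a printf argument, never as the
		# format string.
		case "$x" in
		host-a|host-b)	printf '%s ' "$x" ;;
		host-c)		printf '@cert-authority %s ' "$x" ;;
		host-d)		printf '@revoked %s ' "$x" ;;
		host-e)		printf '%s ' "host-e*" ;;
		host-f)		printf '%s ' "host-f,host-g,host-h" ;;
		host-a2)	printf '%s ' "host-a" ;;
		host-b2)	printf '%s ' "host-b" ;;
		esac
		cat "$OBJ/kh.$x.pub"
		# Blank line should be preserved (stdout of this subshell is the
		# hosts file, so no separate redirection is needed).
		echo ""
	) >> "$OBJ/kh.hosts"
done

# Generate a variant with an invalid line. We'll use this for most tests,
# because keygen should be able to cope and it should be preserved in any
# output file.
cat "$OBJ/kh.hosts" >> "$OBJ/kh.invalid"
echo "host-i " >> "$OBJ/kh.invalid"

cp "$OBJ/kh.invalid" "$OBJ/kh.invalid.orig"
cp "$OBJ/kh.hosts" "$OBJ/kh.hosts.orig"

#######################################
# expect_key HOST HOSTS KEY [LINE] [MARK]
# Append one expected "ssh-keygen -F" entry to $OBJ/kh.expect:
#   - if LINE is non-empty, the "# Host HOST found: line LINE MARK" header
#   - MARK's marker ("CA" -> "@cert-authority ", "REVOKED" -> "@revoked ")
#   - HOSTS followed by a space and the public key from $OBJ/kh.KEY.pub
# Variables are _-prefixed globals, not 'local', because the harness runs
# under POSIX sh.  Calls fatal() if the key file is missing.
#######################################
expect_key() {
	_host=$1
	_hosts=$2
	_key=$3
	_line=$4
	_mark=$5
	_marker=""
	test "x$_mark" = "xCA" && _marker="@cert-authority "
	test "x$_mark" = "xREVOKED" && _marker="@revoked "
	test "x$_line" != "x" && \
	    echo "# Host $_host found: line $_line $_mark" >> "$OBJ/kh.expect"
	# Data goes in as printf arguments so a '%' or '\' in the host
	# pattern cannot be interpreted as a format directive.
	printf '%s%s ' "$_marker" "$_hosts" >> "$OBJ/kh.expect"
	cat "$OBJ/kh.$_key.pub" >> "$OBJ/kh.expect" || \
	    fatal "${_key}.pub missing"
}

#######################################
# check_find HOST NAME [KEYGENOPT]
# Run "ssh-keygen [KEYGENOPT] -F HOST" against the file that contains the
# invalid line and diff the output (ignoring whitespace) against
# $OBJ/kh.expect.  NAME labels the failure message.
#######################################
check_find() {
	_host=$1
	_name=$2
	_keygenopt=$3
	# $_keygenopt is deliberately unquoted: it is either empty (and must
	# then vanish, not become an empty argument) or a single flag such as -H.
	${SSHKEYGEN} $_keygenopt -f "$OBJ/kh.invalid" -F "$_host" \
	    > "$OBJ/kh.result"
	if ! diff -w "$OBJ/kh.expect" "$OBJ/kh.result" ; then
		fail "didn't find $_name"
	fi
}

# Find key
rm -f "$OBJ/kh.expect"
expect_key host-a host-a host-a 2
expect_key host-a host-a host-a2 20
check_find host-a "simple find"

# find CA key
rm -f "$OBJ/kh.expect"
expect_key host-c host-c host-c 8 CA
check_find host-c "find CA key"

# find revoked key
rm -f "$OBJ/kh.expect"
expect_key host-d host-d host-d 11 REVOKED
check_find host-d "find revoked key"

# find key with wildcard
rm -f "$OBJ/kh.expect"
expect_key host-e.somedomain "host-e*" host-e 14
check_find host-e.somedomain "find wildcard key"

# find key among multiple hosts
rm -f "$OBJ/kh.expect"
expect_key host-h "host-f,host-g,host-h " host-f 17
check_find host-h "find multiple hosts"

#######################################
# check_hashed_find HOST NAME [FILE]
# Run "ssh-keygen -HF HOST" on FILE (default: $OBJ/kh.invalid), keep only
# the hashed output lines (they start with "|1|"), replace the hash with
# HOST so the line is comparable, and diff against $OBJ/kh.expect.
# HOST is interpolated into the sed replacement; it is a fixed test
# constant here and must not contain '/', '&' or '\'.
#######################################
check_hashed_find() {
	_host=$1
	_name=$2
	_file=$3
	test "x$_file" = "x" && _file="$OBJ/kh.invalid"
	${SSHKEYGEN} -f "$_file" -HF "$_host" | grep '|1|' | \
	    sed "s/^[^ ]*/$_host/" > "$OBJ/kh.result"
	if ! diff -w "$OBJ/kh.expect" "$OBJ/kh.result" ; then
		fail "didn't find $_name"
	fi
}

# Find key and hash
rm -f "$OBJ/kh.expect"
expect_key host-a host-a host-a
expect_key host-a host-a host-a2
check_hashed_find host-a "find simple and hash"

# Find CA key and hash
rm -f "$OBJ/kh.expect"
expect_key host-c host-c host-c "" CA
# CA key output is not hashed.
check_find host-c "find CA key and hash" -H

# Find revoked key and hash
rm -f "$OBJ/kh.expect"
expect_key host-d host-d host-d "" REVOKED
# Revoked key output is not hashed.
check_find host-d "find revoked key and hash" -H

# find key with wildcard and hash
rm -f "$OBJ/kh.expect"
expect_key host-e "host-e*" host-e ""
# Key with wildcard hostname should not be hashed (a hashed pattern could
# never match anything).
check_find host-e "find wildcard key" -H

# find key among multiple hosts
rm -f "$OBJ/kh.expect"
# Comma-separated hostnames should be expanded and hashed.
expect_key host-f "host-h " host-f
expect_key host-g "host-h " host-f
expect_key host-h "host-h " host-f
check_hashed_find host-h "find multiple hosts"

# Attempt remove key on invalid file.
# A file that fails to parse must be left untouched rather than rewritten
# with the unparseable line dropped.
cp "$OBJ/kh.invalid.orig" "$OBJ/kh.invalid"
${SSHKEYGEN} -qf "$OBJ/kh.invalid" -R host-a 2>/dev/null
diff "$OBJ/kh.invalid" "$OBJ/kh.invalid.orig" || fail "remove on invalid succeeded"

# Remove key
cp "$OBJ/kh.hosts.orig" "$OBJ/kh.hosts"
${SSHKEYGEN} -qf "$OBJ/kh.hosts" -R host-a 2>/dev/null
grep -v "^host-a " "$OBJ/kh.hosts.orig" > "$OBJ/kh.expect"
diff "$OBJ/kh.hosts" "$OBJ/kh.expect" || fail "remove simple"

# Remove CA key
cp "$OBJ/kh.hosts.orig" "$OBJ/kh.hosts"
${SSHKEYGEN} -qf "$OBJ/kh.hosts" -R host-c 2>/dev/null
# CA key should not be removed: -R targets plain host keys only, so a
# trust anchor is never dropped as a side effect of a host removal.
diff "$OBJ/kh.hosts" "$OBJ/kh.hosts.orig" || fail "remove CA"

# Remove revoked key
cp "$OBJ/kh.hosts.orig" "$OBJ/kh.hosts"
${SSHKEYGEN} -qf "$OBJ/kh.hosts" -R host-d 2>/dev/null
# revoked key should not be removed: dropping an @revoked line would
# silently re-enable a key the user has explicitly rejected.
diff "$OBJ/kh.hosts" "$OBJ/kh.hosts.orig" || fail "remove revoked"

# Remove wildcard
cp "$OBJ/kh.hosts.orig" "$OBJ/kh.hosts"
${SSHKEYGEN} -qf "$OBJ/kh.hosts" -R host-e.blahblah 2>/dev/null
grep -v "^host-e[*] " "$OBJ/kh.hosts.orig" > "$OBJ/kh.expect"
diff "$OBJ/kh.hosts" "$OBJ/kh.expect" || fail "remove wildcard"

# Remove multiple
cp "$OBJ/kh.hosts.orig" "$OBJ/kh.hosts"
${SSHKEYGEN} -qf "$OBJ/kh.hosts" -R host-h 2>/dev/null
grep -v "^host-f," "$OBJ/kh.hosts.orig" > "$OBJ/kh.expect"
diff "$OBJ/kh.hosts" "$OBJ/kh.expect" || fail "remove multiple"

# Attempt hash on invalid file
cp "$OBJ/kh.invalid.orig" "$OBJ/kh.invalid"
${SSHKEYGEN} -qf "$OBJ/kh.invalid" -H 2>/dev/null && fail "hash invalid succeeded"
diff "$OBJ/kh.invalid" "$OBJ/kh.invalid.orig" || fail "invalid file modified"

# Hash valid file
cp "$OBJ/kh.hosts.orig" "$OBJ/kh.hosts"
${SSHKEYGEN} -qf "$OBJ/kh.hosts" -H 2>/dev/null || fail "hash failed"
# -H must keep an unmodified copy as kh.hosts.old.
diff "$OBJ/kh.hosts.old" "$OBJ/kh.hosts.orig" || fail "backup differs"
grep "^host-[abfgh]" "$OBJ/kh.hosts" && fail "original hostnames persist"

cp "$OBJ/kh.hosts" "$OBJ/kh.hashed.orig"

# Test lookup
rm -f "$OBJ/kh.expect"
expect_key host-a host-a host-a
expect_key host-a host-a host-a2
check_hashed_find host-a "find simple in hashed" "$OBJ/kh.hosts"

# Test multiple expanded
rm -f "$OBJ/kh.expect"
expect_key host-h host-h host-f
check_hashed_find host-h "find multiple in hashed" "$OBJ/kh.hosts"

# Test remove
cp "$OBJ/kh.hashed.orig" "$OBJ/kh.hashed"
${SSHKEYGEN} -qf "$OBJ/kh.hashed" -R host-a 2>/dev/null
${SSHKEYGEN} -qf "$OBJ/kh.hashed" -F host-a && fail "found key after hashed remove"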