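#	$OpenBSD: sshfp-connect.sh,v 1.4 2021/09/01 00:50:27 dtucker Exp $
#	Placed in the Public Domain.

# This test requires external setup and thus is skipped unless
# TEST_SSH_SSHFP_DOMAIN is set.  It requires:
# 1) A DNSSEC-enabled domain, which TEST_SSH_SSHFP_DOMAIN points to.
# 2) A DNSSEC-validating resolver such as unwind(8).
# 3) The following SSHFP records with fingerprints from rsa_openssh.pub
#    in that domain that are expected to succeed:
#      sshtest: valid sha1 and sha256 fingerprints.
#      sshtest-sha{1,256}, : valid fingerprints for that type only.
#    and the following records that are expected to fail:
#      sshtest-bad: invalid sha1 fingerprint and good sha256 fingerprint
#      sshtest-sha{1,256}-bad: invalid fingerprints for that type only.
#
# sshtest            IN SSHFP 1 1 99C79CC09F5F81069CC017CDF9552CFC94B3B929
# sshtest            IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B6
# sshtest-sha1       IN SSHFP 1 1 99C79CC09F5F81069CC017CDF9552CFC94B3B929
# sshtest-sha256     IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B6
# sshtest-bad        IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B6
# sshtest-bad        IN SSHFP 1 1 99C79CC09F5F81069CC017CDF9552CFC94B3B928
# sshtest-sha1-bad   IN SSHFP 1 1 99D79CC09F5F81069CC017CDF9552CFC94B3B929
# sshtest-sha256-bad IN SSHFP 1 2 E30D6B9EB7A4DE495324E4D5870B8220577993EA6AF417E8E4A4F1C5 BF01A9B5
#
# The helpers used below (skip, trace, fail) and the variables $SSH, $OBJ,
# $SRC and $SUDO are provided by the regress framework that sources this
# file; they are not defined here.

tid="sshfp connect"

# Anchor the pattern so only the bare "ssh-rsa" algorithm name matches.
if ! $SSH -Q key-plain | grep '^ssh-rsa$' >/dev/null; then
	skip "RSA keys not supported."
elif [ -z "${TEST_SSH_SSHFP_DOMAIN}" ]; then
	skip "TEST_SSH_SSHFP_DOMAIN not set."
else
	# Set RSA host key to match the fingerprints published above.  The
	# private key is installed with $SUDO and restricted to mode 600 so
	# sshd will accept it.
	mv "$OBJ/sshd_proxy" "$OBJ/sshd_proxy.orig"
	$SUDO cp "$SRC/rsa_openssh.prv" "$OBJ/host.ssh-rsa"
	$SUDO chmod 600 "$OBJ/host.ssh-rsa"
	sed -e "s|$OBJ/ssh-rsa|$OBJ/host.ssh-rsa|" \
	    "$OBJ/sshd_proxy.orig" > "$OBJ/sshd_proxy"

	# Zero out known hosts and drop the key alias / fixed Hostname so the
	# client cannot satisfy host key verification from a cached entry;
	# the only remaining path is the SSHFP record (VerifyHostKeyDNS=yes).
	> "$OBJ/known_hosts"
	mv "$OBJ/ssh_proxy" "$OBJ/ssh_proxy.orig"
	sed -e "/HostKeyAlias.*localhost-with-alias/d" \
	    -e "/Hostname.*127.0.0.1/d" \
	    "$OBJ/ssh_proxy.orig" > "$OBJ/ssh_proxy"

	# Loop-invariant client options.  $opts is a plain option string
	# (POSIX sh, no arrays) and is deliberately left unquoted at its use
	# sites so it word-splits into separate arguments.
	opts="-F $OBJ/ssh_proxy -o VerifyHostKeyDNS=yes"
	opts="$opts -o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256"

	for n in sshtest sshtest-sha1 sshtest-sha256; do
		trace "sshfp connect $n good fingerprint"
		# The host is always derived from TEST_SSH_SSHFP_DOMAIN; the
		# previous hard-coded "${n}.dtucker.net" assignment was dead
		# code that this line immediately overwrote.
		host="${n}.${TEST_SSH_SSHFP_DOMAIN}"
		# The command substitution's status is the status of ssh itself.
		SSH_CONNECTION=$(${SSH} $opts "$host" 'echo $SSH_CONNECTION')
		if [ $? -ne 0 ]; then
			fail "ssh sshfp connect failed"
		fi
		# The session runs over the framework's proxy configs rather
		# than a real socket, so sshd reports no usable peer address.
		if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
			fail "bad SSH_CONNECTION: $SSH_CONNECTION"
		fi

		# Negative case: a record with a wrong fingerprint must not
		# let the connection proceed.
		trace "sshfp connect $n bad fingerprint"
		host="${n}-bad.${TEST_SSH_SSHFP_DOMAIN}"
		if ${SSH} $opts "${host}" true; then
			fail "sshfp-connect succeeded with bad SSHFP record"
		fi
	done
fi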