1# $OpenBSD: hostkey-agent.sh,v 1.15 2024/12/04 10:51:13 dtucker Exp $ 2# Placed in the Public Domain. 3 4tid="hostkey agent" 5 6rm -f $OBJ/agent-key.* $OBJ/ssh_proxy.orig $OBJ/known_hosts.orig $OBJ/agent-ca* 7 8trace "start agent" 9eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null 10r=$? 11[ $r -ne 0 ] && fatal "could not start ssh-agent: exit code $r" 12 13grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig 14echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig 15 16trace "make CA key" 17 18${SSHKEYGEN} -qt ed25519 -f $OBJ/agent-ca -N '' || fatal "ssh-keygen CA" 19 20trace "load hostkeys" 21for k in $SSH_KEYTYPES ; do 22 ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k" 23 ${SSHKEYGEN} -s $OBJ/agent-ca -qh -n localhost-with-alias \ 24 -I localhost-with-alias $OBJ/agent-key.$k.pub || \ 25 fatal "sign $k" 26 ${SSHADD} -k $OBJ/agent-key.$k >/dev/null 2>&1 || \ 27 fatal "couldn't load key $OBJ/agent-key.$k" 28 # Remove private key so the server can't use it. 29 rm $OBJ/agent-key.$k || fatal "couldn't rm $OBJ/agent-key.$k" 30done 31rm $OBJ/agent-ca # Don't need CA private any more either 32 33unset SSH_AUTH_SOCK 34 35for k in $SSH_KEYTYPES ; do 36 verbose "key type $k" 37 cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy 38 echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy 39 echo "Hostkey $OBJ/agent-key.${k}" >> $OBJ/sshd_proxy 40 opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy" 41 ( printf 'localhost-with-alias,127.0.0.1,::1 ' ; 42 cat $OBJ/agent-key.$k.pub) > $OBJ/known_hosts 43 SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'` 44 if [ $? -ne 0 ]; then 45 fail "keytype $k failed" 46 fi 47 if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then 48 fail "bad SSH_CONNECTION key type $k" 49 fi 50done 51 52SSH_CERTTYPES=`ssh -Q key-sig | grep 'cert-v01@openssh.com' | maybe_filter_sk` 53 54# Prepare sshd_proxy for certificates. 55cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy 56HOSTKEYALGS="" 57for k in $SSH_CERTTYPES ; do 58 test -z "$HOSTKEYALGS" || HOSTKEYALGS="${HOSTKEYALGS}," 59 HOSTKEYALGS="${HOSTKEYALGS}${k}" 60done 61for k in $SSH_KEYTYPES ; do 62 echo "Hostkey $OBJ/agent-key.${k}.pub" >> $OBJ/sshd_proxy 63 echo "HostCertificate $OBJ/agent-key.${k}-cert.pub" >> $OBJ/sshd_proxy 64 test -f $OBJ/agent-key.${k}.pub || fatal "no $k key" 65 test -f $OBJ/agent-key.${k}-cert.pub || fatal "no $k cert" 66done 67echo "HostKeyAlgorithms $HOSTKEYALGS" >> $OBJ/sshd_proxy 68 69# Add only CA trust anchor to known_hosts. 70( printf '@cert-authority localhost-with-alias ' ; 71 cat $OBJ/agent-ca.pub) > $OBJ/known_hosts 72 73for k in $SSH_CERTTYPES ; do 74 verbose "cert type $k" 75 opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy" 76 SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'` 77 if [ $? -ne 0 ]; then 78 fail "cert type $k failed" 79 fi 80 if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then 81 fail "bad SSH_CONNECTION key type $k" 82 fi 83done 84 85verbose "multiple hostkeys" 86cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy 87cp $OBJ/ssh_proxy $OBJ/ssh_proxy.orig 88grep -vi 'globalknownhostsfile' $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy 89echo "UpdateHostkeys=yes" >> $OBJ/ssh_proxy 90echo "GlobalKnownHostsFile=none" >> $OBJ/ssh_proxy 91 92for k in $SSH_KEYTYPES ; do 93 verbose "Addkey type $k" 94 echo "Hostkey $OBJ/agent-key.${k}" >> $OBJ/sshd_proxy 95 96 ( printf 'localhost-with-alias ' ; 97 cat $OBJ/agent-key.$k.pub) > $OBJ/known_hosts 98done 99 100opts="-oStrictHostKeyChecking=yes -F $OBJ/ssh_proxy" 101SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'` 102if [ $? -ne 0 ]; then 103 fail "connection to server with multiple hostkeys failed" 104fi 105if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then 106 fail "bad SSH_CONNECTION key while using multiple hostkeys" 107fi 108 109trace "kill agent" 110${SSHAGENT} -k > /dev/null 111 112