1 # $OpenBSD: keygen-knownhosts.sh,v 1.2 2015/01/27 12:01:36 djm Exp $
2 # Placed in the Public Domain.
# Test identifier reported by the regress harness for this script.
tid='ssh-keygen known_hosts'
8 # Generate some keys for testing (just ed25519 for speed) and make a hosts file.
9 for x in host-a host-b host-c host-d host-e host-f host-a2 host-b2; do
10 ${SSHKEYGEN} -qt ed25519 -f $OBJ/kh.$x -C "$x" -N "" || \
11 fatal "ssh-keygen failed"
12 # Add a comment that we expect should be preserved.
13 echo "# $x" >> $OBJ/kh.hosts
16 host-a|host-b) printf "$x " ;;
17 host-c) printf "@cert-authority $x " ;;
18 host-d) printf "@revoked $x " ;;
19 host-e) printf "host-e* " ;;
20 host-f) printf "host-f,host-g,host-h " ;;
21 host-a2) printf "host-a " ;;
22 host-b2) printf "host-b " ;;
25 # Blank line should be preserved.
26 echo "" >> $OBJ/kh.hosts
# Build a second hosts file: a copy of kh.hosts followed by one malformed
# entry (a hostname with nothing after it). Most tests below run against this
# variant, because ssh-keygen must cope with the bad line on lookup and must
# leave it in place whenever it rewrites the file.
cat $OBJ/kh.hosts >> $OBJ/kh.invalid
printf 'host-i \n' >> $OBJ/kh.invalid
# Pristine copies: tests restore from these and diff against them.
cp $OBJ/kh.invalid $OBJ/kh.invalid.orig
cp $OBJ/kh.hosts $OBJ/kh.hosts.orig
46 test "x$_mark" = "xCA" && _marker="@cert-authority "
47 test "x$_mark" = "xREVOKED" && _marker="@revoked "
48 test "x$_line" != "x" &&
49 echo "# Host $_host found: line $_line $_mark" >> $OBJ/kh.expect
50 printf "${_marker}$_hosts " >> $OBJ/kh.expect
51 cat $OBJ/kh.${_key}.pub >> $OBJ/kh.expect ||
52 fatal "${_key}.pub missing"
59 ${SSHKEYGEN} $_keygenopt -f $OBJ/kh.invalid -F $_host > $OBJ/kh.result
60 if ! diff -uw $OBJ/kh.expect $OBJ/kh.result ; then
61 fail "didn't find $_name"
# Lookups (-F) on the file containing the malformed line.
# expect_key arguments: <looked-up host> <hosts field to print> <key file>
# [<line number> [<CA|REVOKED marker>]].
# Find key: host-a has two entries (the host-a key at line 2 and the host-a2
# key filed under the name host-a at line 20); both must be reported.
expect_key host-a host-a host-a 2
expect_key host-a host-a host-a2 20
check_find host-a "simple find"
# Find CA key: the @cert-authority marker must be reported with the match.
expect_key host-c host-c host-c 8 CA
check_find host-c "find CA key"
# Find revoked key: the @revoked marker must be reported with the match.
expect_key host-d host-d host-d 11 REVOKED
check_find host-d "find revoked key"
# find key with wildcard
# A name matching the "host-e*" pattern reports the pattern entry itself.
expect_key host-e.somedomain "host-e*" host-e 14
check_find host-e.somedomain "find wildcard key"
# find key among multiple hosts
# Looking up one name from a comma-separated list reports the whole entry.
expect_key host-h "host-f,host-g,host-h " host-f 17
check_find host-h "find multiple hosts"
95 test "x$_file" = "x" && _file=$OBJ/kh.invalid
96 ${SSHKEYGEN} -f $_file -HF $_host | grep '|1|' | \
97 sed "s/^[^ ]*/$_host/" > $OBJ/kh.result
98 if ! diff -uw $OBJ/kh.expect $OBJ/kh.result ; then
99 fail "didn't find $_name"
# Find simple and hash: both host-a entries must be reported. check_hashed_find
# keeps only output lines in hashed (|1|) form and maps the hash back to the
# looked-up name before comparing, so no line number is expected here.
expect_key host-a host-a host-a
expect_key host-a host-a host-a2
check_hashed_find host-a "find simple and hash"
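# Find CA key and hash
expect_key host-c host-c host-c "" CA
# CA key output is not hashed, so the plain (non-hashed) comparison is used;
# the @cert-authority marker must still be reported.
# The test name is unique so a failure here is not confused with the
# "find simple and hash" case above.
check_find host-c "find CA key and hash" -H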
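# Find revoked key and hash
expect_key host-d host-d host-d "" REVOKED
# Revoked key output is not hashed, so the plain (non-hashed) comparison is
# used; the @revoked marker must still be reported.
# The test name is unique so a failure here is not confused with the
# "find simple and hash" case above.
check_find host-d "find revoked key and hash" -H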
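# find key with wildcard and hash
expect_key host-e "host-e*" host-e ""
# Key with wildcard hostname should not be hashed, so the plain comparison
# is used and the "host-e*" pattern itself is expected in the output.
# The test name is unique so a failure here is not confused with the
# un-hashed "find wildcard key" case above.
check_find host-e "find wildcard key and hash" -H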
# find key among multiple hosts
# Comma-separated hostnames should be expanded and hashed.
# One hashed output line per name is expected, all for the host-f key.
# check_hashed_find rewrites the hashed host field of every output line to
# the looked-up name (host-h), which is why all three expectations carry
# "host-h " as the hosts field; diff -w tolerates the spacing difference.
expect_key host-f "host-h " host-f
expect_key host-g "host-h " host-f
expect_key host-h "host-h " host-f
check_hashed_find host-h "find multiple hosts"
# Attempt remove key on invalid file. ssh-keygen must refuse to rewrite a
# known_hosts file containing an unparseable line: the file has to be
# byte-identical to the original afterwards (diagnostics are discarded).
cp $OBJ/kh.invalid.orig $OBJ/kh.invalid
${SSHKEYGEN} -qf $OBJ/kh.invalid -R host-a 2>/dev/null
if ! diff -u $OBJ/kh.invalid $OBJ/kh.invalid.orig; then
	fail "remove on invalid succeeded"
fi
# Remove key. Every entry whose hosts field is exactly "host-a" must go
# (both the host-a key and the host-a2 key filed under that name); the
# "# host-a" comment lines, the blank line and all other entries must stay.
cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-a 2>/dev/null
grep -v '^host-a ' $OBJ/kh.hosts.orig > $OBJ/kh.expect
if ! diff -u $OBJ/kh.hosts $OBJ/kh.expect; then
	fail "remove simple"
fi
# Remove CA. -R on the name of a @cert-authority entry must not remove it;
# the file must be unchanged.
cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-c 2>/dev/null
if ! diff -u $OBJ/kh.hosts $OBJ/kh.hosts.orig; then
	fail "remove CA"
fi
# Remove revoked. -R on the name of a @revoked entry must not remove it;
# the file must be unchanged.
cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-d 2>/dev/null
if ! diff -u $OBJ/kh.hosts $OBJ/kh.hosts.orig; then
	fail "remove revoked"
fi
# Remove wildcard. A name that matches the "host-e*" pattern removes that
# pattern entry; everything else must be left as it was.
cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-e.blahblah 2>/dev/null
grep -v '^host-e[*] ' $OBJ/kh.hosts.orig > $OBJ/kh.expect
if ! diff -u $OBJ/kh.hosts $OBJ/kh.expect; then
	fail "remove wildcard"
fi
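# Remove multiple hosts. Removing host-h drops the whole
# "host-f,host-g,host-h" entry, i.e. the key for the other two names on that
# line as well; everything else must be left as it was.
cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-h 2>/dev/null
grep -v "^host-f," $OBJ/kh.hosts.orig > $OBJ/kh.expect
# Failure message names this case; it previously repeated "remove wildcard".
diff -u $OBJ/kh.hosts $OBJ/kh.expect || fail "remove multiple hosts"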
# Attempt hash on invalid file. -H must report failure on a file with an
# unparseable line and must leave the file byte-identical to the original.
cp $OBJ/kh.invalid.orig $OBJ/kh.invalid
if ${SSHKEYGEN} -qf $OBJ/kh.invalid -H 2>/dev/null; then
	fail "hash invalid succeeded"
fi
if ! diff -u $OBJ/kh.invalid $OBJ/kh.invalid.orig; then
	fail "invalid file modified"
fi
# Hash the good file in place. The pre-hash copy ssh-keygen leaves behind as
# kh.hosts.old must match the original exactly.
cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
if ! ${SSHKEYGEN} -qf $OBJ/kh.hosts -H 2>/dev/null; then
	fail "hash failed"
fi
if ! diff -u $OBJ/kh.hosts.old $OBJ/kh.hosts.orig; then
	fail "backup differs"
fi
# No plain hostname may survive for the hashable entries. host-c, host-d and
# host-e are deliberately left out of the pattern, consistent with the -F -H
# tests above where CA, revoked and wildcard entries are not hashed.
if grep '^host-[abfgh]' $OBJ/kh.hosts; then
	fail "original hostnames persist"
fi
# Keep the hashed file for the lookup and removal tests that follow.
cp $OBJ/kh.hosts $OBJ/kh.hashed.orig
# Find in the hashed file: both host-a entries must still be found by -F
# after -H rewrote the file, and must come back in hashed (|1|) form.
expect_key host-a host-a host-a
expect_key host-a host-a host-a2
check_hashed_find host-a "find simple in hashed" $OBJ/kh.hosts
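# Test multiple expanded
# After -H the "host-f,host-g,host-h" entry was expanded into separate hashed
# lines; looking up host-h alone must find the host-f key.
expect_key host-h host-h host-f
# Unique test name so a failure is not confused with "find simple in hashed".
check_hashed_find host-h "find multiple in hashed" $OBJ/kh.hosts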
# Remove from the hashed file. After -R host-a, a lookup for host-a against
# kh.hashed must no longer succeed.
cp $OBJ/kh.hashed.orig $OBJ/kh.hashed
${SSHKEYGEN} -qf $OBJ/kh.hashed -R host-a 2>/dev/null
if ${SSHKEYGEN} -qf $OBJ/kh.hashed -F host-a; then
	fail "found key after hashed remove"
fi