Merge pull request #12 from github/critical-options

Support for force-command and source-address critical options

Author: mastahyeti

lib/ssh_data/certificate.rb

@@ -1,4 +1,5 @@
 require "securerandom"
+require "ipaddr"
 
 module SSHData
   class Certificate
@@ -23,6 +24,9 @@ class Certificate
       ALGO_ED25519
     ]
 
+    CRITICAL_OPTION_FORCE_COMMAND  = "force-command"
+    CRITICAL_OPTION_SOURCE_ADDRESS = "source-address"
+
     attr_reader :algo, :nonce, :public_key, :serial, :type, :key_id,
                 :valid_principals, :valid_after, :valid_before,
                 :critical_options, :extensions, :reserved, :ca_key, :signature
@@ -163,6 +167,55 @@ def verify
       ca_key.verify(signed_data, signature)
     end
 
+    # The force-command critical option, if present.
+    #
+    # Returns a String or nil.
+    def force_command
+      case value = critical_options[CRITICAL_OPTION_FORCE_COMMAND]
+      when String, NilClass
+        value
+      else
+        raise DecodeError, "bad force-request"
+      end
+    end
+
+    # The source-address critical option, if present.
+    #
+    # Returns an Array of IPAddr instances or nil.
+    def source_address
+      return @source_address if defined?(@source_address)
+
+      value = critical_options[CRITICAL_OPTION_SOURCE_ADDRESS]
+
+      @source_address = case value
+      when String
+        value.split(",").map do |str_addr|
+          begin
+            IPAddr.new(str_addr.strip)
+          rescue IPAddr::InvalidAddressError => e
+            raise DecodeError, "bad source-address: #{e.message}"
+          end
+        end
+      when NilClass
+        nil
+      else
+        raise DecodeError, "bad source-address"
+      end
+    end
+
+    # Check if the given IP address is allowed for use with this certificate.
+    #
+    # address - A String IP address.
+    #
+    # Returns boolean.
+    def allowed_source_address?(address)
+      return true if source_address.nil?
+      parsed_addr = IPAddr.new(address)
+      source_address.any? { |a| a.include?(parsed_addr) }
+    rescue IPAddr::InvalidAddressError
+      return false
+    end
+
     private
 
     # The portion of the certificate over which the signature is calculated.

spec/certificate_spec.rb

@@ -56,6 +56,110 @@
     }.not_to raise_error
   end
 
+  describe "#force_command" do
+    it "parses valid option" do
+      parsed = described_class.parse_openssh(fixture("valid_force_command-cert.pub"))
+      expect(parsed.force_command).to eq("asdf")
+    end
+
+    it "raises on invalid option" do
+      parsed = described_class.parse_openssh(fixture("invalid_force_command-cert.pub"))
+
+      expect {
+        parsed.force_command
+      }.to raise_error(SSHData::DecodeError)
+    end
+  end
+
+  describe "#source_address" do
+    it "is without option" do
+      parsed = described_class.parse_openssh(fixture("rsa_leaf_for_rsa_ca-cert.pub"))
+      expect(parsed.source_address).to be_nil
+    end
+
+    it "parses single address" do
+      parsed = described_class.parse_openssh(fixture("single_source_address-cert.pub"))
+      expect(parsed.source_address).to eq([IPAddr.new("1.1.1.1")])
+    end
+
+    it "parses single CIDR range" do
+      parsed = described_class.parse_openssh(fixture("single_cidr_source_address-cert.pub"))
+      expect(parsed.source_address).to eq([IPAddr.new("1.1.1.0/24")])
+    end
+
+    it "parses multiple CIDR range" do
+      parsed = described_class.parse_openssh(fixture("multiple_cidr_source_address-cert.pub"))
+      expect(parsed.source_address).to eq([IPAddr.new("1.1.1.0/24"), IPAddr.new("2.2.2.0/24")])
+    end
+
+    it "parses option with spaces" do
+      parsed = described_class.parse_openssh(fixture("spaces_source_address-cert.pub"))
+      expect(parsed.source_address).to eq([IPAddr.new("1.1.1.1"), IPAddr.new("2.2.2.2")])
+    end
+
+    it "raises on invalid option" do
+      parsed = described_class.parse_openssh(fixture("invalid_source_address_flag-cert.pub"))
+
+      expect {
+        parsed.source_address
+      }.to raise_error(SSHData::DecodeError)
+    end
+
+    it "raises on invalid IP address in option" do
+      parsed = described_class.parse_openssh(fixture("invalid_source_address_bad_ip-cert.pub"))
+
+      expect {
+        parsed.source_address
+      }.to raise_error(SSHData::DecodeError)
+    end
+  end
+
+  describe "#allowed_source_address?" do
+    let(:public_key) { SSHData::PrivateKey::ED25519.generate.public_key }
+    let(:key_id)     { "some-id" }
+
+    subject {
+      described_class.new(public_key: public_key, key_id: key_id)
+    }
+
+    it "checks single address" do
+      subject.critical_options["source-address"] = "1.1.1.1"
+      expect(subject.allowed_source_address?("1.1.1.1")).to be(true)
+      expect(subject.allowed_source_address?("2.2.2.2")).to be(false)
+    end
+
+    it "checks multiple addresses" do
+      subject.critical_options["source-address"] = "1.1.1.1,2.2.2.2"
+      expect(subject.allowed_source_address?("1.1.1.1")).to be(true)
+      expect(subject.allowed_source_address?("2.2.2.2")).to be(true)
+      expect(subject.allowed_source_address?("3.3.3.3")).to be(false)
+    end
+
+    it "checks single CIDR range" do
+      subject.critical_options["source-address"] = "1.1.1.0/24"
+      expect(subject.allowed_source_address?("1.1.1.1")).to be(true)
+      expect(subject.allowed_source_address?("1.1.1.2")).to be(true)
+      expect(subject.allowed_source_address?("2.2.2.2")).to be(false)
+      expect(subject.allowed_source_address?("1.1.2.1")).to be(false)
+    end
+
+    it "checks multiple CIDR ranges" do
+      subject.critical_options["source-address"] = "1.1.1.0/24,2.2.2.0/24"
+      expect(subject.allowed_source_address?("1.1.1.1")).to be(true)
+      expect(subject.allowed_source_address?("2.2.2.2")).to be(true)
+      expect(subject.allowed_source_address?("3.3.3.3")).to be(false)
+    end
+
+    it "returns false for bad addresses" do
+      subject.critical_options["source-address"] = "1.1.1.1"
+      expect(subject.allowed_source_address?("foo")).to be(false)
+    end
+
+    it "allows any address if option is missing" do
+      expect(subject.allowed_source_address?("1.1.1.1")).to be(true)
+    end
+  end
+
   test_cases = []
 
   test_cases << [

spec/fixtures/gen.sh

@@ -34,6 +34,24 @@ ssh-keygen -s rsa_ca -z 123 -n p1,p2 -O clear -I my-ident -O critical:foo=bar -O
 ssh-keygen -ted25519 -N "" -f ./ed25519_leaf_for_rsa_ca
 ssh-keygen -s rsa_ca -z 123 -n p1,p2 -O clear -I my-ident -O critical:foo=bar -O extension:baz=qwer -O permit-X11-forwarding ed25519_leaf_for_rsa_ca.pub
 
+# critical opts
+ssh-keygen -trsa -N "" -f ./valid_force_command
+ssh-keygen -s rsa_ca -z 123 -O clear -I my-ident -O force-command=asdf valid_force_command.pub
+ssh-keygen -trsa -N "" -f ./invalid_force_command
+ssh-keygen -s rsa_ca -z 123 -O clear -I my-ident -O critical:force-command invalid_force_command.pub
+ssh-keygen -trsa -N "" -f ./single_source_address
+ssh-keygen -s rsa_ca -z 123 -O clear -I my-ident -O source-address=1.1.1.1 single_source_address.pub
+ssh-keygen -trsa -N "" -f ./single_cidr_source_address
+ssh-keygen -s rsa_ca -z 123 -O clear -I my-ident -O source-address=1.1.1.0/24 single_cidr_source_address.pub
+ssh-keygen -trsa -N "" -f ./multiple_cidr_source_address
+ssh-keygen -s rsa_ca -z 123 -O clear -I my-ident -O source-address=1.1.1.0/24,2.2.2.0/24 multiple_cidr_source_address.pub
+ssh-keygen -trsa -N "" -f ./spaces_source_address
+ssh-keygen -s rsa_ca -z 123 -O clear -I my-ident -O critical:source-address="1.1.1.1, 2.2.2.2" spaces_source_address.pub
+ssh-keygen -trsa -N "" -f ./invalid_source_address_flag
+ssh-keygen -s rsa_ca -z 123 -O clear -I my-ident -O critical:source-address invalid_source_address_flag.pub
+ssh-keygen -trsa -N "" -f ./invalid_source_address_bad_ip
+ssh-keygen -s rsa_ca -z 123 -O clear -I my-ident -O critical:source-address=foo invalid_source_address_bad_ip.pub
+
 # pem encoded keys
 openssl genrsa -out rsa.plaintext.pem 2048
 openssl rsa -aes-128-cbc -passout pass:mypass -in rsa.plaintext.pem -out rsa.encrypted.pem

spec/fixtures/invalid_force_command

@@ -0,0 +1,28 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAQEAqywAJgqnv8oeuuqr4Ta7ZDixyePRBnO4wjwP3hH+RD+U7POSTmIH
++LmvAN3M+id9pCmbpiuEFvksuXHISW5+qJHazWuZ7e5NWYwM1qS6sX608/wsce/8/IOZGC
+A/7f0fz9KXgSH52IYenHglL7KalwBrwzCUMKoAOFe7kWb/Hb9KrYFzpSfbKN6fkIMP103N
+Yiwj6YL+HyJ23Y84u1mH9oNZWtLw+UUk3Z7MnxiFFqAgjXquXKGOkcB4veNDf8QEq7+Q7T
+4iTUA94hfCkLOuV1Dwlew1CQbt+nhbZoEh4huYY1TKphyqc6Xr+dkF5ANqizToXWh9WoNO
+PVz+UpGgBQAAA+CicMu7onDLuwAAAAdzc2gtcnNhAAABAQCrLAAmCqe/yh666qvhNrtkOL
+HJ49EGc7jCPA/eEf5EP5Ts85JOYgf4ua8A3cz6J32kKZumK4QW+Sy5cchJbn6okdrNa5nt
+7k1ZjAzWpLqxfrTz/Cxx7/z8g5kYID/t/R/P0peBIfnYhh6ceCUvspqXAGvDMJQwqgA4V7
+uRZv8dv0qtgXOlJ9so3p+Qgw/XTc1iLCPpgv4fInbdjzi7WYf2g1la0vD5RSTdnsyfGIUW
+oCCNeq5coY6RwHi940N/xASrv5DtPiJNQD3iF8KQs65XUPCV7DUJBu36eFtmgSHiG5hjVM
+qmHKpzpev52QXkA2qLNOhdaH1ag049XP5SkaAFAAAAAwEAAQAAAQBNnQHkPeiaGfedIVMW
+J08Ivnw+4sGgf1BDIiC/vMDiCUJpvneUevbKXMdxSSDsPIPHr+YXjpuyHwGchG8gfK2Jmb
+jwc92z+N2xwMMBgGf2m1FJYAp3Dy5TAQil29mg+6k0/nQb5V/4QbgXkpKp8f4Oge5a7ugC
+uNKouX8fCuiaf6fYWg8Cbnmz0SuOGfu8KR6vlfFQmw+0QNpHGN1gePjWUm3Gy4kWEhcNwu
+t03Fc6qs7/+Yjktnabme4QHFCcFygYkTlC8Jv8WSGvRk4ZEAnNlbtiEhBylxxRu91Xzo1o
+OvP+pDD0vjvlpj1DP28j4GkMa92SUF9Y9dgYhSr5V7XxAAAAgQCKCCoZWUnVb05hhi10Si
+JRf7WEIz6FG38CFWlAC5B6eHbRtRzYF7wl1MQ5aqoPf3DA95qJ9n1Ty5eiKslGneP3nIFQ
+v7dwaj9fhB5xYyAJGKElydZP7GaHZGEzkJX7Ww3YmiIFvDytUZougbB8v0QkCbXUMPAlfr
+uohz1KPCSkNgAAAIEA4rY5PlGDCTYjlokNunuPPyYsFVH6+MfL7KNp6WjwV0GJERSQip3l
+TTjSlapDZ0a4xCULnhC7wWcZ0HX5xAuw549ZrzZdLVQvXkuF6CoyBx9ZSzUzu3DJsxqzkQ
+wnrDe0sc6mtFvRQI+6yGJOQjd2sVv7e7pH6aIrg9VpZXtMrM8AAACBAMFI+CE7izcrquEP
+9OMJnrDBu3mITAYskaaWeGNDMaomAuV3538emEcEroADNDCIPqrHiZ/evD/C43+isUnDDt
+bQ2ez7MicjROycQXJ50eKCcD8ADJGtIB79MhHTKmCfD8j3Xt43avBIl0YbjPL+MDEHEjE1
+zgg3YpFAczSB7KLrAAAAJm1hc3RhaHlldGlAQmVuamFtaW5zLU1hY0Jvb2stUHJvLmxvY2
+FsAQIDBA==
+-----END OPENSSH PRIVATE KEY-----

spec/fixtures/invalid_force_command-cert.pub

@@ -0,0 +1 @@
+[email protected] AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg/uUd7j9dIZaug62kubG3uLaEZaH5SepUWhr53g/1wL8AAAADAQABAAABAQCrLAAmCqe/yh666qvhNrtkOLHJ49EGc7jCPA/eEf5EP5Ts85JOYgf4ua8A3cz6J32kKZumK4QW+Sy5cchJbn6okdrNa5nt7k1ZjAzWpLqxfrTz/Cxx7/z8g5kYID/t/R/P0peBIfnYhh6ceCUvspqXAGvDMJQwqgA4V7uRZv8dv0qtgXOlJ9so3p+Qgw/XTc1iLCPpgv4fInbdjzi7WYf2g1la0vD5RSTdnsyfGIUWoCCNeq5coY6RwHi940N/xASrv5DtPiJNQD3iF8KQs65XUPCV7DUJBu36eFtmgSHiG5hjVMqmHKpzpev52QXkA2qLNOhdaH1ag049XP5SkaAFAAAAAAAAAHsAAAABAAAACG15LWlkZW50AAAAAAAAAAAAAAAA//////////8AAAAVAAAADWZvcmNlLWNvbW1hbmQAAAAAAAAAAAAAAAAAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDPB20SS4Ry0ahVJGIf5aYRU81PwtUiDLj2ChUnMfYtCYemucIRjkfTUquHzePbecUaWx/NHX0GHRv7c4NO+TYx/UPDC6e2ZmRhDRy/pc5qtyRu7fqBSsrhBAvAdv13F5LzMlRv+oZXIEBeNM8Zd3NIgapztMdxkBF+LsNksbisg9ixTJcOb3iSZVzQP4vmQH1wviO0/WFYj+rS3TroT6gPxUuafzThcXFtxLWAXAM+f9bLP9cJHW3AAGfohylRKTcVsxS7x7YljrK0EwfAh4KvjTAnk5gpbdLHaPweRrN62eYfIRZxCubdedDVuZ3PVlUmQWAhntHUkInB+mlkP/HvAAABDwAAAAdzc2gtcnNhAAABAKVT5p0dl5tYjbf4KC3Li7/GJragrAT+JFCKTCIlusetinvveUN/v01f31xXKqGK3JbUXdZcFrjjt/XyhAEGIUoaY2+GRZk5OSrvHB95xmFgbUUP53xzY1+DbHX9H9TmeHhTioIOXta23tUSHmfoYNW55ETxgxX4ZydRHrnbX3Qk5TlvXFYwztLKpq6NqBBu4bIQ+EKBy6x2dBEu8D9j4Wg3JOYYFUpLmDg/Q8rq5LQD0FEnIcEgoycl7S+B4UCNSJBPcccySfmjuwwcsTuWSp5CNoa0UCLd6qso7g8ZtnPVJJRD9ZdfuWzpaz8RujEnc1Dmnjw+Afp/2O9/3KIo0Lc= [email protected]

spec/fixtures/invalid_force_command.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrLAAmCqe/yh666qvhNrtkOLHJ49EGc7jCPA/eEf5EP5Ts85JOYgf4ua8A3cz6J32kKZumK4QW+Sy5cchJbn6okdrNa5nt7k1ZjAzWpLqxfrTz/Cxx7/z8g5kYID/t/R/P0peBIfnYhh6ceCUvspqXAGvDMJQwqgA4V7uRZv8dv0qtgXOlJ9so3p+Qgw/XTc1iLCPpgv4fInbdjzi7WYf2g1la0vD5RSTdnsyfGIUWoCCNeq5coY6RwHi940N/xASrv5DtPiJNQD3iF8KQs65XUPCV7DUJBu36eFtmgSHiG5hjVMqmHKpzpev52QXkA2qLNOhdaH1ag049XP5SkaAF [email protected]

spec/fixtures/invalid_source_address_bad_ip

@@ -0,0 +1,28 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAQEA7G8r4vhsINJH6uq3mZwZrPwbObo/fUHynwgIAE7ROX/icXwlUy/V
+1VnfNNSinhRcm41QB+057eT0NB7TE7VK6YjIXCppRRz5I7WShoQmV4bhqKP8eTw8FbEcoH
+YFGGiFgnaNr84Vfisl8J7DO5t3ZUwcI81lhSGNn66lEOdhvt/sPJN4xDSLNMa4Th92rrzE
+wkNvQ41JF3jlDUH94JoH5ZW5lhFJBbHUSk/S1qbAxeNyFlFMUcxrPWmsUUDF0fSem4zWqU
+2yxSa9yqbrY9H2zY26j1Iyd5PtsOUiUYg5fmI24zlh76oniPM92Hv/fp6JJ6oSFqqUtila
+ad6UkQporwAAA+Bqvtp5ar7aeQAAAAdzc2gtcnNhAAABAQDsbyvi+Gwg0kfq6reZnBms/B
+s5uj99QfKfCAgATtE5f+JxfCVTL9XVWd801KKeFFybjVAH7Tnt5PQ0HtMTtUrpiMhcKmlF
+HPkjtZKGhCZXhuGoo/x5PDwVsRygdgUYaIWCdo2vzhV+KyXwnsM7m3dlTBwjzWWFIY2frq
+UQ52G+3+w8k3jENIs0xrhOH3auvMTCQ29DjUkXeOUNQf3gmgfllbmWEUkFsdRKT9LWpsDF
+43IWUUxRzGs9aaxRQMXR9J6bjNapTbLFJr3Kputj0fbNjbqPUjJ3k+2w5SJRiDl+YjbjOW
+HvqieI8z3Ye/9+noknqhIWqpS2KVpp3pSRCmivAAAAAwEAAQAAAQBeXXypqTcW3na/xxCi
+aZBB35lKMBDZAHJCkOUIomyVQ3pwivkmu4fgEG+q2VdSOpQ/rWYM09z0GxZwmwDp88jDbs
+lxJ6g+YnL5kqW5tJLNClOUiGbjSGw+yCLB1HjyJf1rdb/VNC6V3cjVwbfwWXuM3ZS5oWfs
+e9jXq8/L8F2t3VM6WLFANrjfBNVgi/L+jXvyeYCxBaEjwzMpC4Vi4sQyOTC8cHg0/CR71R
+PLf3ObgEI9OybVnLnguzTQlpJSL0DSq36qDzeRX1OU7oMOgHtyr2AIyLe20wEfGzwltsPu
+kkDPTohIvGZEEdbhfDF/AU4mdojczbfJM17x1kFTaeWhAAAAgQDe0kkXTLHO49VCHlFrsv
+Tuaiq9/YsJxDTEG4uP8PdJ/dZEOwz/yjwGjuawhKqIlMoi9LljSqidnP8LeLMMqJvpX9uq
+DF5YucDhKPGt1MuoTlozskM3XLlfxk1oKISxsuLUX6g55R3gVLcIXPJPcu5JUiE99pqnHV
+v6A1xjVXoUxQAAAIEA+CbKBKlrEPHNeOWX/+2hjSkIJoWUPsLgqdnhHIFiOQXqiKAN62oz
+ARSGvLJqS/2AEkXpuF7u0kq7xjwpXx0J0Kk/9CAUFJ2wWPgOCZPUrmJ3/PAae3L4Wq8VVo
+pkCvFO6lPUAseYKVIyV/2aTf4uxmDDTAF8WLlZ9pQE1jJMVZ8AAACBAPPpgtWGoX8jWsMU
+YvtzvCaPSJVIEKUoZxxb+m9eS+jvzcTx5ApuvFyIUvNaTCTQLhOWc52IU/oUe6MLBssf0M
+pYeV0iD5YGbqSXsqHGjyZPC/dYLQNF/26eIwhNMgs06+wI455yYG+uLxS92jxeSByp3ck7
+GYnpschgMEn503LxAAAAJm1hc3RhaHlldGlAQmVuamFtaW5zLU1hY0Jvb2stUHJvLmxvY2
+FsAQIDBA==
+-----END OPENSSH PRIVATE KEY-----

spec/fixtures/invalid_source_address_bad_ip-cert.pub

@@ -0,0 +1 @@
+[email protected] AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgCLml2Sct3oQ3IB7gYfDY9lAxCO7C0NWGNS8qn+ZEZ50AAAADAQABAAABAQDsbyvi+Gwg0kfq6reZnBms/Bs5uj99QfKfCAgATtE5f+JxfCVTL9XVWd801KKeFFybjVAH7Tnt5PQ0HtMTtUrpiMhcKmlFHPkjtZKGhCZXhuGoo/x5PDwVsRygdgUYaIWCdo2vzhV+KyXwnsM7m3dlTBwjzWWFIY2frqUQ52G+3+w8k3jENIs0xrhOH3auvMTCQ29DjUkXeOUNQf3gmgfllbmWEUkFsdRKT9LWpsDF43IWUUxRzGs9aaxRQMXR9J6bjNapTbLFJr3Kputj0fbNjbqPUjJ3k+2w5SJRiDl+YjbjOWHvqieI8z3Ye/9+noknqhIWqpS2KVpp3pSRCmivAAAAAAAAAHsAAAABAAAACG15LWlkZW50AAAAAAAAAAAAAAAA//////////8AAAAdAAAADnNvdXJjZS1hZGRyZXNzAAAABwAAAANmb28AAAAAAAAAAAAAARcAAAAHc3NoLXJzYQAAAAMBAAEAAAEBAM8HbRJLhHLRqFUkYh/lphFTzU/C1SIMuPYKFScx9i0Jh6a5whGOR9NSq4fN49t5xRpbH80dfQYdG/tzg075NjH9Q8MLp7ZmZGENHL+lzmq3JG7t+oFKyuEEC8B2/XcXkvMyVG/6hlcgQF40zxl3c0iBqnO0x3GQEX4uw2SxuKyD2LFMlw5veJJlXNA/i+ZAfXC+I7T9YViP6tLdOuhPqA/FS5p/NOFxcW3EtYBcAz5/1ss/1wkdbcAAZ+iHKVEpNxWzFLvHtiWOsrQTB8CHgq+NMCeTmClt0sdo/B5Gs3rZ5h8hFnEK5t150NW5nc9WVSZBYCGe0dSQicH6aWQ/8e8AAAEPAAAAB3NzaC1yc2EAAAEAygVdwy80/K65d28IZJfbTGf/5L+GVAvdQFW3vPLCmzoCPz1NzueLv8pwkAkQyvyK50puOpKFn0pPNfdGo3gDQboOzBQ5Cw2m+A8OtlbyVUv5yXsnUjJPM6mi3yacerwWy6cur4yZZ/4fRir6vhC9AGt8+Pk1Lby41Ujdp33x+SiuhrRG2Ma/p+KnsFma8qsTlOT6knKvhQhb9ygYVV6giR7S8lnXrmhqlW026wy3u/JgCgSTRox4Ljf2HJu1B5XnS2xH5XNzO8Zfjsf+UXZ0tnvndwtXqNAd+LEjg5H/S8Mted8L8xzVDfFjeuBBhEhmwzOe4lbUbfFmKP/fzwNZqg== [email protected]

spec/fixtures/invalid_source_address_bad_ip.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsbyvi+Gwg0kfq6reZnBms/Bs5uj99QfKfCAgATtE5f+JxfCVTL9XVWd801KKeFFybjVAH7Tnt5PQ0HtMTtUrpiMhcKmlFHPkjtZKGhCZXhuGoo/x5PDwVsRygdgUYaIWCdo2vzhV+KyXwnsM7m3dlTBwjzWWFIY2frqUQ52G+3+w8k3jENIs0xrhOH3auvMTCQ29DjUkXeOUNQf3gmgfllbmWEUkFsdRKT9LWpsDF43IWUUxRzGs9aaxRQMXR9J6bjNapTbLFJr3Kputj0fbNjbqPUjJ3k+2w5SJRiDl+YjbjOWHvqieI8z3Ye/9+noknqhIWqpS2KVpp3pSRCmiv [email protected]

spec/fixtures/invalid_source_address_flag

@@ -0,0 +1,28 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAQEAwNePR8FplXpACjGterqAbAcu0Agef+Qo4fUPE34JPIjg59qn/wNX
+sAFqcAt6PBxVtSa9h46JNndpXJTsGGy34CTtTe0e8Ju3fzUsgOIbnog+V9PGQoy7VrK/2V
+h2z1OOPB+7PjFC1CosjmBT0XUfpj4XN2n7WXixvoGEwU6BmrzVMQuRfGoSe+JUkN18uTJu
+eaMce7MqdfGj3Q0c5ZBnfz4eczgY9LkF/sjEE/oWoHynXt+DPf3FP0wNkg9EWCl2XSKE0s
+3xCL2oAd27ZC5Ui+VrTA8hPXlEJvSFAY1aSimwDtOoA+6+MTCsSIXQAm1JQXKFlPUdaEE/
+pPdqoybxtwAAA+AM4Do1DOA6NQAAAAdzc2gtcnNhAAABAQDA149HwWmVekAKMa16uoBsBy
+7QCB5/5Cjh9Q8Tfgk8iODn2qf/A1ewAWpwC3o8HFW1Jr2Hjok2d2lclOwYbLfgJO1N7R7w
+m7d/NSyA4hueiD5X08ZCjLtWsr/ZWHbPU448H7s+MULUKiyOYFPRdR+mPhc3aftZeLG+gY
+TBToGavNUxC5F8ahJ74lSQ3Xy5Mm55oxx7syp18aPdDRzlkGd/Ph5zOBj0uQX+yMQT+hag
+fKde34M9/cU/TA2SD0RYKXZdIoTSzfEIvagB3btkLlSL5WtMDyE9eUQm9IUBjVpKKbAO06
+gD7r4xMKxIhdACbUlBcoWU9R1oQT+k92qjJvG3AAAAAwEAAQAAAQAuk6Hqrd9nmBhhnfAN
+pYAhF3cKDfv33c62DK9wgM+QTGst9NUAtfj27NCdcVg7rohQ8aNzW0zu19ad4uZHW/Lpc2
+HRoYUIjkO6uMgf9PzAxJ1yLxdCuaUB4riNsV045DCFexCJi/JdNjZ+yOtVutlDGNoYq0Nn
+L8yWe8fpvKF3EttqJOIvB55ErkwzE1lutjIXyWOhotsnkZPejt5gW2H3a2k3N84CPoFtDh
+e0DFZ7WNwGy3utk+MMdbfqaXFLAOagKO2FusX/uiu7Pr+8tE+lr8QG1HLALte0VTRE3jkP
+hExxfJc6aw3j67abh4GnfrHddqwAc6zw3jvFMcgUWW0JAAAAgQCQOZ4jOLODAXJ34eobN3
+NU90WrzggR7WdvKD2rFkChQCgCnqR9uo2BeZIByTPGtUc80tWWcA/5QqU9weeA+tmuWpgt
+UVsO8WDwR3qyexF1vfbCwK9HDvKEoH5p7phs5Xi63CLKAiYzjaCHJk9u63g9sik4PWTHfm
+HH7xPyUW43agAAAIEA579mfbzJJyAzv8gvdQnsmsUS9iQzGKgt/mwv227MVTeq8JizVwga
+4ddbM+DVdn5/zVnWHMaeJeKJIsREwCssUb/wE0hVlW6o/SV+4mItknomt8LwNlV9RDaI2R
+hA1rODoA253pXJgKPQCH2JN8mH15Fl9VylKr3iXkOaWN/ON6UAAACBANUF3TlV7RKOaDLq
+fQSgg1G9mI2KUtqIxnQH15BeGzB2GRzDz8N1vS6oRMd+Ejp5sAImbOd1v0IzffdeOZigjo
+8gn/R7WAAWesJabhlWCUqqS/WoIfLeg39pIt4owNBp6KWTAvi4MkVQzOiSdfPj0kokfCHe
+4bUaVRoG4jtwOeUrAAAAJm1hc3RhaHlldGlAQmVuamFtaW5zLU1hY0Jvb2stUHJvLmxvY2
+FsAQIDBA==
+-----END OPENSSH PRIVATE KEY-----