author | Damien Miller <djm@cvs.openbsd.org> | 2024-06-06 19:49:26 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2024-06-06 19:49:26 +0000 |
commit | e047bcf82daede069fe3f06d090f4f58f2d9015c (patch) | |
tree | 11aaeb7404d23791a1260369d51cc6e8651cef91 | |
parent | 3d2c7a6eea6a9e1ca4d540a2b777c9d7b33c7f22 (diff) |
regress test for PerSourcePenalties
-rw-r--r-- | regress/usr.bin/ssh/Makefile | 5 | ||||
-rw-r--r-- | regress/usr.bin/ssh/penalty.sh | 51 |
2 files changed, 54 insertions, 2 deletions
diff --git a/regress/usr.bin/ssh/Makefile b/regress/usr.bin/ssh/Makefile index 09870cd1a6e..27737c38a76 100644 --- a/regress/usr.bin/ssh/Makefile +++ b/regress/usr.bin/ssh/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.133 2024/01/11 04:50:28 djm Exp $ +# $OpenBSD: Makefile,v 1.134 2024/06/06 19:49:25 djm Exp $ OPENSSL?= yes @@ -102,7 +102,8 @@ LTESTS= connect \ connection-timeout \ match-subsystem \ agent-pkcs11-restrict \ - agent-pkcs11-cert + agent-pkcs11-cert \ + penalty INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers INTEROP_TESTS+= dropbear-ciphers dropbear-kex diff --git a/regress/usr.bin/ssh/penalty.sh b/regress/usr.bin/ssh/penalty.sh new file mode 100644 index 00000000000..5ac7ef67ecf --- /dev/null +++ b/regress/usr.bin/ssh/penalty.sh 
@@ -0,0 +1,51 @@
+# $OpenBSD
+# Placed in the Public Domain.
+
+tid="penalties"
+
+grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak
+cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak
+
+conf() {
+ test -z "$PIDFILE" || stop_sshd
+ (cat $OBJ/sshd_config.bak ;
+ echo "PerSourcePenalties $@") > $OBJ/sshd_config
+ cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+ start_sshd
+}
+
+conf "noauth:10s authfail:6s grace-exceeded:10s min:8s max:20s"
+
+verbose "test connect"
+${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
+
+verbose "penalty for authentication failure"
+
+# Fail authentication once
+cat /dev/null > $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded"
+cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+
+# Should be below penalty threshold
+${SSH} -F $OBJ/ssh_config somehost true || fatal "authfail not expired"
+
+# Fail authentication again; penalty should activate
+cat /dev/null > $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded"
+cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+
+# These should be refused by the active penalty
+${SSH} -F $OBJ/ssh_config somehost true && fail "authfail not rejected"
+sleep 5
+${SSH} -F $OBJ/ssh_config somehost true && fail "repeat authfail not rejected"
+
+# Penalty should have expired, this should succeed.
+sleep 8
+${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired"
+
+verbose "penalty for no authentication"
+${SSHKEYSCAN} -p $PORT 127.0.0.1 >/dev/null 2>&1 || fatal "keyscan failed"
+
+# Repeat attempt should be penalised
+${SSHKEYSCAN} -p $PORT 127.0.0.1 >/dev/null 2>&1 && fail "keyscan not rejected"
+
|
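Review bot: The expected-refusal checks (`&& fail "authfail not rejected"`, `&& fail "repeat authfail not rejected"` and `&& fail "keyscan not rejected"`) accept any non-zero exit as evidence that the penalty fired, so they would also pass if sshd had stopped listening for an unrelated reason. The authfail section is partly covered by the later "authfail not expired" connect, but the keyscan section ends on the negative check with nothing afterwards confirming the daemon is still serving. Since this guards a source-throttling control, I would tie each refusal to the penalty itself by checking the sshd log after the refused attempt; the log path and message text are not visible in this hunk, so that check is described rather than quoted. At minimum add `# NB: non-zero exit only shows the connection failed, not that the penalty caused it` above those lines. Separately, `echo "PerSourcePenalties $@"` in conf() is only correct because conf is called with a single argument; `$*` would state the intent.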