diff options
| author | Darren Tucker <dtucker@cvs.openbsd.org> | 2022-01-06 21:46:57 +0000 |
|---|---|---|
| committer | Darren Tucker <dtucker@cvs.openbsd.org> | 2022-01-06 21:46:57 +0000 |
| commit | 04c65dec6f8d8c5f1afa2ef159707c2d775935db (patch) | |
| tree | 2b0c0ed74571c8d7bb2a201e4d10e6498b69846f /regress/usr.bin | |
| parent | 3c3a95956fd90e02064b5211b7b0392ca7dbc3b8 (diff) | |
Add test for hostbased auth. It requires some external setup (see
comments at the top) and thus is disabled unless TEST_SSH_HOSTBASED_AUTH
and SUDO are set.
Diffstat (limited to 'regress/usr.bin')
| -rw-r--r-- | regress/usr.bin/ssh/Makefile | 5 | ||||
| -rw-r--r-- | regress/usr.bin/ssh/hostbased.sh | 62 |
2 files changed, 65 insertions, 2 deletions
diff --git a/regress/usr.bin/ssh/Makefile b/regress/usr.bin/ssh/Makefile index 4bb2ae91447..fe9438d9043 100644 --- a/regress/usr.bin/ssh/Makefile +++ b/regress/usr.bin/ssh/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.119 2021/12/19 22:20:12 djm Exp $ +# $OpenBSD: Makefile,v 1.120 2022/01/06 21:46:56 dtucker Exp $ OPENSSL?= yes @@ -98,7 +98,8 @@ LTESTS= connect \ sshsig \ knownhosts \ knownhosts-command \ - agent-restrict + agent-restrict \ + hostbased INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp diff --git a/regress/usr.bin/ssh/hostbased.sh b/regress/usr.bin/ssh/hostbased.sh new file mode 100644 index 00000000000..f62d6f5f1b9 --- /dev/null +++ b/regress/usr.bin/ssh/hostbased.sh @@ -0,0 +1,62 @@ +# $OpenBSD: hostbased.sh,v 1.1 2022/01/06 21:46:56 dtucker Exp $ +# Placed in the Public Domain. + +# This test requires external setup and thus is skipped unless +# TEST_SSH_HOSTBASED_AUTH and SUDO are set to "yes". +# Since ssh-keysign has key paths hard coded, unlike the other tests it +# needs to use the real host keys. It requires: +# - ssh-keysign must be installed and setuid. +# - "EnableSSHKeysign yes" must be in the system ssh_config. +# - the system's own real FQDN the system-wide shosts.equiv. +# - the system's real public key fingerprints must me in global ssh_known_hosts. +# +tid="hostbased" + +if [ -z "${TEST_SSH_HOSTBASED_AUTH}" ]; then + skip "TEST_SSH_HOSTBASED_AUTH not set." +elif [ -z "${SUDO}" ]; then + skip "SUDO not set" +fi + +cat >>$OBJ/sshd_proxy <<EOD +HostbasedAuthentication yes +HostbasedAcceptedAlgorithms +ssh-rsa,ssh-dss +HostbasedUsesNameFromPacketOnly yes +HostKeyAlgorithms +ssh-rsa,ssh-dss +EOD + +cat >>$OBJ/ssh_proxy <<EOD +HostbasedAuthentication yes +HostKeyAlgorithms +ssh-rsa,ssh-dss +HostbasedAcceptedAlgorithms +ssh-rsa,ssh-dss +PreferredAuthentications hostbased +EOD + +algos="" +for key in `${SUDO} ${SSHD} -T | awk '$1=="hostkey"{print $2}'`; do + case "`$SSHKEYGEN -l -f ${key}.pub`" in + 256*ECDSA*) algos="$algos ecdsa-sha2-nistp256" ;; + 384*ECDSA*) algos="$algos ecdsa-sha2-nistp384" ;; + 521*ECDSA*) algos="$algos ecdsa-sha2-nistp521" ;; + *RSA*) algos="$algos ssh-rsa rsa-sha2-256 rsa-sha2-512" ;; + *ED25519*) algos="$algos ssh-ed25519" ;; + *DSA*) algos="$algos ssh-dss" ;; + *) warn "unknown host key type $key" ;; + esac +done + +for algo in $algos; do + trace "hostbased algo $algo" + opts="-F $OBJ/ssh_proxy" + if [ "x$algo" != "xdefault" ]; then + opts="$opts -oHostbasedAcceptedAlgorithms=$algo" + fi + SSH_CONNECTION=`${SSH} $opts localhost 'echo $SSH_CONNECTION'` + if [ $? -ne 0 ]; then + fail "connect failed, hostbased algo $algo" + fi + if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then + fail "hostbased algo $algo bad SSH_CONNECTION" \ + "$SSH_CONNECTION" + fi +done |