src - OpenBSD base system

diff options


context:
space:
mode:

author	Damien Miller <djm@cvs.openbsd.org>	2024-06-14 04:43:12 +0000
committer	Damien Miller <djm@cvs.openbsd.org>	2024-06-14 04:43:12 +0000
commit	04aca1825b200f418c46bd819cdb960c3b6ee138 (patch)
tree	686150d909cdbe93afb61f3ac01e62622b7f5029 /regress/usr.bin
parent	89e17d1b26df6d14dc0501d67d0544758b41890c (diff)

split the PerSourcePenalties test in two: one tests penalty enforcement

but not penalty expiry, the other tests penalty expiry. This lets us disable the expiry testing in certain CI test environments.

Diffstat (limited to 'regress/usr.bin')

-rw-r--r--

regress/usr.bin/ssh/Makefile

-rw-r--r--

regress/usr.bin/ssh/penalty-expire.sh

-rw-r--r--

regress/usr.bin/ssh/penalty.sh

3 files changed, 40 insertions, 8 deletions

diff --git a/regress/usr.bin/ssh/Makefile b/regress/usr.bin/ssh/Makefile
index 27737c38a76..820ac68e497 100644
--- a/regress/usr.bin/ssh/Makefile
+++ b/regress/usr.bin/ssh/Makefile

@@ -1,4 +1,4 @@

-# $OpenBSD: Makefile,v 1.134 2024/06/06 19:49:25 djm Exp $

+# $OpenBSD: Makefile,v 1.135 2024/06/14 04:43:11 djm Exp $

OPENSSL?= yes

@@ -103,7 +103,8 @@ LTESTS= connect \

match-subsystem \

agent-pkcs11-restrict \

agent-pkcs11-cert \

- penalty

+ penalty \

+ penalty-expire

INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers

INTEROP_TESTS+= dropbear-ciphers dropbear-kex

diff --git a/regress/usr.bin/ssh/penalty-expire.sh b/regress/usr.bin/ssh/penalty-expire.sh
new file mode 100644
index 00000000000..30b7bd45db1
--- /dev/null
+++ b/regress/usr.bin/ssh/penalty-expire.sh

@@ -0,0 +1,34 @@

+# $OpenBSD

+# Placed in the Public Domain.

+tid="penalties"

+grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak

+cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak

+conf() {

+ test -z "$PIDFILE" || stop_sshd

+ (cat $OBJ/sshd_config.bak ;

+ echo "PerSourcePenalties $@") > $OBJ/sshd_config

+ cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}

+ start_sshd

+conf "noauth:10s authfail:10s max:20s min:1s"

+verbose "test connect"

+${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"

+verbose "penalty expiry"

+# Incur a penalty

+cat /dev/null > $OBJ/authorized_keys_${USER}

+${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail connect succeeded"

+# Check denied

+cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}

+${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail not rejected"

+# Let it expire and try again.

+sleep 11

+${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired"

diff --git a/regress/usr.bin/ssh/penalty.sh b/regress/usr.bin/ssh/penalty.sh
index 0285f003696..4308e0b82a2 100644
--- a/regress/usr.bin/ssh/penalty.sh
+++ b/regress/usr.bin/ssh/penalty.sh

@@ -14,7 +14,7 @@ conf() {

start_sshd

}

-conf "noauth:10s authfail:6s grace-exceeded:10s min:8s max:20s"

+conf "authfail:30s min:50s max:200s"

verbose "test connect"

${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"

@@ -36,13 +36,10 @@ cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}

# These should be refused by the active penalty

${SSH} -F $OBJ/ssh_config somehost true && fail "authfail not rejected"

-sleep 5

${SSH} -F $OBJ/ssh_config somehost true && fail "repeat authfail not rejected"

-# Penalty should have expired, this should succeed.

-sleep 8

-${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired"

+conf "noauth:100s"

+${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"

verbose "penalty for no authentication"

${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null || fatal "keyscan failed"