diff options
| -rw-r--r-- | regress/usr.bin/ssh/Makefile | 5 | ||||
| -rw-r--r-- | regress/usr.bin/ssh/penalty-expire.sh | 34 | ||||
| -rw-r--r-- | regress/usr.bin/ssh/penalty.sh | 9 |
3 files changed, 40 insertions, 8 deletions
diff --git a/regress/usr.bin/ssh/Makefile b/regress/usr.bin/ssh/Makefile index 27737c38a76..820ac68e497 100644 --- a/regress/usr.bin/ssh/Makefile +++ b/regress/usr.bin/ssh/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.134 2024/06/06 19:49:25 djm Exp $ +# $OpenBSD: Makefile,v 1.135 2024/06/14 04:43:11 djm Exp $ OPENSSL?= yes @@ -103,7 +103,8 @@ LTESTS= connect \ match-subsystem \ agent-pkcs11-restrict \ agent-pkcs11-cert \ - penalty + penalty \ + penalty-expire INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers INTEROP_TESTS+= dropbear-ciphers dropbear-kex diff --git a/regress/usr.bin/ssh/penalty-expire.sh b/regress/usr.bin/ssh/penalty-expire.sh new file mode 100644 index 00000000000..30b7bd45db1 --- /dev/null +++ b/regress/usr.bin/ssh/penalty-expire.sh @@ -0,0 +1,34 @@ +# $OpenBSD +# Placed in the Public Domain. + +tid="penalties" + +grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak +cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak + +conf() { + test -z "$PIDFILE" || stop_sshd + (cat $OBJ/sshd_config.bak ; + echo "PerSourcePenalties $@") > $OBJ/sshd_config + cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER} + start_sshd +} + +conf "noauth:10s authfail:10s max:20s min:1s" + +verbose "test connect" +${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed" + +verbose "penalty expiry" + +# Incur a penalty +cat /dev/null > $OBJ/authorized_keys_${USER} +${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail connect succeeded" + +# Check denied +cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER} +${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail not rejected" + +# Let it expire and try again. +sleep 11 +${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired" diff --git a/regress/usr.bin/ssh/penalty.sh b/regress/usr.bin/ssh/penalty.sh index 0285f003696..4308e0b82a2 100644 --- a/regress/usr.bin/ssh/penalty.sh +++ b/regress/usr.bin/ssh/penalty.sh @@ -14,7 +14,7 @@ conf() { start_sshd } -conf "noauth:10s authfail:6s grace-exceeded:10s min:8s max:20s" +conf "authfail:30s min:50s max:200s" verbose "test connect" ${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed" @@ -36,13 +36,10 @@ cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER} # These should be refused by the active penalty ${SSH} -F $OBJ/ssh_config somehost true && fail "authfail not rejected" -sleep 5 ${SSH} -F $OBJ/ssh_config somehost true && fail "repeat authfail not rejected" -# Penalty should have expired, this should succeed. -sleep 8 -${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired" - +conf "noauth:100s" +${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed" verbose "penalty for no authentication" ${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null || fatal "keyscan failed" |