diff options
| author | dtucker@openbsd.org <dtucker@openbsd.org> | 2022-01-06 22:46:56 +0100 |
|---|---|---|
| committer | Darren Tucker <dtucker@dtucker.net> | 2022-01-06 23:50:07 +0100 |
| commit | e12d912ddf1c873cb72e5de9a197afbe0b6622d2 (patch) | |
| tree | 689c496e9276571469f8aa99b7d2e3c2ef9e9c3a /regress/hostbased.sh | |
| parent | depend (diff) | |
| download | openssh-e12d912ddf1c873cb72e5de9a197afbe0b6622d2.tar.xz openssh-e12d912ddf1c873cb72e5de9a197afbe0b6622d2.zip | |
upstream: Add test for hostbased auth. It requires some external
setup (see comments at the top) and thus is disabled unless
TEST_SSH_HOSTBASED_AUTH and SUDO are set.
OpenBSD-Regress-ID: 3ec8ba3750c5b595fc63e7845d13483065a4827a
Diffstat (limited to 'regress/hostbased.sh')
| -rw-r--r-- | regress/hostbased.sh | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/regress/hostbased.sh b/regress/hostbased.sh new file mode 100644 index 000000000..f62d6f5f1 --- /dev/null +++ b/regress/hostbased.sh @@ -0,0 +1,62 @@ +# $OpenBSD: hostbased.sh,v 1.1 2022/01/06 21:46:56 dtucker Exp $ +# Placed in the Public Domain. + +# This test requires external setup and thus is skipped unless +# TEST_SSH_HOSTBASED_AUTH and SUDO are set to "yes". +# Since ssh-keysign has key paths hard coded, unlike the other tests it +# needs to use the real host keys. It requires: +# - ssh-keysign must be installed and setuid. +# - "EnableSSHKeysign yes" must be in the system ssh_config. +# - the system's own real FQDN the system-wide shosts.equiv. +# - the system's real public key fingerprints must me in global ssh_known_hosts. +# +tid="hostbased" + +if [ -z "${TEST_SSH_HOSTBASED_AUTH}" ]; then + skip "TEST_SSH_HOSTBASED_AUTH not set." +elif [ -z "${SUDO}" ]; then + skip "SUDO not set" +fi + +cat >>$OBJ/sshd_proxy <<EOD +HostbasedAuthentication yes +HostbasedAcceptedAlgorithms +ssh-rsa,ssh-dss +HostbasedUsesNameFromPacketOnly yes +HostKeyAlgorithms +ssh-rsa,ssh-dss +EOD + +cat >>$OBJ/ssh_proxy <<EOD +HostbasedAuthentication yes +HostKeyAlgorithms +ssh-rsa,ssh-dss +HostbasedAcceptedAlgorithms +ssh-rsa,ssh-dss +PreferredAuthentications hostbased +EOD + +algos="" +for key in `${SUDO} ${SSHD} -T | awk '$1=="hostkey"{print $2}'`; do + case "`$SSHKEYGEN -l -f ${key}.pub`" in + 256*ECDSA*) algos="$algos ecdsa-sha2-nistp256" ;; + 384*ECDSA*) algos="$algos ecdsa-sha2-nistp384" ;; + 521*ECDSA*) algos="$algos ecdsa-sha2-nistp521" ;; + *RSA*) algos="$algos ssh-rsa rsa-sha2-256 rsa-sha2-512" ;; + *ED25519*) algos="$algos ssh-ed25519" ;; + *DSA*) algos="$algos ssh-dss" ;; + *) warn "unknown host key type $key" ;; + esac +done + +for algo in $algos; do + trace "hostbased algo $algo" + opts="-F $OBJ/ssh_proxy" + if [ "x$algo" != "xdefault" ]; then + opts="$opts -oHostbasedAcceptedAlgorithms=$algo" + fi + SSH_CONNECTION=`${SSH} $opts localhost 'echo $SSH_CONNECTION'` + if [ $? -ne 0 ]; then + fail "connect failed, hostbased algo $algo" + fi + if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then + fail "hostbased algo $algo bad SSH_CONNECTION" \ + "$SSH_CONNECTION" + fi +done |