tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-27 15:54:22 +02:00
Code Issues Packages Projects Releases Wiki Activity

upstream: Add test for hostbased auth. It requires some external

Browse Source 
setup (see comments at the top) and thus is disabled unless
TEST_SSH_HOSTBASED_AUTH and SUDO are set.

OpenBSD-Regress-ID: 3ec8ba3750c5b595fc63e7845d13483065a4827a
This commit is contained in:
dtucker@openbsd.org 2022-01-06 21:46:56 +00:00 committed by Darren Tucker
parent a48533a8da
commit e12d912ddf
2 changed files with 65 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
regress/Makefile
View File

@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.119 2021/12/19 22:20:12 djm Exp $ # $OpenBSD: Makefile,v 1.120 2022/01/06 21:46:56 dtucker Exp $
tests: prep file-tests t-exec unit tests: prep file-tests t-exec unit
@ -100,8 +100,8 @@ LTESTS= connect \
sshsig \ sshsig \
knownhosts \ knownhosts \
knownhosts-command \ knownhosts-command \
agent-restrict agent-restrict \
hostbased
INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp

62
regress/hostbased.sh Normal file
View File

@ -0,0 +1,62 @@
# $OpenBSD: hostbased.sh,v 1.1 2022/01/06 21:46:56 dtucker Exp $
# Placed in the Public Domain.
# This test requires external setup and thus is skipped unless
# TEST_SSH_HOSTBASED_AUTH and SUDO are set to "yes".
# Since ssh-keysign has key paths hard coded, unlike the other tests it
# needs to use the real host keys. It requires:
# - ssh-keysign must be installed and setuid.
# - "EnableSSHKeysign yes" must be in the system ssh_config.
# - the system's own real FQDN the system-wide shosts.equiv.
# - the system's real public key fingerprints must me in global ssh_known_hosts.
#
tid="hostbased"
if [ -z "${TEST_SSH_HOSTBASED_AUTH}" ]; then
skip "TEST_SSH_HOSTBASED_AUTH not set."
elif [ -z "${SUDO}" ]; then
skip "SUDO not set"
fi
cat >>$OBJ/sshd_proxy <<EOD
HostbasedAuthentication yes
HostbasedAcceptedAlgorithms +ssh-rsa,ssh-dss
HostbasedUsesNameFromPacketOnly yes
HostKeyAlgorithms +ssh-rsa,ssh-dss
EOD
cat >>$OBJ/ssh_proxy <<EOD
HostbasedAuthentication yes
HostKeyAlgorithms +ssh-rsa,ssh-dss
HostbasedAcceptedAlgorithms +ssh-rsa,ssh-dss
PreferredAuthentications hostbased
EOD
algos=""
for key in `${SUDO} ${SSHD} -T | awk '$1=="hostkey"{print $2}'`; do
case "`$SSHKEYGEN -l -f ${key}.pub`" in
256*ECDSA*) algos="$algos ecdsa-sha2-nistp256" ;;
384*ECDSA*) algos="$algos ecdsa-sha2-nistp384" ;;
521*ECDSA*) algos="$algos ecdsa-sha2-nistp521" ;;
*RSA*) algos="$algos ssh-rsa rsa-sha2-256 rsa-sha2-512" ;;
*ED25519*) algos="$algos ssh-ed25519" ;;
*DSA*) algos="$algos ssh-dss" ;;
*) warn "unknown host key type $key" ;;
esac
done
for algo in $algos; do
trace "hostbased algo $algo"
opts="-F $OBJ/ssh_proxy"
if [ "x$algo" != "xdefault" ]; then
opts="$opts -oHostbasedAcceptedAlgorithms=$algo"
fi
SSH_CONNECTION=`${SSH} $opts localhost 'echo $SSH_CONNECTION'`
if [ $? -ne 0 ]; then
fail "connect failed, hostbased algo $algo"
fi
if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
fail "hostbased algo $algo bad SSH_CONNECTION" \
"$SSH_CONNECTION"
fi
done