[openssh-commits] [openssh] 01/02: upstream: Add test for hostbased auth. It requires some external

Fri Jan 7 09:50:20 AEDT 2022

This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit e12d912ddf1c873cb72e5de9a197afbe0b6622d2
Author: dtucker at openbsd.org <dtucker at openbsd.org>
Date:   Thu Jan 6 21:46:56 2022 +0000

    upstream: Add test for hostbased auth. It requires some external
    
    setup (see comments at the top) and thus is disabled unless
    TEST_SSH_HOSTBASED_AUTH and SUDO are set.
    
    OpenBSD-Regress-ID: 3ec8ba3750c5b595fc63e7845d13483065a4827a
---
 regress/Makefile     |  6 ++---
 regress/hostbased.sh | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+), 3 deletions(-)

diff --git a/regress/Makefile b/regress/Makefile
index da36c75a..0554c1ac 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.119 2021/12/19 22:20:12 djm Exp $
+#	$OpenBSD: Makefile,v 1.120 2022/01/06 21:46:56 dtucker Exp $
 
 tests:		prep file-tests t-exec unit
 
@@ -100,8 +100,8 @@ LTESTS= 	connect \
 		sshsig \
 		knownhosts \
 		knownhosts-command \
-		agent-restrict
-
+		agent-restrict \
+		hostbased
 
 INTEROP_TESTS=	putty-transfer putty-ciphers putty-kex conch-ciphers
 #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
diff --git a/regress/hostbased.sh b/regress/hostbased.sh
new file mode 100644
index 00000000..f62d6f5f
--- /dev/null
+++ b/regress/hostbased.sh
@@ -0,0 +1,62 @@
+#	$OpenBSD: hostbased.sh,v 1.1 2022/01/06 21:46:56 dtucker Exp $
+#	Placed in the Public Domain.
+
+# This test requires external setup and thus is skipped unless
+# TEST_SSH_HOSTBASED_AUTH and SUDO are set to "yes".
+# Since ssh-keysign has key paths hard coded, unlike the other tests it
+# needs to use the real host keys. It requires:
+# - ssh-keysign must be installed and setuid.
+# - "EnableSSHKeysign yes" must be in the system ssh_config.
+# - the system's own real FQDN the system-wide shosts.equiv.
+# - the system's real public key fingerprints must me in global ssh_known_hosts.
+#
+tid="hostbased"
+
+if [ -z "${TEST_SSH_HOSTBASED_AUTH}" ]; then
+	skip "TEST_SSH_HOSTBASED_AUTH not set."
+elif [ -z "${SUDO}" ]; then
+	skip "SUDO not set"
+fi
+
+cat >>$OBJ/sshd_proxy <<EOD
+HostbasedAuthentication yes
+HostbasedAcceptedAlgorithms +ssh-rsa,ssh-dss
+HostbasedUsesNameFromPacketOnly yes
+HostKeyAlgorithms +ssh-rsa,ssh-dss
+EOD
+
+cat >>$OBJ/ssh_proxy <<EOD
+HostbasedAuthentication yes
+HostKeyAlgorithms +ssh-rsa,ssh-dss
+HostbasedAcceptedAlgorithms +ssh-rsa,ssh-dss
+PreferredAuthentications hostbased
+EOD
+
+algos=""
+for key in `${SUDO} ${SSHD} -T | awk '$1=="hostkey"{print $2}'`; do
+	case "`$SSHKEYGEN -l -f ${key}.pub`" in
+	256*ECDSA*)	algos="$algos ecdsa-sha2-nistp256" ;;
+	384*ECDSA*)	algos="$algos ecdsa-sha2-nistp384" ;;
+	521*ECDSA*)	algos="$algos ecdsa-sha2-nistp521" ;;
+	*RSA*)		algos="$algos ssh-rsa rsa-sha2-256 rsa-sha2-512" ;;
+	*ED25519*)	algos="$algos ssh-ed25519" ;;
+	*DSA*)		algos="$algos ssh-dss" ;;
+	*) warn "unknown host key type $key" ;;
+	esac
+done
+
+for algo in $algos; do
+	trace "hostbased algo $algo"
+	opts="-F $OBJ/ssh_proxy"
+	if [ "x$algo" != "xdefault" ]; then
+		opts="$opts -oHostbasedAcceptedAlgorithms=$algo"
+	fi
+	SSH_CONNECTION=`${SSH} $opts localhost 'echo $SSH_CONNECTION'`
+	if [ $? -ne 0 ]; then
+		fail "connect failed, hostbased algo $algo"
+	fi
+	if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
+		fail "hostbased algo $algo bad SSH_CONNECTION" \
+		    "$SSH_CONNECTION"
+	fi
+done

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
