[openssh-commits] [openssh] branch master updated: missing file for PerSourcePenalties regress test
git+noreply at mindrot.org
git+noreply at mindrot.org
Thu Jun 13 11:17:15 AEST 2024
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
The following commit(s) were added to refs/heads/master by this push:
new f1c42858 missing file for PerSourcePenalties regress test
f1c42858 is described below
commit f1c42858b94f5d9b58867b34dce3afb39c6b56a8
Author: Damien Miller <djm at mindrot.org>
AuthorDate: Thu Jun 13 11:16:57 2024 +1000
missing file for PerSourcePenalties regress test
---
regress/penalty.sh | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
diff --git a/regress/penalty.sh b/regress/penalty.sh
new file mode 100644
index 00000000..5ac7ef67
--- /dev/null
+++ b/regress/penalty.sh
@@ -0,0 +1,51 @@
+# $OpenBSD
+# Placed in the Public Domain.
+
+tid="penalties"
+
+grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak
+cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak
+
+conf() {
+ test -z "$PIDFILE" || stop_sshd
+ (cat $OBJ/sshd_config.bak ;
+ echo "PerSourcePenalties $@") > $OBJ/sshd_config
+ cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+ start_sshd
+}
+
+conf "noauth:10s authfail:6s grace-exceeded:10s min:8s max:20s"
+
+verbose "test connect"
+${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
+
+verbose "penalty for authentication failure"
+
+# Fail authentication once
+cat /dev/null > $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded"
+cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+
+# Should be below penalty threshold
+${SSH} -F $OBJ/ssh_config somehost true || fatal "authfail not expired"
+
+# Fail authentication again; penalty should activate
+cat /dev/null > $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded"
+cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+
+# These should be refused by the active penalty
+${SSH} -F $OBJ/ssh_config somehost true && fail "authfail not rejected"
+sleep 5
+${SSH} -F $OBJ/ssh_config somehost true && fail "repeat authfail not rejected"
+
+# Penalty should have expired, this should succeed.
+sleep 8
+${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired"
+
+verbose "penalty for no authentication"
+${SSHKEYSCAN} -p $PORT 127.0.0.1 >/dev/null 2>&1 || fatal "keyscan failed"
+
+# Repeat attempt should be penalised
+${SSHKEYSCAN} -p $PORT 127.0.0.1 >/dev/null 2>&1 && fail "keyscan not rejected"
+
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list