[openssh-commits] [openssh] branch master updated: upstream: split the PerSourcePenalties test in two: one tests penalty
git+noreply at mindrot.org
git+noreply at mindrot.org
Fri Jun 14 14:46:28 AEST 2024
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
The following commit(s) were added to refs/heads/master by this push:
new 2866ad08 upstream: split the PerSourcePenalties test in two: one tests penalty
2866ad08 is described below
commit 2866ad08a9c50d7b67ce9424ca990532b806a21a
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Fri Jun 14 04:43:11 2024 +0000
upstream: split the PerSourcePenalties test in two: one tests penalty
enforcement but not penalty expiry, the other tests penalty expiry.
This lets us disable the expiry testing in certain CI test environments.
OpenBSD-Regress-ID: f56811064f3e3cb52ee73a206b8c2a06af1c8791
---
regress/Makefile | 5 +++--
regress/penalty-expire.sh | 34 ++++++++++++++++++++++++++++++++++
regress/penalty.sh | 9 +++------
3 files changed, 40 insertions(+), 8 deletions(-)
diff --git a/regress/Makefile b/regress/Makefile
index 24b02191..7f734970 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.134 2024/06/06 19:49:25 djm Exp $
+# $OpenBSD: Makefile,v 1.135 2024/06/14 04:43:11 djm Exp $
tests: prep file-tests t-exec unit
@@ -110,7 +110,8 @@ LTESTS= connect \
match-subsystem \
agent-pkcs11-restrict \
agent-pkcs11-cert \
- penalty
+ penalty \
+ penalty-expire
INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
INTEROP_TESTS+= dropbear-ciphers dropbear-kex
diff --git a/regress/penalty-expire.sh b/regress/penalty-expire.sh
new file mode 100644
index 00000000..30b7bd45
--- /dev/null
+++ b/regress/penalty-expire.sh
@@ -0,0 +1,34 @@
+# $OpenBSD
+# Placed in the Public Domain.
+
+tid="penalties"
+
+grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak
+cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak
+
+conf() {
+ test -z "$PIDFILE" || stop_sshd
+ (cat $OBJ/sshd_config.bak ;
+ echo "PerSourcePenalties $@") > $OBJ/sshd_config
+ cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+ start_sshd
+}
+
+conf "noauth:10s authfail:10s max:20s min:1s"
+
+verbose "test connect"
+${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
+
+verbose "penalty expiry"
+
+# Incur a penalty
+cat /dev/null > $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail connect succeeded"
+
+# Check denied
+cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail not rejected"
+
+# Let it expire and try again.
+sleep 11
+${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired"
diff --git a/regress/penalty.sh b/regress/penalty.sh
index 0285f003..4308e0b8 100644
--- a/regress/penalty.sh
+++ b/regress/penalty.sh
@@ -14,7 +14,7 @@ conf() {
start_sshd
}
-conf "noauth:10s authfail:6s grace-exceeded:10s min:8s max:20s"
+conf "authfail:30s min:50s max:200s"
verbose "test connect"
${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
@@ -36,13 +36,10 @@ cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
# These should be refused by the active penalty
${SSH} -F $OBJ/ssh_config somehost true && fail "authfail not rejected"
-sleep 5
${SSH} -F $OBJ/ssh_config somehost true && fail "repeat authfail not rejected"
-# Penalty should have expired, this should succeed.
-sleep 8
-${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired"
-
+conf "noauth:100s"
+${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
verbose "penalty for no authentication"
${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null || fatal "keyscan failed"
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list