[openssh-commits] [openssh] 02/04: upstream: Add simple test for password auth. Requires some setup

git+noreply at mindrot.org git+noreply at mindrot.org
Sun Jun 29 11:15:21 AEST 2025


This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit 838d5ec4b12fb519ed9db76e5beccf11b7ee212f
Author: dtucker at openbsd.org <dtucker at openbsd.org>
AuthorDate: Tue Jun 24 12:28:23 2025 +0000

    upstream: Add simple test for password auth. Requires some setup
    
    so does not run by default.
    
    OpenBSD-Regress-ID: d5ded47a266b031fc91f99882f07161ab6d1bb70
---
 regress/Makefile    |  3 ++-
 regress/password.sh | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+), 1 deletion(-)

diff --git a/regress/Makefile b/regress/Makefile
index d97ea34a2..d0298d45e 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.136 2025/03/11 07:50:20 dtucker Exp $
+#	$OpenBSD: Makefile,v 1.138 2025/06/24 12:28:23 dtucker Exp $
 
 tests:		prep file-tests t-exec unit
 
@@ -106,6 +106,7 @@ LTESTS= 	connect \
 		knownhosts-command \
 		agent-restrict \
 		hostbased \
+		password \
 		channel-timeout \
 		connection-timeout \
 		match-subsystem \
diff --git a/regress/password.sh b/regress/password.sh
new file mode 100644
index 000000000..1c5218d6b
--- /dev/null
+++ b/regress/password.sh
@@ -0,0 +1,59 @@
+#	$OpenBSD: password.sh,v 1.1 2025/06/24 12:28:23 dtucker Exp $
+#	Placed in the Public Domain.
+#
+# This tests standard "password" authentication.  It does not run by default,
+# and needs to be enabled by putting the password of the user running the tests
+# into ${OBJ}/password.  Since this obviously puts the password at risk it is
+# recommended to do this on a throwaway VM by setting a random password
+# (and randomizing it again after the test, if you can't immediately dispose
+# of the VM).
+
+tid="password"
+
+if [ -z "$SUDO" -o ! -f ${OBJ}/password ]; then
+	skip "Password auth requires SUDO and password file."
+fi
+
+# Enable password auth
+echo "PasswordAuthentication yes" >>sshd_proxy
+
+# Create askpass script to replay a series of password responses.
+# Keep a counter of the number of times it has been called and
+# reply with the next line of the replypass file.
+cat >${OBJ}/replypass.sh <<EOD
+n=\`cat ${OBJ}/replypass.N\`
+awk "NR==\$n" ${OBJ}/replypass
+echo \$(( \$n + 1 )) >${OBJ}/replypass.N
+EOD
+chmod 700 ${OBJ}/replypass.sh
+
+SSH_ASKPASS=${OBJ}/replypass.sh
+SSH_ASKPASS_REQUIRE=force
+export SSH_ASKPASS SSH_ASKPASS_REQUIRE
+
+opts="-oPasswordAuthentication=yes -oPreferredAuthentications=password"
+opts="-oBatchMode=no $opts"
+
+trace plain password
+cat ${OBJ}/password >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -ne 0 ]; then
+	fail "ssh password failed"
+fi
+
+trace 2-round password
+(echo; cat ${OBJ}/password) >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -ne 0 ]; then
+	fail "ssh 2-round password failed"
+fi
+
+trace empty password
+echo >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -eq 0 ]; then
+	fail "ssh password failed"
+fi

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list