[openssh-commits] [openssh] 02/06: upstream: Add basic test for keyboard-interactive auth.
git+noreply at mindrot.org
git+noreply at mindrot.org
Mon Feb 16 12:20:34 AEDT 2026
This is an automated email from the git hooks/post-receive script.
dtucker pushed a commit to branch master
in repository openssh.
commit c5cee49a0c5721532716365f32977fc02eeea1d5
Author: dtucker at openbsd.org <dtucker at openbsd.org>
AuthorDate: Sun Feb 15 22:29:30 2026 +0000
upstream: Add basic test for keyboard-interactive auth.
Not enabled by default since it requires some setup on the host.
OpenBSD-Regress-ID: aa8a9608a2ea2e5aaa094c5a5cc453e4797cd902
---
regress/Makefile | 3 +-
regress/kbdint.sh | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 89 insertions(+), 1 deletion(-)
diff --git a/regress/Makefile b/regress/Makefile
index bd44b0489..93826c281 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.141 2025/10/16 00:01:54 djm Exp $
+# $OpenBSD: Makefile,v 1.143 2026/02/15 22:29:30 dtucker Exp $
tests: prep file-tests t-exec unit
@@ -108,6 +108,7 @@ LTESTS= connect \
agent-restrict \
hostbased \
password \
+ kbdint \
channel-timeout \
connection-timeout \
match-subsystem \
diff --git a/regress/kbdint.sh b/regress/kbdint.sh
new file mode 100644
index 000000000..5629270b0
--- /dev/null
+++ b/regress/kbdint.sh
@@ -0,0 +1,87 @@
+# $OpenBSD: kbdint.sh,v 1.1 2026/02/15 22:29:30 dtucker Exp $
+# Placed in the Public Domain.
+#
+# This tests keyboard-interactive authentication. It does not run by default,
+# and needs to be enabled by putting the password of the user running the tests
+# into ${OBJ}/kbdintpw. Since this obviously puts the password at risk it is
+# recommended to do this on a throwaway VM by setting a random password
+# (and randomizing it again after the test, if you can't immediately dispose
+# of the VM).
+
+tid="kbdint"
+
+if [ -z "$SUDO" -o ! -f ${OBJ}/kbdintpw ]; then
+ skip "Password auth requires SUDO and kbdintpw file."
+fi
+
+# Enable keyboard-interactive auth
+echo "KbdInteractiveAuthentication yes" >>sshd_proxy
+
+# Create askpass script to replay a series of password responses.
+# Keep a counter of the number of times it has been called and
+# reply with the next line of the replypass file.
+cat >${OBJ}/replypass.sh <<EOD
+#!/bin/sh
+n=\`cat ${OBJ}/replypass.N\`
+awk "NR==\$n" ${OBJ}/replypass
+echo \$(( \$n + 1 )) >${OBJ}/replypass.N
+EOD
+chmod 700 ${OBJ}/replypass.sh
+
+SSH_ASKPASS=${OBJ}/replypass.sh
+SSH_ASKPASS_REQUIRE=force
+export SSH_ASKPASS SSH_ASKPASS_REQUIRE
+
+opts="-oKbdInteractiveAuthentication=yes -oPreferredAuthentications=keyboard-interactive"
+opts="-oBatchMode=no $opts"
+
+trace correct password 1st attempt
+cat ${OBJ}/kbdintpw >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -ne 0 ]; then
+ fail "ssh kdbint failed"
+fi
+
+trace bad password
+echo badpass >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -eq 0 ]; then
+ fail "ssh unexpectedly succeeded"
+fi
+
+trace correct password 2nd attempt
+(echo badpass; cat ${OBJ}/kbdintpw) >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -ne 0 ]; then
+ fail "did not succeed on 2nd attempt"
+fi
+
+trace empty password
+echo >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -eq 0 ]; then
+ fail "ssh unexpectedly succeeded with empty password"
+fi
+
+trace huge password
+(for i in 0 1 2 3 4 5 6 7 8 9; do printf 0123456789; done; echo) \
+ >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -eq 0 ]; then
+ fail "ssh unexpectedly succeeded with huge password"
+fi
+
+trace spam password
+for i in 0 1 2 3 4 5 6 7 8 9; do printf '1\n2\n3\n4\n5\n6\n7\n8\n9\n'; done \
+ >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+fail foo
+if [ $? -eq 0 ]; then
+ fail "ssh unexpectedly succeeded with password spam"
+fi
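Review bot: The `fail foo` line after the last ssh invocation (the spam password case) looks like leftover debugging. Assuming `fail` is the harness helper used in the other cases, it records a failure on every run, and because it sits between the ssh command and `if [ $? -eq 0 ]`, that check reads the status of `fail` rather than of ssh; drop the line. Separately, the test copies the real account password from `${OBJ}/kbdintpw` into `${OBJ}/replypass` under whatever umask is in effect and never removes it, so a second plaintext copy outlives the run; consider `umask 077` before the first write and `rm -f ${OBJ}/replypass ${OBJ}/replypass.N` once the cases finish. Minor: the first failure message spells the method `kdbint`, and the skip message says "Password auth" although this test covers keyboard-interactive.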
--