[openssh-commits] [openssh] 03/07: upstream: Add special handling of
git+noreply at mindrot.org
Mon Mar 30 18:51:34 AEDT 2026
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit 5576e260a0f9836ca55c8279e342c63d1a0851d1
Author: dtucker at openbsd.org <dtucker at openbsd.org>
AuthorDate: Mon Mar 23 09:09:36 2026 +0000
upstream: Add special handling of
TEST_SSH_HOSTBASED_AUTH=setupandrun.
This will MODIFY THE CONFIG OF THE SYSTEM IT IS RUNNING ON to enable
hostbased authentication to/from itself and run the hostbased tests. It
won't undo these changes, so don't do this on a system where this matters.
OpenBSD-Regress-ID: ae5a86db1791a2b8f999b07b5c8cc756d40bf645
---
regress/hostbased.sh | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/regress/hostbased.sh b/regress/hostbased.sh
index 5de176b18..3798f8b83 100644
--- a/regress/hostbased.sh
+++ b/regress/hostbased.sh
@@ -1,8 +1,8 @@
-# $OpenBSD: hostbased.sh,v 1.5 2025/05/06 06:05:48 djm Exp $
+# $OpenBSD: hostbased.sh,v 1.6 2026/03/23 09:09:36 dtucker Exp $
# Placed in the Public Domain.
# This test requires external setup and thus is skipped unless
-# TEST_SSH_HOSTBASED_AUTH and SUDO are set to "yes".
+# TEST_SSH_HOSTBASED_AUTH and SUDO are set.
# Since ssh-keysign has key paths hard coded, unlike the other tests it
# needs to use the real host keys. It requires:
# - ssh-keysign must be installed and setuid.
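Review bot: the rewritten header line "TEST_SSH_HOSTBASED_AUTH and SUDO are set." drops the "yes" wording but does not say what counts as set. The script's checks on both variables are -z tests, so any non-empty value, including something like "no", runs the test. Suggest wording it as "set to a non-empty value" and mentioning here that "setupandrun" is a special value described further down, so the two comment blocks read consistently.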
@@ -10,12 +10,31 @@
# - the system's own real FQDN the system-wide shosts.equiv.
# - the system's real public key fingerprints must be in global ssh_known_hosts.
#
+# Setting TEST_SSH_HOSTBASED_AUTH to the special value "setupandrun" will,
+# if run with SUDO, perform this setup and run the test. Note that this will
+# modify the global config to enable HostbasedAuthentication and leave it
+# enabled, so do not do this on a system that matters.
+#
tid="hostbased"
if [ -z "${TEST_SSH_HOSTBASED_AUTH}" ]; then
skip "TEST_SSH_HOSTBASED_AUTH not set."
elif [ -z "${SUDO}" ]; then
skip "SUDO not set"
+elif [ "${TEST_SSH_HOSTBASED_AUTH}" = "setupandrun" ]; then
+ verbose "setting up system for hostbased auth"
+ knownhosts=`$SSH -G localhost | \
+ awk '$1=="globalknownhostsfile" {print $2}'`
+ sshconf=`dirname $knownhosts`
+ hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null
+ if ! grep "^EnableSSHKeysign yes" $sshconf/ssh_config >/dev/null; then
+ echo "EnableSSHKeysign yes" | \
+ $SUDO tee -a $sshconf/ssh_config >/dev/null
+ fi
+ for pubkey in $sshconf/ssh_host*key*.pub; do
+ echo `hostname` `cat $pubkey` | \
+ $SUDO tee -a $knownhosts >/dev/null
+ done
fi
# Enable all supported hostkey algos (but no others)
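Review bot: the setupandrun branch never checks that `knownhosts` is non-empty before deriving `sshconf` from it. If the `$SSH -G localhost | awk ...` pipeline prints nothing, the following `$SUDO tee` writes are built from an empty directory value and land on unintended paths as root. Suggest failing or skipping when `$knownhosts` is empty, and quoting `"$knownhosts"`, `"$sshconf"` and `"$pubkey"` throughout. Three smaller points in the same block: `hostname | $SUDO tee $sshconf/shosts.equiv` uses tee without -a, so it replaces any existing shosts.equiv, while the other two writes append. The known_hosts loop appends on every run, so repeated runs accumulate duplicate lines; a grep guard like the one used for EnableSSHKeysign would make it idempotent. The header comment asks for the system's real FQDN in shosts.equiv, but plain `hostname` is used for both shosts.equiv and the known_hosts entries, which may be a short name on some systems.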
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.