upstream: split the PerSourcePenalties test in two: one tests penalty

enforcement but not penalty expiry, the other tests penalty expiry. This lets us disable the expiry testing in certain CI test environments. OpenBSD-Regress-ID: f56811064f3e3cb52ee73a206b8c2a06af1c8791
2025-02-19 15:26:52 +00:00 · 2024-06-14 04:43:11 +00:00 · 2024-06-14 04:43:11 +00:00 · 2866ad08a9
commit 2866ad08a9
parent b2c64bc170
3 changed files with 40 additions and 8 deletions
--- a/regress/Makefile
+++ b/regress/Makefile
@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.134 2024/06/06 19:49:25 djm Exp $
+#	$OpenBSD: Makefile,v 1.135 2024/06/14 04:43:11 djm Exp $

 tests:		prep file-tests t-exec unit

@ -110,7 +110,8 @@ LTESTS= 	connect \
 		match-subsystem \
 		agent-pkcs11-restrict \
 		agent-pkcs11-cert \
-		penalty
+		penalty \
+		penalty-expire

 INTEROP_TESTS=	putty-transfer putty-ciphers putty-kex conch-ciphers
 INTEROP_TESTS+=	dropbear-ciphers dropbear-kex
--- a/regress/penalty-expire.sh
+++ b/regress/penalty-expire.sh
@ -0,0 +1,34 @@
+#	$OpenBSD
+#	Placed in the Public Domain.
+
+tid="penalties"
+
+grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak
+cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak
+
+conf() {
+	test -z "$PIDFILE" || stop_sshd
+	(cat $OBJ/sshd_config.bak ;
+	 echo "PerSourcePenalties $@") > $OBJ/sshd_config
+	cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+	start_sshd
+}
+
+conf "noauth:10s authfail:10s max:20s min:1s"
+
+verbose "test connect"
+${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
+
+verbose "penalty expiry"
+
+# Incur a penalty
+cat /dev/null > $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail connect succeeded"
+
+# Check denied
+cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail not rejected"
+
+# Let it expire and try again.
+sleep 11
+${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired"
--- a/regress/penalty.sh
+++ b/regress/penalty.sh
@ -14,7 +14,7 @@ conf() {
 	start_sshd
 }

-conf "noauth:10s authfail:6s grace-exceeded:10s min:8s max:20s"
+conf "authfail:30s min:50s max:200s"

 verbose "test connect"
 ${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
@ -36,13 +36,10 @@ cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}

 # These should be refused by the active penalty
 ${SSH} -F $OBJ/ssh_config somehost true && fail "authfail not rejected"
-sleep 5
 ${SSH} -F $OBJ/ssh_config somehost true && fail "repeat authfail not rejected"

-# Penalty should have expired, this should succeed.
-sleep 8
-${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired"
-
+conf "noauth:100s"
+${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
 verbose "penalty for no authentication"
 ${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null || fatal "keyscan failed"