mirror of git://anongit.mindrot.org/openssh.git
upstream: Add test for hostbased auth. It requires some external
setup (see comments at the top) and thus is disabled unless TEST_SSH_HOSTBASED_AUTH and SUDO are set. OpenBSD-Regress-ID: 3ec8ba3750c5b595fc63e7845d13483065a4827a
This commit is contained in:
dtucker@openbsd.org
Darren Tucker
parent
a48533a8da
commit
e12d912ddf
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: Makefile,v 1.119 2021/12/19 22:20:12 djm Exp $
|
||||
# $OpenBSD: Makefile,v 1.120 2022/01/06 21:46:56 dtucker Exp $
|
||||
|
||||
tests: prep file-tests t-exec unit
|
||||
|
||||
|
|
@ -100,8 +100,8 @@ LTESTS= connect \
|
|||
sshsig \
|
||||
knownhosts \
|
||||
knownhosts-command \
|
||||
agent-restrict
|
||||
|
||||
agent-restrict \
|
||||
hostbased
|
||||
|
||||
INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
|
||||
#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
|
||||
|
|
|
|||
|
|
@ -0,0 +1,62 @@
|
|||
# $OpenBSD: hostbased.sh,v 1.1 2022/01/06 21:46:56 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
# This test requires external setup and thus is skipped unless
|
||||
# TEST_SSH_HOSTBASED_AUTH and SUDO are set to "yes".
|
||||
# Since ssh-keysign has key paths hard coded, unlike the other tests it
|
||||
# needs to use the real host keys. It requires:
|
||||
# - ssh-keysign must be installed and setuid.
|
||||
# - "EnableSSHKeysign yes" must be in the system ssh_config.
|
||||
# - the system's own real FQDN the system-wide shosts.equiv.
|
||||
# - the system's real public key fingerprints must me in global ssh_known_hosts.
|
||||
#
|
||||
tid="hostbased"
|
||||
|
||||
if [ -z "${TEST_SSH_HOSTBASED_AUTH}" ]; then
|
||||
skip "TEST_SSH_HOSTBASED_AUTH not set."
|
||||
elif [ -z "${SUDO}" ]; then
|
||||
skip "SUDO not set"
|
||||
fi
|
||||
|
||||
cat >>$OBJ/sshd_proxy <<EOD
|
||||
HostbasedAuthentication yes
|
||||
HostbasedAcceptedAlgorithms +ssh-rsa,ssh-dss
|
||||
HostbasedUsesNameFromPacketOnly yes
|
||||
HostKeyAlgorithms +ssh-rsa,ssh-dss
|
||||
EOD
|
||||
|
||||
cat >>$OBJ/ssh_proxy <<EOD
|
||||
HostbasedAuthentication yes
|
||||
HostKeyAlgorithms +ssh-rsa,ssh-dss
|
||||
HostbasedAcceptedAlgorithms +ssh-rsa,ssh-dss
|
||||
PreferredAuthentications hostbased
|
||||
EOD
|
||||
|
||||
algos=""
|
||||
for key in `${SUDO} ${SSHD} -T | awk '$1=="hostkey"{print $2}'`; do
|
||||
case "`$SSHKEYGEN -l -f ${key}.pub`" in
|
||||
256*ECDSA*) algos="$algos ecdsa-sha2-nistp256" ;;
|
||||
384*ECDSA*) algos="$algos ecdsa-sha2-nistp384" ;;
|
||||
521*ECDSA*) algos="$algos ecdsa-sha2-nistp521" ;;
|
||||
*RSA*) algos="$algos ssh-rsa rsa-sha2-256 rsa-sha2-512" ;;
|
||||
*ED25519*) algos="$algos ssh-ed25519" ;;
|
||||
*DSA*) algos="$algos ssh-dss" ;;
|
||||
*) warn "unknown host key type $key" ;;
|
||||
esac
|
||||
done
|
||||
|
||||
for algo in $algos; do
|
||||
trace "hostbased algo $algo"
|
||||
opts="-F $OBJ/ssh_proxy"
|
||||
if [ "x$algo" != "xdefault" ]; then
|
||||
opts="$opts -oHostbasedAcceptedAlgorithms=$algo"
|
||||
fi
|
||||
SSH_CONNECTION=`${SSH} $opts localhost 'echo $SSH_CONNECTION'`
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "connect failed, hostbased algo $algo"
|
||||
fi
|
||||
if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
|
||||
fail "hostbased algo $algo bad SSH_CONNECTION" \
|
||||
"$SSH_CONNECTION"
|
||||
fi
|
||||
done
|
||||
Loading…
Reference in New Issue