split the PerSourcePenalties test in two: one tests penalty enforcement

but not penalty expiry, the other tests penalty expiry.

This lets us disable the expiry testing in certain CI test environments.

diff --git a/regress/usr.bin/ssh/Makefile b/regress/usr.bin/ssh/Makefile
index 27737c3..820ac68 100644 (file)
--- a/regress/usr.bin/ssh/Makefile
+++ b/regress/usr.bin/ssh/Makefile
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile,v 1.134 2024/06/06 19:49:25 djm Exp $
+#      $OpenBSD: Makefile,v 1.135 2024/06/14 04:43:11 djm Exp $
 
 OPENSSL?=      yes
 
@@ -103,7 +103,8 @@ LTESTS=     connect \
                match-subsystem \
                agent-pkcs11-restrict \
                agent-pkcs11-cert \
-               penalty
+               penalty \
+               penalty-expire
 
 INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
 INTEROP_TESTS+=        dropbear-ciphers dropbear-kex

diff --git a/regress/usr.bin/ssh/penalty-expire.sh b/regress/usr.bin/ssh/penalty-expire.sh
new file mode 100644 (file)
index 0000000..30b7bd4
--- /dev/null
+++ b/regress/usr.bin/ssh/penalty-expire.sh
@@ -0,0 +1,34 @@
+#      $OpenBSD
+#      Placed in the Public Domain.
+
+tid="penalties"
+
+grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak
+cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak
+
+conf() {
+       test -z "$PIDFILE" || stop_sshd
+       (cat $OBJ/sshd_config.bak ;
+        echo "PerSourcePenalties $@") > $OBJ/sshd_config
+       cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+       start_sshd
+}
+
+conf "noauth:10s authfail:10s max:20s min:1s"
+
+verbose "test connect"
+${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
+
+verbose "penalty expiry"
+
+# Incur a penalty
+cat /dev/null > $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail connect succeeded"
+
+# Check denied
+cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail not rejected"
+
+# Let it expire and try again.
+sleep 11
+${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired"

diff --git a/regress/usr.bin/ssh/penalty.sh b/regress/usr.bin/ssh/penalty.sh
index 0285f00..4308e0b 100644 (file)
--- a/regress/usr.bin/ssh/penalty.sh
+++ b/regress/usr.bin/ssh/penalty.sh
@@ -14,7 +14,7 @@ conf() {
        start_sshd
 }
 
-conf "noauth:10s authfail:6s grace-exceeded:10s min:8s max:20s"
+conf "authfail:30s min:50s max:200s"
 
 verbose "test connect"
 ${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
@@ -36,13 +36,10 @@ cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
 
 # These should be refused by the active penalty
 ${SSH} -F $OBJ/ssh_config somehost true && fail "authfail not rejected"
-sleep 5
 ${SSH} -F $OBJ/ssh_config somehost true && fail "repeat authfail not rejected"
 
-# Penalty should have expired, this should succeed.
-sleep 8
-${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired"
-
+conf "noauth:100s"
+${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
 verbose "penalty for no authentication"
 ${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null || fatal "keyscan failed"