From: djm <djm@openbsd.org>
Date: Thu, 6 Jun 2024 19:49:25 +0000 (+0000)
Subject: regress test for PerSourcePenalties
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=79b153cbc5072b7824e1b224c21271685439850c;p=openbsd

regress test for PerSourcePenalties
---

diff --git a/regress/usr.bin/ssh/Makefile b/regress/usr.bin/ssh/Makefile
index 09870cd1a6e..27737c38a76 100644
--- a/regress/usr.bin/ssh/Makefile
+++ b/regress/usr.bin/ssh/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.133 2024/01/11 04:50:28 djm Exp $
+#	$OpenBSD: Makefile,v 1.134 2024/06/06 19:49:25 djm Exp $
 
 OPENSSL?=	yes
 
@@ -102,7 +102,8 @@ LTESTS= 	connect \
 		connection-timeout \
 		match-subsystem \
 		agent-pkcs11-restrict \
-		agent-pkcs11-cert
+		agent-pkcs11-cert \
+		penalty
 
 INTEROP_TESTS=	putty-transfer putty-ciphers putty-kex conch-ciphers
 INTEROP_TESTS+=	dropbear-ciphers dropbear-kex
diff --git a/regress/usr.bin/ssh/penalty.sh b/regress/usr.bin/ssh/penalty.sh
new file mode 100644
index 00000000000..5ac7ef67ecf
--- /dev/null
+++ b/regress/usr.bin/ssh/penalty.sh
@@ -0,0 +1,51 @@
+#	$OpenBSD
+#	Placed in the Public Domain.
+
+tid="penalties"
+
+grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak
+cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak
+
+conf() {
+	test -z "$PIDFILE" || stop_sshd
+	(cat $OBJ/sshd_config.bak ;
+	 echo "PerSourcePenalties $@") > $OBJ/sshd_config
+	cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+	start_sshd
+}
+
+conf "noauth:10s authfail:6s grace-exceeded:10s min:8s max:20s"
+
+verbose "test connect"
+${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
+
+verbose "penalty for authentication failure"
+
+# Fail authentication once
+cat /dev/null > $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded"
+cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+
+# Should be below penalty threshold
+${SSH} -F $OBJ/ssh_config somehost true || fatal "authfail not expired"
+
+# Fail authentication again; penalty should activate
+cat /dev/null > $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded"
+cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+
+# These should be refused by the active penalty
+${SSH} -F $OBJ/ssh_config somehost true && fail "authfail not rejected"
+sleep 5
+${SSH} -F $OBJ/ssh_config somehost true && fail "repeat authfail not rejected"
+
+# Penalty should have expired, this should succeed.
+sleep 8
+${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired"
+
+verbose "penalty for no authentication"
+${SSHKEYSCAN} -p $PORT 127.0.0.1 >/dev/null 2>&1 || fatal "keyscan failed"
+
+# Repeat attempt should be penalised
+${SSHKEYSCAN} -p $PORT 127.0.0.1 >/dev/null 2>&1 && fail "keyscan not rejected"
+