From 79b153cbc5072b7824e1b224c21271685439850c Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 6 Jun 2024 19:49:25 +0000 Subject: [PATCH] regress test for PerSourcePenalties --- regress/usr.bin/ssh/Makefile | 5 ++-- regress/usr.bin/ssh/penalty.sh | 51 ++++++++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+), 2 deletions(-) create mode 100644 regress/usr.bin/ssh/penalty.sh diff --git a/regress/usr.bin/ssh/Makefile b/regress/usr.bin/ssh/Makefile index 09870cd1a6e..27737c38a76 100644 --- a/regress/usr.bin/ssh/Makefile +++ b/regress/usr.bin/ssh/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.133 2024/01/11 04:50:28 djm Exp $ +# $OpenBSD: Makefile,v 1.134 2024/06/06 19:49:25 djm Exp $ OPENSSL?= yes @@ -102,7 +102,8 @@ LTESTS= connect \ connection-timeout \ match-subsystem \ agent-pkcs11-restrict \ - agent-pkcs11-cert + agent-pkcs11-cert \ + penalty INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers INTEROP_TESTS+= dropbear-ciphers dropbear-kex diff --git a/regress/usr.bin/ssh/penalty.sh b/regress/usr.bin/ssh/penalty.sh new file mode 100644 index 00000000000..5ac7ef67ecf --- /dev/null +++ b/regress/usr.bin/ssh/penalty.sh @@ -0,0 +1,51 @@ +# $OpenBSD +# Placed in the Public Domain. + +tid="penalties" + +grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak +cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak + +conf() { + test -z "$PIDFILE" || stop_sshd + (cat $OBJ/sshd_config.bak ; + echo "PerSourcePenalties $@") > $OBJ/sshd_config + cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER} + start_sshd +} + +conf "noauth:10s authfail:6s grace-exceeded:10s min:8s max:20s" + +verbose "test connect" +${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed" + +verbose "penalty for authentication failure" + +# Fail authentication once +cat /dev/null > $OBJ/authorized_keys_${USER} +${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded" +cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER} + +# Should be below penalty threshold +${SSH} -F $OBJ/ssh_config somehost true || fatal "authfail not expired" + +# Fail authentication again; penalty should activate +cat /dev/null > $OBJ/authorized_keys_${USER} +${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded" +cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER} + +# These should be refused by the active penalty +${SSH} -F $OBJ/ssh_config somehost true && fail "authfail not rejected" +sleep 5 +${SSH} -F $OBJ/ssh_config somehost true && fail "repeat authfail not rejected" + +# Penalty should have expired, this should succeed. +sleep 8 +${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired" + +verbose "penalty for no authentication" +${SSHKEYSCAN} -p $PORT 127.0.0.1 >/dev/null 2>&1 || fatal "keyscan failed" + +# Repeat attempt should be penalised +${SSHKEYSCAN} -p $PORT 127.0.0.1 >/dev/null 2>&1 && fail "keyscan not rejected" + -- 2.20.1