diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 14:40:04 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 14:40:04 +0000 |
| commit | 25505898530a333011f4fd5cbc841ad6b26c089c (patch) | |
| tree | 333a33fdd60930bcccc3f177ed9467d535e9bac6 /regress/hostbased.sh | |
| parent | Initial commit. (diff) | |
| download | openssh-25505898530a333011f4fd5cbc841ad6b26c089c.tar.xz openssh-25505898530a333011f4fd5cbc841ad6b26c089c.zip | |
Adding upstream version 1:9.2p1.upstream/1%9.2p1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'regress/hostbased.sh')
| -rw-r--r-- | regress/hostbased.sh | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/regress/hostbased.sh b/regress/hostbased.sh new file mode 100644 index 0000000..eb9cf27 --- /dev/null +++ b/regress/hostbased.sh @@ -0,0 +1,66 @@ +# $OpenBSD: hostbased.sh,v 1.4 2022/12/07 11:45:43 dtucker Exp $ +# Placed in the Public Domain. + +# This test requires external setup and thus is skipped unless +# TEST_SSH_HOSTBASED_AUTH and SUDO are set to "yes". +# Since ssh-keysign has key paths hard coded, unlike the other tests it +# needs to use the real host keys. It requires: +# - ssh-keysign must be installed and setuid. +# - "EnableSSHKeysign yes" must be in the system ssh_config. +# - the system's own real FQDN the system-wide shosts.equiv. +# - the system's real public key fingerprints must be in global ssh_known_hosts. +# +tid="hostbased" + +if [ -z "${TEST_SSH_HOSTBASED_AUTH}" ]; then + skip "TEST_SSH_HOSTBASED_AUTH not set." +elif [ -z "${SUDO}" ]; then + skip "SUDO not set" +fi + +# Enable all supported hostkey algos (but no others) +hostkeyalgos=`${SSH} -Q HostKeyAlgorithms | tr '\n' , | sed 's/,$//'` + +cat >>$OBJ/sshd_proxy <<EOD +HostbasedAuthentication yes +HostbasedAcceptedAlgorithms $hostkeyalgos +HostbasedUsesNameFromPacketOnly yes +HostKeyAlgorithms $hostkeyalgos +EOD + +cat >>$OBJ/ssh_proxy <<EOD +HostbasedAuthentication yes +HostKeyAlgorithms $hostkeyalgos +HostbasedAcceptedAlgorithms $hostkeyalgos +PreferredAuthentications hostbased +EOD + +algos="" +for key in `${SUDO} ${SSHD} -T | awk '$1=="hostkey"{print $2}'`; do + case "`$SSHKEYGEN -l -f ${key}.pub`" in + 256*ECDSA*) algos="$algos ecdsa-sha2-nistp256" ;; + 384*ECDSA*) algos="$algos ecdsa-sha2-nistp384" ;; + 521*ECDSA*) algos="$algos ecdsa-sha2-nistp521" ;; + *RSA*) algos="$algos ssh-rsa rsa-sha2-256 rsa-sha2-512" ;; + *ED25519*) algos="$algos ssh-ed25519" ;; + *DSA*) algos="$algos ssh-dss" ;; + *) verbose "unknown host key type $key" ;; + esac +done + +for algo in $algos; do + trace "hostbased algo $algo" + opts="-F $OBJ/ssh_proxy" + if [ "x$algo" != "xdefault" ]; then + opts="$opts -oHostbasedAcceptedAlgorithms=$algo" + fi + SSH_CONNECTION=`${SSH} $opts localhost 'echo $SSH_CONNECTION'` + if [ $? -ne 0 ]; then + fail "connect failed, hostbased algo $algo" + elif [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then + fail "hostbased algo $algo bad SSH_CONNECTION" \ + "$SSH_CONNECTION" + else + verbose "ok hostbased algo $algo" + fi +done |