summaryrefslogtreecommitdiffstats
path: root/regress/penalty.sh
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-08-26 07:43:01 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-08-26 07:43:01 +0000
commit726d6c984de7e297200843e99ab5e70c88a0cbf4 (patch)
tree48851420d8e29a6900c86af9dd178bd2e2aee72d /regress/penalty.sh
parentReleasing progress-linux version 1:9.7p1-7~progress7.99u1. (diff)
downloadopenssh-726d6c984de7e297200843e99ab5e70c88a0cbf4.tar.xz
openssh-726d6c984de7e297200843e99ab5e70c88a0cbf4.zip
Merging upstream version 1:9.8p1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--regress/penalty.sh52
1 files changed, 52 insertions, 0 deletions
diff --git a/regress/penalty.sh b/regress/penalty.sh
new file mode 100644
index 0000000..8b83532
--- /dev/null
+++ b/regress/penalty.sh
@@ -0,0 +1,52 @@
+# $OpenBSD
+# Placed in the Public Domain.
+
+tid="penalties"
+
+grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak
+cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak
+
+conf() {
+ test -z "$PIDFILE" || stop_sshd
+ (cat $OBJ/sshd_config.bak ;
+ echo "PerSourcePenalties $@") > $OBJ/sshd_config
+ cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+ start_sshd
+}
+
+conf "authfail:300s min:350s max:900s"
+
+verbose "test connect"
+${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
+
+verbose "penalty for authentication failure"
+
+# Fail authentication once
+cat /dev/null > $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded"
+cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+sleep 2
+
+# Should be below penalty threshold
+${SSH} -F $OBJ/ssh_config somehost true || fatal "authfail not expired"
+sleep 2
+
+# Fail authentication again; penalty should activate
+cat /dev/null > $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded"
+cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+sleep 2
+
+# These should be refused by the active penalty
+${SSH} -F $OBJ/ssh_config somehost true && fail "authfail not rejected"
+${SSH} -F $OBJ/ssh_config somehost true && fail "repeat authfail not rejected"
+
+conf "noauth:100s"
+${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
+verbose "penalty for no authentication"
+${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null || fatal "keyscan failed"
+sleep 2
+
+# Repeat attempt should be penalised
+${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null 2>&1 && fail "keyscan not rejected"
+
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-20 17:52:35 +0000