upstream: Add test for hostbased auth. It requires some external

setup (see comments at the top) and thus is disabled unless
TEST_SSH_HOSTBASED_AUTH and SUDO are set.

OpenBSD-Regress-ID: 3ec8ba3750c5b595fc63e7845d13483065a4827a

diff --git a/regress/Makefile b/regress/Makefile
index da36c75a30d3d4b99fee63449b783fbe08492875..0554c1ac9bc7f233b88b4edd47e719d8fa31ebbb 100644 (file)
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile,v 1.119 2021/12/19 22:20:12 djm Exp $
+#      $OpenBSD: Makefile,v 1.120 2022/01/06 21:46:56 dtucker Exp $
 
 tests:         prep file-tests t-exec unit
 
@@ -100,8 +100,8 @@ LTESTS=     connect \
                sshsig \
                knownhosts \
                knownhosts-command \
-               agent-restrict
-
+               agent-restrict \
+               hostbased
 
 INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
 #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp

diff --git a/regress/hostbased.sh b/regress/hostbased.sh
new file mode 100644 (file)
index 0000000..f62d6f5
--- /dev/null
+++ b/regress/hostbased.sh
@@ -0,0 +1,62 @@
+#      $OpenBSD: hostbased.sh,v 1.1 2022/01/06 21:46:56 dtucker Exp $
+#      Placed in the Public Domain.
+
+# This test requires external setup and thus is skipped unless
+# TEST_SSH_HOSTBASED_AUTH and SUDO are set to "yes".
+# Since ssh-keysign has key paths hard coded, unlike the other tests it
+# needs to use the real host keys. It requires:
+# - ssh-keysign must be installed and setuid.
+# - "EnableSSHKeysign yes" must be in the system ssh_config.
+# - the system's own real FQDN the system-wide shosts.equiv.
+# - the system's real public key fingerprints must me in global ssh_known_hosts.
+#
+tid="hostbased"
+
+if [ -z "${TEST_SSH_HOSTBASED_AUTH}" ]; then
+       skip "TEST_SSH_HOSTBASED_AUTH not set."
+elif [ -z "${SUDO}" ]; then
+       skip "SUDO not set"
+fi
+
+cat >>$OBJ/sshd_proxy <<EOD
+HostbasedAuthentication yes
+HostbasedAcceptedAlgorithms +ssh-rsa,ssh-dss
+HostbasedUsesNameFromPacketOnly yes
+HostKeyAlgorithms +ssh-rsa,ssh-dss
+EOD
+
+cat >>$OBJ/ssh_proxy <<EOD
+HostbasedAuthentication yes
+HostKeyAlgorithms +ssh-rsa,ssh-dss
+HostbasedAcceptedAlgorithms +ssh-rsa,ssh-dss
+PreferredAuthentications hostbased
+EOD
+
+algos=""
+for key in `${SUDO} ${SSHD} -T | awk '$1=="hostkey"{print $2}'`; do
+       case "`$SSHKEYGEN -l -f ${key}.pub`" in
+       256*ECDSA*)     algos="$algos ecdsa-sha2-nistp256" ;;
+       384*ECDSA*)     algos="$algos ecdsa-sha2-nistp384" ;;
+       521*ECDSA*)     algos="$algos ecdsa-sha2-nistp521" ;;
+       *RSA*)          algos="$algos ssh-rsa rsa-sha2-256 rsa-sha2-512" ;;
+       *ED25519*)      algos="$algos ssh-ed25519" ;;
+       *DSA*)          algos="$algos ssh-dss" ;;
+       *) warn "unknown host key type $key" ;;
+       esac
+done
+
+for algo in $algos; do
+       trace "hostbased algo $algo"
+       opts="-F $OBJ/ssh_proxy"
+       if [ "x$algo" != "xdefault" ]; then
+               opts="$opts -oHostbasedAcceptedAlgorithms=$algo"
+       fi
+       SSH_CONNECTION=`${SSH} $opts localhost 'echo $SSH_CONNECTION'`
+       if [ $? -ne 0 ]; then
+               fail "connect failed, hostbased algo $algo"
+       fi
+       if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
+               fail "hostbased algo $algo bad SSH_CONNECTION" \
+                   "$SSH_CONNECTION"
+       fi
+done