upstream: Add simple test for password auth. Requires some setup
authordtucker@openbsd.org <dtucker@openbsd.org>
Tue, 24 Jun 2025 12:28:23 +0000 (12:28 +0000)
committerDarren Tucker <dtucker@dtucker.net>
Sun, 29 Jun 2025 00:37:19 +0000 (10:37 +1000)
so does not run by default.

OpenBSD-Regress-ID: d5ded47a266b031fc91f99882f07161ab6d1bb70

regress/Makefile
regress/password.sh [new file with mode: 0644]

index d97ea34a2050f1d47e5120f5936e35539d3c8724..d0298d45e0090a9d876b5645dc1cd610102fc59e 100644 (file)
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile,v 1.136 2025/03/11 07:50:20 dtucker Exp $
+#      $OpenBSD: Makefile,v 1.138 2025/06/24 12:28:23 dtucker Exp $
 
 tests:         prep file-tests t-exec unit
 
@@ -106,6 +106,7 @@ LTESTS=     connect \
                knownhosts-command \
                agent-restrict \
                hostbased \
+               password \
                channel-timeout \
                connection-timeout \
                match-subsystem \
diff --git a/regress/password.sh b/regress/password.sh
new file mode 100644 (file)
index 0000000..1c5218d
--- /dev/null
@@ -0,0 +1,59 @@
+#      $OpenBSD: password.sh,v 1.1 2025/06/24 12:28:23 dtucker Exp $
+#      Placed in the Public Domain.
+#
+# This tests standard "password" authentication.  It does not run by default,
+# and needs to be enabled by putting the password of the user running the tests
+# into ${OBJ}/password.  Since this obviously puts the password at risk it is
+# recommended to do this on a throwaway VM by setting a random password
+# (and randomizing it again after the test, if you can't immediately dispose
+# of the VM).
+
+tid="password"
+
+if [ -z "$SUDO" -o ! -f ${OBJ}/password ]; then
+       skip "Password auth requires SUDO and password file."
+fi
+
+# Enable password auth
+echo "PasswordAuthentication yes" >>sshd_proxy
+
+# Create askpass script to replay a series of password responses.
+# Keep a counter of the number of times it has been called and
+# reply with the next line of the replypass file.
+cat >${OBJ}/replypass.sh <<EOD
+n=\`cat ${OBJ}/replypass.N\`
+awk "NR==\$n" ${OBJ}/replypass
+echo \$(( \$n + 1 )) >${OBJ}/replypass.N
+EOD
+chmod 700 ${OBJ}/replypass.sh
+
+SSH_ASKPASS=${OBJ}/replypass.sh
+SSH_ASKPASS_REQUIRE=force
+export SSH_ASKPASS SSH_ASKPASS_REQUIRE
+
+opts="-oPasswordAuthentication=yes -oPreferredAuthentications=password"
+opts="-oBatchMode=no $opts"
+
+trace plain password
+cat ${OBJ}/password >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -ne 0 ]; then
+       fail "ssh password failed"
+fi
+
+trace 2-round password
+(echo; cat ${OBJ}/password) >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -ne 0 ]; then
+       fail "ssh 2-round password failed"
+fi
+
+trace empty password
+echo >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -eq 0 ]; then
+       fail "ssh password failed"
+fi
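Review bot: The two `cat ${OBJ}/password >${OBJ}/replypass` steps (plain and 2-round cases) write a second plaintext copy of the account password under whatever umask the harness has in effect, and nothing in the script restricts the file mode or removes the file; only a run that reaches the final `echo >${OBJ}/replypass` overwrites it. Setting `umask 077` before the first write and ending the script with `rm -f ${OBJ}/replypass ${OBJ}/replypass.N` would keep the copy private while the test runs and remove it afterwards, assuming the harness does not already restrict or clean ${OBJ}, which is not visible here. Separately, the empty-password case reuses `fail "ssh password failed"`, so a log cannot tell an unexpected login success there from a failure of the plain case; `fail "ssh empty password unexpectedly succeeded"` would make that outcome unambiguous.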