From: dtucker@openbsd.org Date: Tue, 24 Jun 2025 12:28:23 +0000 (+0000) Subject: upstream: Add simple test for password auth. Requires some setup X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=838d5ec4b12fb519ed9db76e5beccf11b7ee212f;p=thirdparty%2Fopenssh-portable.git upstream: Add simple test for password auth. Requires some setup so does not run by default. OpenBSD-Regress-ID: d5ded47a266b031fc91f99882f07161ab6d1bb70
---
diff --git a/regress/Makefile b/regress/Makefile
index d97ea34a2..d0298d45e 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.136 2025/03/11 07:50:20 dtucker Exp $
+# $OpenBSD: Makefile,v 1.138 2025/06/24 12:28:23 dtucker Exp $
 tests: prep file-tests t-exec unit
@@ -106,6 +106,7 @@ LTESTS= connect \
 knownhosts-command \
 agent-restrict \
 hostbased \
+ password \
 channel-timeout \
 connection-timeout \
 match-subsystem \
diff --git a/regress/password.sh b/regress/password.sh
new file mode 100644
index 000000000..1c5218d6b
--- /dev/null
+++ b/regress/password.sh
@@ -0,0 +1,59 @@
+# $OpenBSD: password.sh,v 1.1 2025/06/24 12:28:23 dtucker Exp $
+# Placed in the Public Domain.
+#
+# This tests standard "password" authentication. It does not run by default,
+# and needs to be enabled by putting the password of the user running the tests
+# into ${OBJ}/password. Since this obviously puts the password at risk it is
+# recommended to do this on a throwaway VM by setting a random password
+# (and randomizing it again after the test, if you can't immediately dispose
+# of the VM).
+
+tid="password"
+
+if [ -z "$SUDO" -o ! -f ${OBJ}/password ]; then
+ skip "Password auth requires SUDO and password file."
+fi
+
+# Enable password auth
+echo "PasswordAuthentication yes" >>sshd_proxy
+
+# Create askpass script to replay a series of password responses.
+# Keep a counter of the number of times it has been called and
+# reply with the next line of the replypass file.
+cat >${OBJ}/replypass.sh <${OBJ}/replypass.N
+EOD
+chmod 700 ${OBJ}/replypass.sh
+
+SSH_ASKPASS=${OBJ}/replypass.sh
+SSH_ASKPASS_REQUIRE=force
+export SSH_ASKPASS SSH_ASKPASS_REQUIRE
+
+opts="-oPasswordAuthentication=yes -oPreferredAuthentications=password"
+opts="-oBatchMode=no $opts"
+
+trace plain password
+cat ${OBJ}/password >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -ne 0 ]; then
+ fail "ssh password failed"
+fi
+
+trace 2-round password
+(echo; cat ${OBJ}/password) >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -ne 0 ]; then
+ fail "ssh 2-round password failed"
+fi
+
+trace empty password
+echo >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -eq 0 ]; then
+ fail "ssh password failed"
+fi
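Review bot: In the "plain" and "2-round" cases, `cat ${OBJ}/password >${OBJ}/replypass` makes a second plaintext copy of the account password under the default umask; only `replypass.sh` gets an explicit mode, and the header comment warns about `${OBJ}/password` alone. Setting `umask 077` before the first redirect would keep the copy private whatever the permissions on `${OBJ}` are, which this hunk does not show. The copy is overwritten only because the empty-password case runs last, so a closing `rm -f ${OBJ}/replypass ${OBJ}/replypass.N` would stop that depending on the order of the cases. Separately, the empty-password case reports `fail "ssh password failed"` when the login succeeds; `fail "ssh empty password succeeded"` would say what actually went wrong in the one negative check.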