From: dtucker@openbsd.org Date: Sun, 15 Feb 2026 22:29:30 +0000 (+0000) Subject: upstream: Add basic test for keyboard-interactive auth. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c5cee49a0c5721532716365f32977fc02eeea1d5;p=thirdparty%2Fopenssh-portable.git upstream: Add basic test for keyboard-interactive auth. Not enabled by default since it requires some setup on the host. OpenBSD-Regress-ID: aa8a9608a2ea2e5aaa094c5a5cc453e4797cd902
---
diff --git a/regress/Makefile b/regress/Makefile
index bd44b0489..93826c281 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.141 2025/10/16 00:01:54 djm Exp $
+# $OpenBSD: Makefile,v 1.143 2026/02/15 22:29:30 dtucker Exp $
 tests: prep file-tests t-exec unit
@@ -108,6 +108,7 @@ LTESTS= connect \
 agent-restrict \
 hostbased \
 password \
+ kbdint \
 channel-timeout \
 connection-timeout \
 match-subsystem \
diff --git a/regress/kbdint.sh b/regress/kbdint.sh
new file mode 100644
index 000000000..5629270b0
--- /dev/null
+++ b/regress/kbdint.sh
@@ -0,0 +1,87 @@
+# $OpenBSD: kbdint.sh,v 1.1 2026/02/15 22:29:30 dtucker Exp $
+# Placed in the Public Domain.
+#
+# This tests keyboard-interactive authentication. It does not run by default,
+# and needs to be enabled by putting the password of the user running the tests
+# into ${OBJ}/kbdintpw. Since this obviously puts the password at risk it is
+# recommended to do this on a throwaway VM by setting a random password
+# (and randomizing it again after the test, if you can't immediately dispose
+# of the VM).
+
+tid="kbdint"
+
+if [ -z "$SUDO" -o ! -f ${OBJ}/kbdintpw ]; then
+ skip "Password auth requires SUDO and kbdintpw file."
+fi
+
+# Enable keyboard-interactive auth
+echo "KbdInteractiveAuthentication yes" >>sshd_proxy
+
+# Create askpass script to replay a series of password responses.
+# Keep a counter of the number of times it has been called and
+# reply with the next line of the replypass file.
+cat >${OBJ}/replypass.sh <${OBJ}/replypass.N
+EOD
+chmod 700 ${OBJ}/replypass.sh
+
+SSH_ASKPASS=${OBJ}/replypass.sh
+SSH_ASKPASS_REQUIRE=force
+export SSH_ASKPASS SSH_ASKPASS_REQUIRE
+
+opts="-oKbdInteractiveAuthentication=yes -oPreferredAuthentications=keyboard-interactive"
+opts="-oBatchMode=no $opts"
+
+trace correct password 1st attempt
+cat ${OBJ}/kbdintpw >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -ne 0 ]; then
+ fail "ssh kdbint failed"
+fi
+
+trace bad password
+echo badpass >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -eq 0 ]; then
+ fail "ssh unexpectedly succeeded"
+fi
+
+trace correct password 2nd attempt
+(echo badpass; cat ${OBJ}/kbdintpw) >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -ne 0 ]; then
+ fail "did not succeed on 2nd attempt"
+fi
+
+trace empty password
+echo >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -eq 0 ]; then
+ fail "ssh unexpectedly succeeded with empty password"
+fi
+
+trace huge password
+(for i in 0 1 2 3 4 5 6 7 8 9; do printf 0123456789; done; echo) \
+ >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+if [ $? -eq 0 ]; then
+ fail "ssh unexpectedly succeeded with huge password"
+fi
+
+trace spam password
+for i in 0 1 2 3 4 5 6 7 8 9; do printf '1\n2\n3\n4\n5\n6\n7\n8\n9\n'; done \
+ >${OBJ}/replypass
+echo 1 >${OBJ}/replypass.N
+${SSH} $opts -F $OBJ/ssh_proxy somehost true
+fail foo
+if [ $? -eq 0 ]; then
+ fail "ssh unexpectedly succeeded with password spam"
+fi
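Review bot: The stray `fail foo` in the final "spam password" case records a failure on every run and also overwrites `$?`, so the `if [ $? -eq 0 ]` after it tests the status of `fail` rather than of ssh; that line should be dropped so the `if` directly follows `${SSH} $opts -F $OBJ/ssh_proxy somehost true`. Separately, the account's real password is copied from `${OBJ}/kbdintpw` into `${OBJ}/replypass` under whatever umask the caller has, and nothing visible in this new file removes it afterwards, so I would add `umask 077` before the first write and finish the script with `rm -f ${OBJ}/replypass ${OBJ}/replypass.N`. The first failure message also misspells the test name: `fail "ssh kdbint failed"` should read `fail "ssh kbdint failed"`.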