xref: /freebsd/crypto/openssh/regress/hostbased.sh (revision 031beb4e239bfce798af17f5fe8dba8bcaf13d99)
1#	$OpenBSD: hostbased.sh,v 1.4 2022/12/07 11:45:43 dtucker Exp $
2#	Placed in the Public Domain.
3
4# This test requires external setup and thus is skipped unless
5# TEST_SSH_HOSTBASED_AUTH and SUDO are set to "yes".
6# Since ssh-keysign has key paths hard coded, unlike the other tests it
7# needs to use the real host keys. It requires:
8# - ssh-keysign must be installed and setuid.
9# - "EnableSSHKeysign yes" must be in the system ssh_config.
10# - the system's own real FQDN the system-wide shosts.equiv.
11# - the system's real public key fingerprints must be in global ssh_known_hosts.
12#
13tid="hostbased"
14
15if [ -z "${TEST_SSH_HOSTBASED_AUTH}" ]; then
16	skip "TEST_SSH_HOSTBASED_AUTH not set."
17elif [ -z "${SUDO}" ]; then
18	skip "SUDO not set"
19fi
20
21# Enable all supported hostkey algos (but no others)
22hostkeyalgos=`${SSH} -Q HostKeyAlgorithms | tr '\n' , | sed 's/,$//'`
23
24cat >>$OBJ/sshd_proxy <<EOD
25HostbasedAuthentication yes
26HostbasedAcceptedAlgorithms $hostkeyalgos
27HostbasedUsesNameFromPacketOnly yes
28HostKeyAlgorithms $hostkeyalgos
29EOD
30
31cat >>$OBJ/ssh_proxy <<EOD
32HostbasedAuthentication yes
33HostKeyAlgorithms $hostkeyalgos
34HostbasedAcceptedAlgorithms $hostkeyalgos
35PreferredAuthentications hostbased
36EOD
37
38algos=""
39for key in `${SUDO} ${SSHD} -T | awk '$1=="hostkey"{print $2}'`; do
40	case "`$SSHKEYGEN -l -f ${key}.pub`" in
41	256*ECDSA*)	algos="$algos ecdsa-sha2-nistp256" ;;
42	384*ECDSA*)	algos="$algos ecdsa-sha2-nistp384" ;;
43	521*ECDSA*)	algos="$algos ecdsa-sha2-nistp521" ;;
44	*RSA*)		algos="$algos ssh-rsa rsa-sha2-256 rsa-sha2-512" ;;
45	*ED25519*)	algos="$algos ssh-ed25519" ;;
46	*DSA*)		algos="$algos ssh-dss" ;;
47	*) verbose "unknown host key type $key" ;;
48	esac
49done
50
51for algo in $algos; do
52	trace "hostbased algo $algo"
53	opts="-F $OBJ/ssh_proxy"
54	if [ "x$algo" != "xdefault" ]; then
55		opts="$opts -oHostbasedAcceptedAlgorithms=$algo"
56	fi
57	SSH_CONNECTION=`${SSH} $opts localhost 'echo $SSH_CONNECTION'`
58	if [ $? -ne 0 ]; then
59		fail "connect failed, hostbased algo $algo"
60	elif [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
61		fail "hostbased algo $algo bad SSH_CONNECTION" \
62		    "$SSH_CONNECTION"
63	else
64		verbose "ok hostbased algo $algo"
65	fi
66done
67