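#	$OpenBSD: hostbased.sh,v 1.4 2022/12/07 11:45:43 dtucker Exp $
#	Placed in the Public Domain.

# This test requires external setup and thus is skipped unless
# TEST_SSH_HOSTBASED_AUTH and SUDO are set to "yes".
# Since ssh-keysign has key paths hard coded, unlike the other tests it
# needs to use the real host keys.  It requires:
# - ssh-keysign must be installed and setuid.
# - "EnableSSHKeysign yes" must be in the system ssh_config.
# - the system's own real FQDN must be in the system-wide shosts.equiv.
# - the system's real public key fingerprints must be in global ssh_known_hosts.
#
# Sourced by test-exec.sh, which provides skip/trace/verbose/fail and the
# SSH/SSHD/SSHKEYGEN/SUDO/OBJ variables; stays POSIX sh.
tid="hostbased"

if [ -z "${TEST_SSH_HOSTBASED_AUTH}" ]; then
	skip "TEST_SSH_HOSTBASED_AUTH not set."
elif [ -z "${SUDO}" ]; then
	skip "SUDO not set"
fi

# Enable all supported hostkey algos (but no others): one comma-separated
# list built from everything this ssh binary advertises.
hostkeyalgos=$(${SSH} -Q HostKeyAlgorithms | tr '\n' , | sed 's/,$//')

# Test-only server config: every advertised algorithm is accepted so each
# host key type gets exercised below, and the client-supplied hostname is
# trusted instead of the reverse lookup of the connection (there is no real
# TCP peer behind the proxy).  Not a production configuration.
cat >>"$OBJ/sshd_proxy" <<EOD
HostbasedAuthentication yes
HostbasedAcceptedAlgorithms $hostkeyalgos
HostbasedUsesNameFromPacketOnly yes
HostKeyAlgorithms $hostkeyalgos
EOD

cat >>"$OBJ/ssh_proxy" <<EOD
HostbasedAuthentication yes
HostKeyAlgorithms $hostkeyalgos
HostbasedAcceptedAlgorithms $hostkeyalgos
PreferredAuthentications hostbased
EOD

# Map each configured host key (from the real sshd config, hence SUDO) to the
# signature algorithms that key type can produce.  Word-splitting of the
# sshd -T output is intended: one key path per word.
algos=""
for key in $(${SUDO} ${SSHD} -T | awk '$1=="hostkey"{print $2}'); do
	case "$($SSHKEYGEN -l -f "${key}.pub")" in
	256*ECDSA*)	algos="$algos ecdsa-sha2-nistp256" ;;
	384*ECDSA*)	algos="$algos ecdsa-sha2-nistp384" ;;
	521*ECDSA*)	algos="$algos ecdsa-sha2-nistp521" ;;
	*RSA*)		algos="$algos ssh-rsa rsa-sha2-256 rsa-sha2-512" ;;
	*ED25519*)	algos="$algos ssh-ed25519" ;;
	*DSA*)		algos="$algos ssh-dss" ;;
	*)		verbose "unknown host key type $key" ;;
	esac
done

# One hostbased login per algorithm.  "$algos" is a space-separated list, so
# the unquoted expansion is deliberate; likewise "$opts" below.
for algo in $algos; do
	trace "hostbased algo $algo"
	opts="-F $OBJ/ssh_proxy"
	# "default" is never added to $algos above; the guard only matters if
	# the list is ever extended to include it.
	if [ "x$algo" != "xdefault" ]; then
		opts="$opts -oHostbasedAcceptedAlgorithms=$algo"
	fi
	# Single quotes: $SSH_CONNECTION is expanded on the remote side.
	# The status of the assignment is that of the command substitution.
	SSH_CONNECTION=$(${SSH} $opts localhost 'echo $SSH_CONNECTION')
	if [ $? -ne 0 ]; then
		fail "connect failed, hostbased algo $algo"
	elif [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
		# Expected value for a connection with no TCP endpoints
		# (proxy-command transport); anything else means the session
		# did not run where we think it did.
		fail "hostbased algo $algo bad SSH_CONNECTION" \
		    "$SSH_CONNECTION"
	else
		verbose "ok hostbased algo $algo"
	fi
done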