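# $OpenBSD: kbdint.sh,v 1.2 2026/02/24 00:39:59 dtucker Exp $
# Placed in the Public Domain.
#
# This tests keyboard-interactive authentication.  It does not run by default,
# and needs to be enabled by putting the password of the user running the tests
# into ${OBJ}/kbdintpw.  Since this obviously puts the password at risk it is
# recommended to do this on a throwaway VM by setting a random password
# (and randomizing it again after the test, if you can't immediately dispose
# of the VM).
#
# The script copies that password into ${OBJ}/replypass while the "correct
# password" cases run, so the replay files are created owner-only below.
# ${OBJ}/kbdintpw itself is not touched here; keep it owner-readable only.
#
# skip, trace and fail, and the SSH, SUDO and OBJ variables, are expected to
# come from the regress harness that runs this script.

tid="kbdint"

# Two separate tests instead of the obsolescent "-o" operator, and a quoted
# path so an unusual ${OBJ} cannot change how the test expression parses.
if [ -z "$SUDO" ] || [ ! -f "${OBJ}/kbdintpw" ]; then
	skip "Password auth requires SUDO and kbdintpw file."
fi

# Enable keyboard-interactive auth
# NOTE(review): this path is relative to the current directory while every
# other path here is under ${OBJ}; presumably the harness runs with
# cwd == ${OBJ} -- confirm.
echo "KbdInteractiveAuthentication yes" >>sshd_proxy

# Create the replay files owner-only before any password is written to them.
# The umask change is confined to the subshell; the chmod covers files left
# behind by an earlier run with a looser mode.  Later ">" redirections
# truncate in place and keep this mode.
(umask 077; : >"${OBJ}/replypass"; : >"${OBJ}/replypass.N")
chmod 600 "${OBJ}/replypass" "${OBJ}/replypass.N"

# Create askpass script to replay a series of password responses.
# Keep a counter of the number of times it has been called and
# reply with the next line of the replypass file.
# The here-document delimiter is unquoted on purpose: ${OBJ} is expanded now,
# while the escaped \$ expansions are evaluated each time the script runs.
cat >"${OBJ}/replypass.sh" <<EOD
#!/bin/sh
n=\$(cat "${OBJ}/replypass.N")
awk -v n="\$n" 'NR == n' "${OBJ}/replypass"
echo \$(( \$n + 1 )) >"${OBJ}/replypass.N"
EOD
chmod 700 "${OBJ}/replypass.sh"

# Force ssh to use the askpass helper for every prompt.
SSH_ASKPASS="${OBJ}/replypass.sh"
SSH_ASKPASS_REQUIRE=force
export SSH_ASKPASS SSH_ASKPASS_REQUIRE

opts="-oKbdInteractiveAuthentication=yes -oPreferredAuthentications=keyboard-interactive"
opts="-oBatchMode=no $opts"

# Reset the reply counter to the first line of replypass and make one
# connection attempt.  Returns the exit status of ssh.
kbdint_try() {
	echo 1 >"${OBJ}/replypass.N"
	# ${SSH} and $opts stay unquoted: $opts carries several -o options
	# that must be split into separate words.
	${SSH} $opts -F "${OBJ}/ssh_proxy" somehost true
}

trace correct password 1st attempt
cat "${OBJ}/kbdintpw" >"${OBJ}/replypass"
if ! kbdint_try; then
	fail "ssh kbdint failed"
fi

trace bad password
echo badpass >"${OBJ}/replypass"
if kbdint_try; then
	fail "ssh unexpectedly succeeded"
fi

trace correct password 2nd attempt
(echo badpass; cat "${OBJ}/kbdintpw") >"${OBJ}/replypass"
if ! kbdint_try; then
	fail "did not succeed on 2nd attempt"
fi

trace empty password
echo >"${OBJ}/replypass"
if kbdint_try; then
	fail "ssh unexpectedly succeeded with empty password"
fi

# A single 100-character reply.
trace huge password
(for i in 0 1 2 3 4 5 6 7 8 9; do printf 0123456789; done; echo) \
    >"${OBJ}/replypass"
if kbdint_try; then
	fail "ssh unexpectedly succeeded with huge password"
fi

# Ninety one-character replies, one per askpass invocation.
trace spam password
for i in 0 1 2 3 4 5 6 7 8 9; do printf '1\n2\n3\n4\n5\n6\n7\n8\n9\n'; done \
    >"${OBJ}/replypass"
if kbdint_try; then
	fail "ssh unexpectedly succeeded with password spam"
fi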