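# $OpenBSD: kbdint.sh,v 1.2 2026/02/24 00:39:59 dtucker Exp $
# Placed in the Public Domain.
#
# This tests keyboard-interactive authentication. It does not run by default,
# and needs to be enabled by putting the password of the user running the tests
# into ${OBJ}/kbdintpw. Since this obviously puts the password at risk it is
# recommended to do this on a throwaway VM by setting a random password
# (and randomizing it again after the test, if you can't immediately dispose
# of the VM).
#
# Relies on skip, fail, trace, SSH, SUDO and OBJ, none of which are defined in
# this file (presumably supplied by the regress harness that runs it).

tid="kbdint"

# Two separate tests instead of the obsolescent "-o" operator; paths are
# quoted so an unusual ${OBJ} cannot split the test expression.
if [ -z "$SUDO" ] || [ ! -f "${OBJ}/kbdintpw" ]; then
	skip "Password auth requires SUDO and kbdintpw file."
fi

# Enable keyboard-interactive auth
echo "KbdInteractiveAuthentication yes" >>sshd_proxy

# Create askpass script to replay a series of password responses.
# Keep a counter of the number of times it has been called and
# reply with the next line of the replypass file.
# The here-document delimiter is unquoted on purpose: ${OBJ} is expanded now,
# while the escaped \` and \$ are left for the generated script to evaluate.
cat >"${OBJ}/replypass.sh" <<EOD
#!/bin/sh
n=\`cat "${OBJ}/replypass.N"\`
awk "NR==\$n" "${OBJ}/replypass"
echo \$(( \$n + 1 )) >"${OBJ}/replypass.N"
EOD
chmod 700 "${OBJ}/replypass.sh"

# The reply file receives a copy of the cleartext account password below.
# Create it empty and owner-only first; the later ">" redirections truncate
# the existing file and keep this mode, so the password is never written to a
# file that other local users can read.
: >"${OBJ}/replypass"
chmod 600 "${OBJ}/replypass"

# Route every prompt through the replay script instead of a terminal.
SSH_ASKPASS="${OBJ}/replypass.sh"
SSH_ASKPASS_REQUIRE=force
export SSH_ASKPASS SSH_ASKPASS_REQUIRE

# $opts is expanded unquoted on the ssh command lines so that it splits into
# separate -o options.
opts="-oKbdInteractiveAuthentication=yes -oPreferredAuthentications=keyboard-interactive"
opts="-oBatchMode=no $opts"

# Every case below rewrites the reply file, resets the line counter to 1 and
# then checks the exit status of a single ssh invocation.

trace correct password 1st attempt
cat "${OBJ}/kbdintpw" >"${OBJ}/replypass"
echo 1 >"${OBJ}/replypass.N"
${SSH} $opts -F "$OBJ/ssh_proxy" somehost true
if [ $? -ne 0 ]; then
	fail "ssh kbdint failed"
fi

trace bad password
echo badpass >"${OBJ}/replypass"
echo 1 >"${OBJ}/replypass.N"
${SSH} $opts -F "$OBJ/ssh_proxy" somehost true
if [ $? -eq 0 ]; then
	fail "ssh unexpectedly succeeded"
fi

# A wrong reply followed by the real password: the retry must be accepted.
trace correct password 2nd attempt
(echo badpass; cat "${OBJ}/kbdintpw") >"${OBJ}/replypass"
echo 1 >"${OBJ}/replypass.N"
${SSH} $opts -F "$OBJ/ssh_proxy" somehost true
if [ $? -ne 0 ]; then
	fail "did not succeed on 2nd attempt"
fi

# A single empty line as the only reply must not authenticate.
trace empty password
echo >"${OBJ}/replypass"
echo 1 >"${OBJ}/replypass.N"
${SSH} $opts -F "$OBJ/ssh_proxy" somehost true
if [ $? -eq 0 ]; then
	fail "ssh unexpectedly succeeded with empty password"
fi

# One 100-character reply (ten repetitions of "0123456789").
trace huge password
(for i in 0 1 2 3 4 5 6 7 8 9; do printf 0123456789; done; echo) \
    >"${OBJ}/replypass"
echo 1 >"${OBJ}/replypass.N"
${SSH} $opts -F "$OBJ/ssh_proxy" somehost true
if [ $? -eq 0 ]; then
	fail "ssh unexpectedly succeeded with huge password"
fi

# Ninety one-character replies in a row; authentication must still fail.
trace spam password
for i in 0 1 2 3 4 5 6 7 8 9; do printf '1\n2\n3\n4\n5\n6\n7\n8\n9\n'; done \
    >"${OBJ}/replypass"
echo 1 >"${OBJ}/replypass.N"
${SSH} $opts -F "$OBJ/ssh_proxy" somehost true
if [ $? -eq 0 ]; then
	fail "ssh unexpectedly succeeded with password spam"
fi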