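# $OpenBSD: password.sh,v 1.2 2025/06/29 08:20:21 dtucker Exp $
# Placed in the Public Domain.
#
# This tests standard "password" authentication.  It does not run by default,
# and needs to be enabled by putting the password of the user running the tests
# into ${OBJ}/password.  Since this obviously puts the password at risk it is
# recommended to do this on a throwaway VM by setting a random password
# (and randomizing it again after the test, if you can't immediately dispose
# of the VM).
#
# Relies on skip, trace and fail, and on the SUDO, OBJ and SSH variables,
# none of which are defined in this file.

tid="password"

# Opt-in only: both SUDO and the password file must be present.
# Two separate tests replace the obsolescent, ambiguous "[ ... -o ... ]" form.
if [ -z "$SUDO" ] || [ ! -f "${OBJ}/password" ]; then
	skip "Password auth requires SUDO and password file."
fi

# Enable password auth
# NOTE(review): this is a relative path, unlike the ${OBJ}/... paths used
# everywhere else in this test -- confirm the working directory is ${OBJ}.
echo "PasswordAuthentication yes" >>sshd_proxy

# The replay file receives a copy of the real password.  Create it up front
# with owner-only permissions; the later ">" redirections truncate it in place
# and therefore keep that mode.  A stale file from an earlier run is removed
# first because it may have been created with a looser mode.
rm -f "${OBJ}/replypass"
(umask 077 && : >"${OBJ}/replypass") ||
	fail "cannot create private replypass file"

# Create askpass script to replay a series of password responses.
# Keep a counter of the number of times it has been called and
# reply with the next line of the replypass file.
# The here-document is unquoted on purpose: ${OBJ} is expanded now, while the
# backslash-escaped expansions are evaluated each time the script runs.
cat >"${OBJ}/replypass.sh" <<EOD
#!/bin/sh
n=\$(cat "${OBJ}/replypass.N")
awk -v n="\$n" 'NR==n' "${OBJ}/replypass"
echo \$(( \$n + 1 )) >"${OBJ}/replypass.N"
EOD
chmod 700 "${OBJ}/replypass.sh"

# Make ssh obtain the password from the replay script.
SSH_ASKPASS="${OBJ}/replypass.sh"
SSH_ASKPASS_REQUIRE=force
export SSH_ASKPASS SSH_ASKPASS_REQUIRE

# $opts is expanded unquoted below so that it splits into separate options.
opts="-oPasswordAuthentication=yes -oPreferredAuthentications=password"
opts="-oBatchMode=no $opts"

# Case 1: the correct password is the first (and only) reply.
trace plain password
cat "${OBJ}/password" >"${OBJ}/replypass"
echo 1 >"${OBJ}/replypass.N"
if ! ${SSH} $opts -F "${OBJ}/ssh_proxy" somehost true; then
	fail "ssh password failed"
fi

# Case 2: the first reply is an empty line, the second is the real password.
trace 2-round password
(echo; cat "${OBJ}/password") >"${OBJ}/replypass"
echo 1 >"${OBJ}/replypass.N"
if ! ${SSH} $opts -F "${OBJ}/ssh_proxy" somehost true; then
	fail "ssh 2-round password failed"
fi

# Case 3: only an empty reply is available, so authentication must NOT
# succeed.  This also overwrites the password copy in the replay file, so
# after a complete run it holds nothing but an empty line; a run that stops
# earlier leaves the copy behind in ${OBJ}/replypass.
trace empty password
echo >"${OBJ}/replypass"
echo 1 >"${OBJ}/replypass.N"
if ${SSH} $opts -F "${OBJ}/ssh_proxy" somehost true; then
	fail "ssh with empty password succeeded"
fi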