regress/hostbased.sh - third_party/openssh-portable - Git at Google

 #	$OpenBSD: hostbased.sh,v 1.4 2022/12/07 11:45:43 dtucker Exp $
 #	Placed in the Public Domain.

 # This test requires external setup and thus is skipped unless
 # TEST_SSH_HOSTBASED_AUTH and SUDO are set to "yes".
 # Since ssh-keysign has key paths hard coded, unlike the other tests it
 # needs to use the real host keys. It requires:
 # - ssh-keysign must be installed and setuid.
 # - "EnableSSHKeysign yes" must be in the system ssh_config.
 # - the system's own real FQDN the system-wide shosts.equiv.
 # - the system's real public key fingerprints must be in global ssh_known_hosts.
 #
 tid="hostbased"

 if [ -z "${TEST_SSH_HOSTBASED_AUTH}" ]; then
 	skip "TEST_SSH_HOSTBASED_AUTH not set."
 elif [ -z "${SUDO}" ]; then
 	skip "SUDO not set"
 fi

 # Enable all supported hostkey algos (but no others)
 hostkeyalgos=`${SSH} -Q HostKeyAlgorithms | tr '\n' , | sed 's/,$//'`

 cat >>$OBJ/sshd_proxy <<EOD
 HostbasedAuthentication yes
 HostbasedAcceptedAlgorithms $hostkeyalgos
 HostbasedUsesNameFromPacketOnly yes
 HostKeyAlgorithms $hostkeyalgos
 EOD

 cat >>$OBJ/ssh_proxy <<EOD
 HostbasedAuthentication yes
 HostKeyAlgorithms $hostkeyalgos
 HostbasedAcceptedAlgorithms $hostkeyalgos
 PreferredAuthentications hostbased
 EOD

 algos=""
 for key in `${SUDO} ${SSHD} -T | awk '$1=="hostkey"{print $2}'`; do
 	case "`$SSHKEYGEN -l -f ${key}.pub`" in
 	256*ECDSA*)	algos="$algos ecdsa-sha2-nistp256" ;;
 	384*ECDSA*)	algos="$algos ecdsa-sha2-nistp384" ;;
 	521*ECDSA*)	algos="$algos ecdsa-sha2-nistp521" ;;
 	*RSA*)		algos="$algos ssh-rsa rsa-sha2-256 rsa-sha2-512" ;;
 	*ED25519*)	algos="$algos ssh-ed25519" ;;
 	*DSA*)		algos="$algos ssh-dss" ;;
 	*) verbose "unknown host key type $key" ;;
 	esac
 done

 for algo in $algos; do
 	trace "hostbased algo $algo"
 	opts="-F $OBJ/ssh_proxy"
 	if [ "x$algo" != "xdefault" ]; then
 		opts="$opts -oHostbasedAcceptedAlgorithms=$algo"
 	fi
 	SSH_CONNECTION=`${SSH} $opts localhost 'echo $SSH_CONNECTION'`
 	if [ $? -ne 0 ]; then
 		fail "connect failed, hostbased algo $algo"
 	elif [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
 		fail "hostbased algo $algo bad SSH_CONNECTION" \
 		    "$SSH_CONNECTION"
 	else
 		verbose "ok hostbased algo $algo"
 	fi
 done
	# $OpenBSD: hostbased.sh,v 1.4 2022/12/07 11:45:43 dtucker Exp $
	# Placed in the Public Domain.

	# This test requires external setup and thus is skipped unless
	# TEST_SSH_HOSTBASED_AUTH and SUDO are set to "yes".
	# Since ssh-keysign has key paths hard coded, unlike the other tests it
	# needs to use the real host keys. It requires:
	# - ssh-keysign must be installed and setuid.
	# - "EnableSSHKeysign yes" must be in the system ssh_config.
	# - the system's own real FQDN the system-wide shosts.equiv.
	# - the system's real public key fingerprints must be in global ssh_known_hosts.
	#
	tid="hostbased"

	if [ -z "${TEST_SSH_HOSTBASED_AUTH}" ]; then
	skip "TEST_SSH_HOSTBASED_AUTH not set."
	elif [ -z "${SUDO}" ]; then
	skip "SUDO not set"
	fi

	# Enable all supported hostkey algos (but no others)
	hostkeyalgos=`${SSH} -Q HostKeyAlgorithms \| tr '\n' , \| sed 's/,$//'`

	cat >>$OBJ/sshd_proxy <<EOD
	HostbasedAuthentication yes
	HostbasedAcceptedAlgorithms $hostkeyalgos
	HostbasedUsesNameFromPacketOnly yes
	HostKeyAlgorithms $hostkeyalgos
	EOD

	cat >>$OBJ/ssh_proxy <<EOD
	HostbasedAuthentication yes
	HostKeyAlgorithms $hostkeyalgos
	HostbasedAcceptedAlgorithms $hostkeyalgos
	PreferredAuthentications hostbased
	EOD

	algos=""
	for key in `${SUDO} ${SSHD} -T \| awk '$1=="hostkey"{print $2}'`; do
	case "`$SSHKEYGEN -l -f ${key}.pub`" in
	256ECDSA) algos="$algos ecdsa-sha2-nistp256" ;;
	384ECDSA) algos="$algos ecdsa-sha2-nistp384" ;;
	521ECDSA) algos="$algos ecdsa-sha2-nistp521" ;;
	RSA) algos="$algos ssh-rsa rsa-sha2-256 rsa-sha2-512" ;;
	ED25519) algos="$algos ssh-ed25519" ;;
	DSA) algos="$algos ssh-dss" ;;
	*) verbose "unknown host key type $key" ;;
	esac
	done

	for algo in $algos; do
	trace "hostbased algo $algo"
	opts="-F $OBJ/ssh_proxy"
	if [ "x$algo" != "xdefault" ]; then
	opts="$opts -oHostbasedAcceptedAlgorithms=$algo"
	fi
	SSH_CONNECTION=`${SSH} $opts localhost 'echo $SSH_CONNECTION'`
	if [ $? -ne 0 ]; then
	fail "connect failed, hostbased algo $algo"
	elif [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
	fail "hostbased algo $algo bad SSH_CONNECTION" \
	"$SSH_CONNECTION"
	else
	verbose "ok hostbased algo $algo"
	fi
	done