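# $OpenBSD: hostbased.sh,v 1.4 2022/12/07 11:45:43 dtucker Exp $
# Placed in the Public Domain.

# This test requires external setup and thus is skipped unless both
# TEST_SSH_HOSTBASED_AUTH and SUDO are set (to any non-empty value).
# Since ssh-keysign has key paths hard coded, unlike the other tests it
# needs to use the real host keys. It requires:
# - ssh-keysign must be installed and setuid.
# - "EnableSSHKeysign yes" must be in the system ssh_config.
# - the system's own real FQDN must be in the system-wide shosts.equiv.
# - the system's real public key fingerprints must be in global ssh_known_hosts.
#
# For every host key type sshd actually has configured, one hostbased
# login is made over the proxy connection with the client restricted to
# that one signature algorithm, and the session must be established.
tid="hostbased"

if [ -z "${TEST_SSH_HOSTBASED_AUTH}" ]; then
	skip "TEST_SSH_HOSTBASED_AUTH not set."
elif [ -z "${SUDO}" ]; then
	skip "SUDO not set"
fi

# Enable all supported hostkey algos (but no others).  The "-Q" list is
# joined into one comma-separated value with the trailing comma removed.
hostkeyalgos=$(${SSH} -Q HostKeyAlgorithms | tr '\n' , | sed 's/,$//')

# Server side.  HostbasedUsesNameFromPacketOnly makes sshd look up
# shosts.equiv / ssh_known_hosts by the hostname the client sends rather
# than by a name resolved from the peer address; it is needed here
# because the proxy connection has no real peer address (the expected
# SSH_CONNECTION below is "UNKNOWN 65535 UNKNOWN 65535").  It trusts
# client-supplied data and belongs in this test only, not in a real
# sshd_config.
# AuthenticationMethods pins the server to hostbased: the client's
# PreferredAuthentications only orders its attempts, so without this a
# refused hostbased attempt could fall back to any other method the
# harness enables and the test could pass without exercising hostbased.
cat >>"$OBJ/sshd_proxy" <<EOD
HostbasedAuthentication yes
HostbasedAcceptedAlgorithms $hostkeyalgos
HostbasedUsesNameFromPacketOnly yes
HostKeyAlgorithms $hostkeyalgos
AuthenticationMethods hostbased
EOD

# Client side: try hostbased first.
cat >>"$OBJ/ssh_proxy" <<EOD
HostbasedAuthentication yes
HostKeyAlgorithms $hostkeyalgos
HostbasedAcceptedAlgorithms $hostkeyalgos
PreferredAuthentications hostbased
EOD

# Map each host key sshd has configured to the signature algorithm(s)
# usable with it.  The type comes from the "(TYPE)" suffix of
# "ssh-keygen -l" output and, for ECDSA, the bit size at the start of
# that line.  The ECDSA arms must precede "*DSA*", which "(ECDSA)" would
# otherwise also match.  The RSA arm deliberately includes the legacy
# SHA-1 "ssh-rsa" signature; that iteration can only pass if the build
# still lists ssh-rsa in "-Q HostKeyAlgorithms".
algos=""
for key in $(${SUDO} ${SSHD} -T | awk '$1=="hostkey"{print $2}'); do
	case "$($SSHKEYGEN -l -f "${key}.pub")" in
	256*ECDSA*) algos="$algos ecdsa-sha2-nistp256" ;;
	384*ECDSA*) algos="$algos ecdsa-sha2-nistp384" ;;
	521*ECDSA*) algos="$algos ecdsa-sha2-nistp521" ;;
	*RSA*) algos="$algos ssh-rsa rsa-sha2-256 rsa-sha2-512" ;;
	*ED25519*) algos="$algos ssh-ed25519" ;;
	*DSA*) algos="$algos ssh-dss" ;;
	*) verbose "unknown host key type $key" ;;
	esac
done

# An empty list (sudo or "sshd -T" failing, or only unrecognised key
# types) would make the loop below run zero times and the test pass
# without having done anything, so report that explicitly.
if [ -z "$algos" ]; then
	fail "no usable host keys found in sshd -T output"
fi

# One login per algorithm, with the client allowed to use only that
# algorithm for its hostbased signature.  A successful login must report
# the proxy pseudo-addresses in SSH_CONNECTION.
for algo in $algos; do
	trace "hostbased algo $algo"
	opts="-F $OBJ/ssh_proxy"
	# None of the discovered algorithms is named "default", so this
	# currently always adds the option.
	if [ "x$algo" != "xdefault" ]; then
		opts="$opts -oHostbasedAcceptedAlgorithms=$algo"
	fi
	# $opts is word-split on purpose; $? is the status of ssh itself.
	SSH_CONNECTION=$(${SSH} $opts localhost 'echo $SSH_CONNECTION')
	if [ $? -ne 0 ]; then
		fail "connect failed, hostbased algo $algo"
	elif [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
		fail "hostbased algo $algo bad SSH_CONNECTION" \
		    "$SSH_CONNECTION"
	else
		verbose "ok hostbased algo $algo"
	fi
done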