1# $OpenBSD 2# Placed in the Public Domain. 3 4tid="penalties" 5 6grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak 7cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak 8 9conf() { 10 test -z "$PIDFILE" || stop_sshd 11 (cat $OBJ/sshd_config.bak ; 12 echo "PerSourcePenalties $@") > $OBJ/sshd_config 13 cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER} 14 start_sshd 15} 16 17conf "authfail:300s min:350s max:900s" 18 19verbose "test connect" 20${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed" 21 22verbose "penalty for authentication failure" 23 24# Fail authentication once 25cat /dev/null > $OBJ/authorized_keys_${USER} 26${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded" 27cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER} 28sleep 2 29 30# Should be below penalty threshold 31${SSH} -F $OBJ/ssh_config somehost true || fatal "authfail not expired" 32sleep 2 33 34# Fail authentication again; penalty should activate 35cat /dev/null > $OBJ/authorized_keys_${USER} 36${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded" 37cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER} 38sleep 2 39 40# These should be refused by the active penalty 41${SSH} -F $OBJ/ssh_config somehost true && fail "authfail not rejected" 42${SSH} -F $OBJ/ssh_config somehost true && fail "repeat authfail not rejected" 43 44conf "noauth:100s" 45${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed" 46verbose "penalty for no authentication" 47${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null || fatal "keyscan failed" 48sleep 2 49 50# Repeat attempt should be penalised 51${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null 2>&1 && fail "keyscan not rejected" 52 53