penalty.sh revision 1.5
1# $OpenBSD 2# Placed in the Public Domain. 3 4tid="penalties" 5 6grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak 7cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak 8 9conf() { 10 test -z "$PIDFILE" || stop_sshd 11 (cat $OBJ/sshd_config.bak ; 12 echo "PerSourcePenalties $@") > $OBJ/sshd_config 13 cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER} 14 start_sshd 15} 16 17conf "authfail:300s min:350s max:900s" 18 19verbose "test connect" 20${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed" 21 22verbose "penalty for authentication failure" 23 24# Fail authentication once 25cat /dev/null > $OBJ/authorized_keys_${USER} 26${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded" 27cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER} 28 29# Should be below penalty threshold 30${SSH} -F $OBJ/ssh_config somehost true || fatal "authfail not expired" 31 32# Fail authentication again; penalty should activate 33cat /dev/null > $OBJ/authorized_keys_${USER} 34${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded" 35cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER} 36 37# These should be refused by the active penalty 38${SSH} -F $OBJ/ssh_config somehost true && fail "authfail not rejected" 39${SSH} -F $OBJ/ssh_config somehost true && fail "repeat authfail not rejected" 40 41conf "noauth:100s" 42${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed" 43verbose "penalty for no authentication" 44${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null || fatal "keyscan failed" 45 46# Repeat attempt should be penalised 47${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null 2>&1 && fail "keyscan not rejected" 48 49