George Keishing | 49ff747 | 2019-05-02 15:10:28 -0500 | [diff] [blame] | 1 | *** Settings *** |
| 2 | Documentation Test BMC SSH security. |
| 3 | |
George Keishing | a903f5e | 2019-06-25 07:50:46 -0500 | [diff] [blame] | 4 | Resource ../lib/resource.robot |
| 5 | Resource ../lib/openbmc_ffdc_methods.robot |
George Keishing | 49ff747 | 2019-05-02 15:10:28 -0500 | [diff] [blame] | 6 | |
George Keishing | 87dc442 | 2023-10-20 12:56:30 +0530 | [diff] [blame] | 7 | Force Tags BMC_SSH_Security |
| 8 | |
George Keishing | 49ff747 | 2019-05-02 15:10:28 -0500 | [diff] [blame] | 9 | *** Variables *** |
| 10 | |
| 11 | @{allowed_shell_rcs} ${255} |
| 12 | ${ignore_err} ${0} |
| 13 | |
| 14 | # Left anchor for this regex is either a space or a comma. |
| 15 | ${left_anchor} [ ,] |
| 16 | # Right anchor for this regex is either a comma or end-of-line. |
| 17 | ${right_anchor} (,|$) |
| 18 | |
| 19 | ${weak_key_regex} ${left_anchor}(group1_sha1|DES-CBC3|CBC mode|group1|SHA1)${right_anchor} |
| 20 | ${mac_key_regex} ${left_anchor}(MD5|96-bit MAC algorithms)${right_anchor} |
| 21 | |
| 22 | *** Test Cases *** |
| 23 | |
| 24 | Verify BMC SSH Weak Cipher And Algorithm |
| 25 | [Documentation] Connect to BMC and verify no weak cipher and algorithm is |
| 26 | ... supported. |
| 27 | [Tags] Verify_BMC_SSH_Weak_Cipher_And_Algorithm |
| 28 | |
| 29 | # The following is a sample of output from ssh -vv: |
| 30 | # This test requires OpenSSH and depends on output format of ssh -vv. |
| 31 | # debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256, |
| 32 | # ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256, |
| 33 | # diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256, |
| 34 | # diffie-hellman-group14-sha1 |
| 35 | # debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa |
| 36 | # debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr, |
| 37 | # aes128-gcm@openssh.com,aes256-gcm@openssh.com |
| 38 | # debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr, |
| 39 | # aes128-gcm@openssh.com,aes256-gcm@openssh.com |
| 40 | # debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com, |
Joy Onyerikwu | 1483ce0 | 2019-06-26 14:56:36 -0500 | [diff] [blame] | 41 | # hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com, |
| 42 | # umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 |
George Keishing | 49ff747 | 2019-05-02 15:10:28 -0500 | [diff] [blame] | 43 | # debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com, |
Joy Onyerikwu | 1483ce0 | 2019-06-26 14:56:36 -0500 | [diff] [blame] | 44 | # hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com, |
| 45 | # umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 |
George Keishing | 49ff747 | 2019-05-02 15:10:28 -0500 | [diff] [blame] | 46 | |
| 47 | # Example of weak algorithms to check: |
| 48 | # - encryption: triple-DES ("DES-CBC3"). |
| 49 | # - encryption: CBC mode |
| 50 | # - MAC: MD5 and 96-bit MAC algorithms |
| 51 | # - KEX: diffie-hellman-group1(any) , (any) SHA1 |
| 52 | |
| 53 | Printn |
George Keishing | 8ea5b61 | 2022-03-22 23:51:26 -0500 | [diff] [blame] | 54 | ${ssh_cmd_buf}= Catenate ssh -o NumberOfPasswordPrompts=0 -o UserKnownHostsFile=/dev/null |
George Keishing | aa7a6fd | 2022-03-18 00:44:06 -0500 | [diff] [blame] | 55 | ... -o StrictHostKeyChecking=no -vv ${OPENBMC_HOST} 2>&1 |
| 56 | |
| 57 | ${rc} ${std_err}= Shell Cmd ! ${ssh_cmd_buf} |
| 58 | Log std_err=${std_err} console=yes |
| 59 | Log rc=${rc} console=yes |
| 60 | |
| 61 | ${has_it}= Run Keyword And Return Status Should Contain ${std_err} Permission denied |
| 62 | Skip If not ${has_it} |
| 63 | ... Skipping test case since response is not as expected |
| 64 | |
George Keishing | 49ff747 | 2019-05-02 15:10:28 -0500 | [diff] [blame] | 65 | Shell Cmd ! ${ssh_cmd_buf} | egrep -- "${weak_key_regex}" |
| 66 | Shell Cmd ! ${ssh_cmd_buf} | egrep -- "${mac_key_regex}" |