Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc-test-automation / d1597f057e8b1517640b5fe18465d6f82201c0a7 / . / security / test_bmc_ssh_security.robot
blob: 88accd0bb9947a8607d0ade65e30ea54ae6088cb [file] [log] [blame]
George Keishing49ff7472019-05-02 15:10:28 -0500[diff] [blame]1*** Settings ***
2Documentation Test BMC SSH security.
3
George Keishinga903f5e2019-06-25 07:50:46 -0500[diff] [blame]4Resource ../lib/resource.robot
5Resource ../lib/openbmc_ffdc_methods.robot
George Keishing49ff7472019-05-02 15:10:28 -0500[diff] [blame]6
7*** Variables ***
8
9@{allowed_shell_rcs} ${255}
10${ignore_err} ${0}
11
12# Left anchor for this regex is either a space or a comma.
13${left_anchor} [ ,]
14# Right anchor for this regex is either a comma or end-of-line.
15${right_anchor} (,|$)
16
17${weak_key_regex} ${left_anchor}(group1_sha1|DES-CBC3|CBC mode|group1|SHA1)${right_anchor}
18${mac_key_regex} ${left_anchor}(MD5|96-bit MAC algorithms)${right_anchor}
19
20*** Test Cases ***
21
22Verify BMC SSH Weak Cipher And Algorithm
23 [Documentation] Connect to BMC and verify no weak cipher and algorithm is
24 ... supported.
25 [Tags] Verify_BMC_SSH_Weak_Cipher_And_Algorithm
26
27 # The following is a sample of output from ssh -vv:
28 # This test requires OpenSSH and depends on output format of ssh -vv.
29 # debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,
30 # ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,
31 # diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,
32 # diffie-hellman-group14-sha1
33 # debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
34 # debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,
35 # aes128-gcm@openssh.com,aes256-gcm@openssh.com
36 # debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,
37 # aes128-gcm@openssh.com,aes256-gcm@openssh.com
38 # debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
Joy Onyerikwu1483ce02019-06-26 14:56:36 -0500[diff] [blame]39 # hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,
40 # umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
George Keishing49ff7472019-05-02 15:10:28 -0500[diff] [blame]41 # debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
Joy Onyerikwu1483ce02019-06-26 14:56:36 -0500[diff] [blame]42 # hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,
43 # umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
George Keishing49ff7472019-05-02 15:10:28 -0500[diff] [blame]44
45 # Example of weak algorithms to check:
46 # - encryption: triple-DES ("DES-CBC3").
47 # - encryption: CBC mode
48 # - MAC: MD5 and 96-bit MAC algorithms
49 # - KEX: diffie-hellman-group1(any) , (any) SHA1
50
51 Printn
George Keishing8ea5b612022-03-22 23:51:26 -0500[diff] [blame]52 ${ssh_cmd_buf}= Catenate ssh -o NumberOfPasswordPrompts=0 -o UserKnownHostsFile=/dev/null
George Keishingaa7a6fd2022-03-18 00:44:06 -0500[diff] [blame]53 ... -o StrictHostKeyChecking=no -vv ${OPENBMC_HOST} 2>&1
54
55 ${rc} ${std_err}= Shell Cmd ! ${ssh_cmd_buf}
56 Log std_err=${std_err} console=yes
57 Log rc=${rc} console=yes
58
59 ${has_it}= Run Keyword And Return Status Should Contain ${std_err} Permission denied
60 Skip If not ${has_it}
61 ... Skipping test case since response is not as expected
62
George Keishing49ff7472019-05-02 15:10:28 -0500[diff] [blame]63 Shell Cmd ! ${ssh_cmd_buf} | egrep -- "${weak_key_regex}"
64 Shell Cmd ! ${ssh_cmd_buf} | egrep -- "${mac_key_regex}"