*** Settings ***
Documentation    Test BMC SSH security.

Resource         ../lib/resource.robot
Resource         ../lib/openbmc_ffdc_methods.robot

Test Tags       BMC_SSH_Security

*** Variables ***

# ssh exits 255 when the connection or the authentication fails, which is the
# expected outcome of the unauthenticated probe below.
@{allowed_shell_rcs}   ${255}
${ignore_err}          ${0}

# Left anchor for this regex is either a space or a comma, i.e. the start of an
# algorithm name in an "algorithms: a,b,c" list printed by ssh -vv.
${left_anchor}         [ ,]
# Right anchor for this regex is either a comma or end-of-line, so a whole
# algorithm name has to match, not a substring of a stronger one.
${right_anchor}        (,|$)

# Algorithm names exactly as OpenSSH prints them in a KEXINIT proposal (egrep is
# case sensitive): any SHA-1 based Diffie-Hellman key exchange, and triple-DES
# (3des-cbc) or any other CBC-mode cipher.
${weak_key_regex}   ${left_anchor}(diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1|[a-z0-9]+-cbc)${right_anchor}
# MD5-based and 96-bit (truncated) MACs, with or without the OpenSSH
# encrypt-then-MAC suffix.
${mac_key_regex}    ${left_anchor}(hmac-md5|hmac-md5-96|hmac-sha1-96)(-etm@openssh.com)?${right_anchor}

*** Test Cases ***

Verify BMC SSH Weak Cipher And Algorithm
    [Documentation]  Connect to the BMC and verify that its SSH server offers no
    ...              weak cipher, MAC or key-exchange algorithm.
    [Tags]  Verify_BMC_SSH_Weak_Cipher_And_Algorithm

    # This test requires OpenSSH and depends on the output format of ssh -vv,
    # which prints the client's own proposal under "local client KEXINIT
    # proposal" and the BMC's under "peer server KEXINIT proposal". Each of the
    # two blocks looks like the following sample:
    # debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,
    #         ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,
    #         diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,
    #         diffie-hellman-group14-sha1
    # debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
    # debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,
    #         aes128-gcm@openssh.com,aes256-gcm@openssh.com
    # debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,
    #         aes128-gcm@openssh.com,aes256-gcm@openssh.com
    # debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
    #         hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,
    #         umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    # debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
    #         hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,
    #         umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

    # Weak algorithms to check for (names as OpenSSH prints them):
    # - encryption: triple-DES (3des-cbc) and any other CBC-mode cipher.
    # - MAC: hmac-md5 and the 96-bit truncated MACs (hmac-sha1-96, hmac-md5-96).
    # - KEX: diffie-hellman-group1-sha1 and any other SHA-1 based key exchange.

    Printn
    # Unauthenticated probe: password prompts are disabled and the host key is
    # not checked, which is acceptable only because no password can be sent to
    # whatever answers; the point is the KEXINIT exchange that -vv prints
    # before authentication starts.
    ${ssh_cmd_buf}=  Catenate  ssh -o NumberOfPasswordPrompts=0 -o UserKnownHostsFile=/dev/null
    ...  -o StrictHostKeyChecking=no -vv ${OPENBMC_HOST} 2>&1

    # stderr is merged into stdout by the 2>&1 above, so the single output
    # string carries the debug2 proposal lines and the final ssh error.
    ${rc}  ${ssh_output}=  Shell Cmd  ! ${ssh_cmd_buf}
    Log  ssh_output=${ssh_output}  console=yes
    Log  rc=${rc}  console=yes

    # "Permission denied" proves the handshake completed and authentication was
    # reached; anything else (host unreachable, connection refused) means the
    # proposals were never exchanged and there is nothing to grade.
    ${reached_auth}=  Run Keyword And Return Status  Should Contain  ${ssh_output}  Permission denied
    Skip If  not ${reached_auth}
    ...  Skipping test case since ssh did not reach authentication (no "Permission denied" in output)

    # ssh -vv prints the local client proposal first and the peer server
    # proposal second; grade only the server's lines so that the client's own
    # algorithm list cannot fail the test. The leading "!" inverts the pipeline
    # status, so the test fails exactly when egrep finds a weak name.
    ${server_proposal}=  Set Variable  sed -n '/peer server KEXINIT proposal/,/^debug1: /p'
    Shell Cmd  ! ${ssh_cmd_buf} | ${server_proposal} | egrep -- "${weak_key_regex}"
    Shell Cmd  ! ${ssh_cmd_buf} | ${server_proposal} | egrep -- "${mac_key_regex}"