*** Settings ***
Documentation    Test BMC SSH security.

Resource         ../lib/resource.robot
Resource         ../lib/openbmc_ffdc_methods.robot

Test Tags       BMC_SSH_Security

*** Variables ***

@{allowed_shell_rcs}  ${255}
${ignore_err}         ${0}

# Left anchor for this regex is either a space or a comma.
${left_anchor}        [ ,]
# Right anchor for this regex is either a comma or end-of-line.
${right_anchor}       (,|$)

${weak_key_regex}     ${left_anchor}(group1_sha1|DES-CBC3|CBC mode|group1|SHA1)${right_anchor}
${mac_key_regex}      ${left_anchor}(MD5|96-bit MAC algorithms)${right_anchor}

*** Test Cases ***

Verify BMC SSH Weak Cipher And Algorithm
    [Documentation]  Connect to the BMC and verify that no weak cipher or
    ...  algorithm is supported.
    [Tags]  Verify_BMC_SSH_Weak_Cipher_And_Algorithm

    # This test requires OpenSSH and depends on the output format of ssh -vv.
    # The following is a sample of output from ssh -vv:
    # debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,
    # ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,
    # diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,
    # diffie-hellman-group14-sha1
    # debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
    # debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,
    # aes128-gcm@openssh.com,aes256-gcm@openssh.com
    # debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,
    # aes128-gcm@openssh.com,aes256-gcm@openssh.com
    # debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
    # hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,
    # umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    # debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
    # hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,
    # umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

    # Examples of weak algorithms to check:
    # - encryption: triple-DES ("DES-CBC3").
    # - encryption: CBC mode ciphers.
    # - MAC: MD5 and 96-bit MAC algorithms.
    # - KEX: diffie-hellman-group1 (any variant), any SHA1-based KEX.

    # Note: ssh -vv prints both the local client's KEXINIT proposal and the
    # peer server's proposal under identical "debug2:" labels, so the egrep
    # below scans both. egrep is case-sensitive and the regexes are anchored
    # on a space or comma, so only standalone comma-separated tokens spelled
    # exactly as in the patterns above are flagged.

    Printn
    # Password prompts are disabled so ssh fails fast at authentication instead
    # of waiting for input; host-key checking is relaxed because the BMC key
    # is not expected to be in the runner's known_hosts. 2>&1 folds the debug
    # output (which ssh writes to stderr) into the captured stdout.
    ${ssh_cmd_buf}=  Catenate  ssh -o NumberOfPasswordPrompts=0 -o UserKnownHostsFile=/dev/null
    ...  -o StrictHostKeyChecking=no -vv ${OPENBMC_HOST} 2>&1

    # The leading "!" is shell negation: ssh is expected to fail (it exits 255
    # on "Permission denied"), so the negated status is 0 and Shell Cmd does
    # not raise. Because of 2>&1, ${std_err} holds the combined output.
    ${rc}  ${std_err}=  Shell Cmd  ! ${ssh_cmd_buf}
    Log  std_err=${std_err}  console=yes
    Log  rc=${rc}  console=yes

    # Only proceed if the handshake reached authentication; otherwise the
    # algorithm lists in the output may not be the BMC's at all.
    ${has_it}=  Run Keyword And Return Status  Should Contain  ${std_err}  Permission denied
    Skip If  not ${has_it}
    ...  Skipping test case since response is not as expected

    # egrep exits 1 when nothing matches; "!" turns that into 0 (pass). A match,
    # i.e. a weak algorithm present in the output, yields rc 1 after negation
    # and fails the test.
    Shell Cmd  ! ${ssh_cmd_buf} | egrep -- "${weak_key_regex}"
    Shell Cmd  ! ${ssh_cmd_buf} | egrep -- "${mac_key_regex}"
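# Added example (not part of the openbmc-test-automation project): a Python
# checker for the same ssh -vv output the test above greps. It separates the
# "peer server KEXINIT proposal" from the "local client KEXINIT proposal" so
# that only what the BMC offers is judged, and matches algorithm names as the
# lower-case, hyphen-joined tokens ssh actually prints (3des-cbc, hmac-md5,
# diffie-hellman-group1-sha1, ...). The sample output is constructed and the
# weak-algorithm rules are an assumption that mirrors the test's comment
# (triple-DES, CBC mode, MD5 and 96-bit MACs, group1 and SHA-1 KEX).

```python
"""Parse `ssh -vv` debug output and flag weak algorithms in the peer's KEXINIT proposal."""
import re

# Constructed sample of `ssh -vv` output (abridged), not a capture from a real BMC.
# The server block deliberately advertises several weak algorithms; the client
# block offers one SHA-1 KEX, which must not count against the server.
SAMPLE_SSH_VV = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
debug2: MACs stoc: umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: ciphers stoc: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha1,hmac-md5,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256,hmac-sha1,hmac-md5,hmac-sha1-96
debug2: compression ctos: none
debug2: compression stoc: none
debug1: kex: algorithm: curve25519-sha256
user@bmc: Permission denied (publickey,password).
"""

# ssh -vv distinguishes the two proposals only by these header lines; the
# per-category lines that follow each header look the same for client and server.
PROPOSAL_HEADER = re.compile(r"^debug2: (local client|peer server) KEXINIT proposal$")
ALGORITHM_LINE = re.compile(
    r"^debug2: (KEX algorithms|host key algorithms|ciphers ctos|ciphers stoc|MACs ctos|MACs stoc): ?(.*)$"
)

# Assumed weak-algorithm rules mirroring the Robot test's comment: triple-DES and
# CBC-mode ciphers, MD5 and 96-bit MACs, group1 and SHA-1 based key exchange.
WEAK_PATTERNS = {
    "ciphers": re.compile(r"^3des-|-cbc(@|$)"),
    "MACs": re.compile(r"md5|-96(-etm@openssh\.com)?$"),
    "KEX algorithms": re.compile(r"group1-|-sha1$"),
}


def parse_kexinit_proposals(output: str) -> dict:
    """Return {"client": {category: [names]}, "server": {...}} from ssh -vv text."""
    proposals = {}
    current = None
    for line in output.splitlines():
        header = PROPOSAL_HEADER.match(line)
        if header:
            current = "client" if header.group(1) == "local client" else "server"
            proposals[current] = {}
            continue
        entry = ALGORITHM_LINE.match(line)
        if entry and current is not None:
            names = [n for n in entry.group(2).split(",") if n]
            proposals[current][entry.group(1)] = names
    return proposals


def find_weak_algorithms(proposal: dict) -> dict:
    """Map each rule ("ciphers", "MACs", "KEX algorithms") to the sorted offending names."""
    hits = {}
    for category, names in proposal.items():
        for rule, pattern in WEAK_PATTERNS.items():
            if category.startswith(rule):
                hits.setdefault(rule, set()).update(n for n in names if pattern.search(n))
    return {rule: sorted(names) for rule, names in hits.items() if names}


def audit_ssh_vv_output(output: str) -> dict:
    """Judge only the server's proposal; what our own client offers says nothing about the BMC."""
    proposals = parse_kexinit_proposals(output)
    if "server" not in proposals:
        raise ValueError("no 'peer server KEXINIT proposal' block; was ssh run with -vv?")
    return {
        # Same sanity check as the Robot test: the handshake must have reached
        # authentication, otherwise the proposal may not be the BMC's at all.
        "reached_auth": "Permission denied" in output,
        "server_weak": find_weak_algorithms(proposals["server"]),
        "client_weak": find_weak_algorithms(proposals.get("client", {})),
    }


if __name__ == "__main__":
    result = audit_ssh_vv_output(SAMPLE_SSH_VV)
    for side in ("server_weak", "client_weak"):
        print(f"{side}: {result[side]}")
    print("PASS" if result["reached_auth"] and not result["server_weak"] else "FAIL")
```

# Run it on a real BMC by feeding it the captured output, for example
# `ssh -o NumberOfPasswordPrompts=0 -vv bmc 2>&1 | python3 ssh_audit.py` with a
# small stdin wrapper around audit_ssh_vv_output; the sample above yields
# three server findings and one client-only finding that is deliberately ignored.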