1*** Settings *** 2Documentation Test BMC SSH security. 3 4Resource ../lib/resource.robot 5Resource ../lib/openbmc_ffdc_methods.robot 6 7*** Variables *** 8 9@{allowed_shell_rcs} ${255} 10${ignore_err} ${0} 11 12# Left anchor for this regex is either a space or a comma. 13${left_anchor} [ ,] 14# Right anchor for this regex is either a comma or end-of-line. 15${right_anchor} (,|$) 16 17${weak_key_regex} ${left_anchor}(group1_sha1|DES-CBC3|CBC mode|group1|SHA1)${right_anchor} 18${mac_key_regex} ${left_anchor}(MD5|96-bit MAC algorithms)${right_anchor} 19 20*** Test Cases *** 21 22Verify BMC SSH Weak Cipher And Algorithm 23 [Documentation] Connect to BMC and verify no weak cipher and algorithm is 24 ... supported. 25 [Tags] Verify_BMC_SSH_Weak_Cipher_And_Algorithm 26 27 # The following is a sample of output from ssh -vv: 28 # This test requires OpenSSH and depends on output format of ssh -vv. 29 # debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256, 30 # ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256, 31 # diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256, 32 # diffie-hellman-group14-sha1 33 # debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa 34 # debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr, 35 # aes128-gcm@openssh.com,aes256-gcm@openssh.com 36 # debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr, 37 # aes128-gcm@openssh.com,aes256-gcm@openssh.com 38 # debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com, 39 # hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com, 40 # umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 41 # debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com, 42 # hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com, 43 # umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 44 45 # Example of weak algorithms to check: 46 # - encryption: triple-DES ("DES-CBC3"). 47 # - encryption: CBC mode 48 # - MAC: MD5 and 96-bit MAC algorithms 49 # - KEX: diffie-hellman-group1(any) , (any) SHA1 50 51 Printn 52 ${ssh_cmd_buf}= Catenate ssh -o NumberOfPasswordPrompts=0 -o UserKnownHostsFile=/dev/null 53 ... -o StrictHostKeyChecking=no -vv ${OPENBMC_HOST} 2>&1 54 55 ${rc} ${std_err}= Shell Cmd ! ${ssh_cmd_buf} 56 Log std_err=${std_err} console=yes 57 Log rc=${rc} console=yes 58 59 ${has_it}= Run Keyword And Return Status Should Contain ${std_err} Permission denied 60 Skip If not ${has_it} 61 ... Skipping test case since response is not as expected 62 63 Shell Cmd ! ${ssh_cmd_buf} | egrep -- "${weak_key_regex}" 64 Shell Cmd ! ${ssh_cmd_buf} | egrep -- "${mac_key_regex}" 65