feat: implement SSH honeypot server with auth and config

Add core SSH server with password authentication, per-IP failure
tracking, credential memory with TTL, and static credential support.
Includes TOML config loading with validation, Ed25519 host key
auto-generation, and a Nix package output.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/auth/auth.go

@@ -0,0 +1,68 @@
+package auth
+
+import (
+	"sync"
+	"time"
+
+	"git.t-juice.club/torjus/oubliette/internal/config"
+)
+
+type credKey struct {
+	Username string
+	Password string
+}
+
+type Decision struct {
+	Accepted bool
+	Reason   string // "static_credential", "threshold_reached", "remembered_credential", "rejected"
+}
+
+type Authenticator struct {
+	mu              sync.Mutex
+	cfg             config.AuthConfig
+	failCounts      map[string]int        // IP -> consecutive failures
+	rememberedCreds map[credKey]time.Time // (user,pass) -> expiry
+	now             func() time.Time      // for testing
+}
+
+func NewAuthenticator(cfg config.AuthConfig) *Authenticator {
+	return &Authenticator{
+		cfg:             cfg,
+		failCounts:      make(map[string]int),
+		rememberedCreds: make(map[credKey]time.Time),
+		now:             time.Now,
+	}
+}
+
+func (a *Authenticator) Authenticate(ip, username, password string) Decision {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+
+	// 1. Check static credentials.
+	for _, cred := range a.cfg.StaticCredentials {
+		if cred.Username == username && cred.Password == password {
+			a.failCounts[ip] = 0
+			return Decision{Accepted: true, Reason: "static_credential"}
+		}
+	}
+
+	// 2. Check remembered credentials.
+	key := credKey{Username: username, Password: password}
+	if expiry, ok := a.rememberedCreds[key]; ok {
+		if a.now().Before(expiry) {
+			a.failCounts[ip] = 0
+			return Decision{Accepted: true, Reason: "remembered_credential"}
+		}
+		delete(a.rememberedCreds, key)
+	}
+
+	// 3. Increment fail count, check threshold.
+	a.failCounts[ip]++
+	if a.failCounts[ip] >= a.cfg.AcceptAfter {
+		a.failCounts[ip] = 0
+		a.rememberedCreds[key] = a.now().Add(a.cfg.CredentialTTLDuration)
+		return Decision{Accepted: true, Reason: "threshold_reached"}
+	}
+
+	return Decision{Accepted: false, Reason: "rejected"}
+}

internal/auth/auth_test.go

@@ -0,0 +1,142 @@
+package auth
+
+import (
+	"sync"
+	"testing"
+	"time"
+
+	"git.t-juice.club/torjus/oubliette/internal/config"
+)
+
+func newTestAuth(acceptAfter int, ttl time.Duration, statics ...config.Credential) *Authenticator {
+	a := NewAuthenticator(config.AuthConfig{
+		AcceptAfter:       acceptAfter,
+		CredentialTTLDuration: ttl,
+		StaticCredentials: statics,
+	})
+	return a
+}
+
+func TestStaticCredentialsAccepted(t *testing.T) {
+	a := newTestAuth(10, time.Hour, config.Credential{Username: "root", Password: "toor"})
+	d := a.Authenticate("1.2.3.4", "root", "toor")
+	if !d.Accepted || d.Reason != "static_credential" {
+		t.Errorf("got %+v, want accepted with static_credential", d)
+	}
+}
+
+func TestStaticCredentialsWrongPassword(t *testing.T) {
+	a := newTestAuth(10, time.Hour, config.Credential{Username: "root", Password: "toor"})
+	d := a.Authenticate("1.2.3.4", "root", "wrong")
+	if d.Accepted {
+		t.Errorf("should not accept wrong password for static credential")
+	}
+}
+
+func TestRejectionBeforeThreshold(t *testing.T) {
+	a := newTestAuth(3, time.Hour)
+	for i := 0; i < 2; i++ {
+		d := a.Authenticate("1.2.3.4", "user", "pass")
+		if d.Accepted {
+			t.Fatalf("attempt %d should be rejected", i+1)
+		}
+		if d.Reason != "rejected" {
+			t.Errorf("attempt %d reason = %q, want %q", i+1, d.Reason, "rejected")
+		}
+	}
+}
+
+func TestThresholdAcceptance(t *testing.T) {
+	a := newTestAuth(3, time.Hour)
+	for i := 0; i < 2; i++ {
+		d := a.Authenticate("1.2.3.4", "user", "pass")
+		if d.Accepted {
+			t.Fatalf("attempt %d should be rejected", i+1)
+		}
+	}
+	d := a.Authenticate("1.2.3.4", "user", "pass")
+	if !d.Accepted || d.Reason != "threshold_reached" {
+		t.Errorf("attempt 3 got %+v, want accepted with threshold_reached", d)
+	}
+}
+
+func TestPerIPIsolation(t *testing.T) {
+	a := newTestAuth(3, time.Hour)
+
+	// IP1 gets 2 failures.
+	for i := 0; i < 2; i++ {
+		a.Authenticate("1.1.1.1", "user", "pass")
+	}
+
+	// IP2 should start at 0, not inherit IP1's count.
+	d := a.Authenticate("2.2.2.2", "user", "pass")
+	if d.Accepted {
+		t.Error("IP2's first attempt should be rejected")
+	}
+}
+
+func TestCredentialMemoryAcrossIPs(t *testing.T) {
+	a := newTestAuth(2, time.Hour)
+
+	// IP1 reaches threshold, credential is remembered.
+	a.Authenticate("1.1.1.1", "user", "pass")
+	d := a.Authenticate("1.1.1.1", "user", "pass")
+	if !d.Accepted || d.Reason != "threshold_reached" {
+		t.Fatalf("threshold not reached: %+v", d)
+	}
+
+	// IP2 should get in with the remembered credential.
+	d = a.Authenticate("2.2.2.2", "user", "pass")
+	if !d.Accepted || d.Reason != "remembered_credential" {
+		t.Errorf("IP2 got %+v, want accepted with remembered_credential", d)
+	}
+}
+
+func TestCredentialMemoryExpires(t *testing.T) {
+	a := newTestAuth(2, time.Hour)
+	now := time.Now()
+	a.now = func() time.Time { return now }
+
+	// Reach threshold to remember credential.
+	a.Authenticate("1.1.1.1", "user", "pass")
+	a.Authenticate("1.1.1.1", "user", "pass")
+
+	// Advance past TTL.
+	a.now = func() time.Time { return now.Add(2 * time.Hour) }
+
+	d := a.Authenticate("2.2.2.2", "user", "pass")
+	if d.Accepted {
+		t.Errorf("expired credential should not be accepted: %+v", d)
+	}
+}
+
+func TestCounterResetsAfterAcceptance(t *testing.T) {
+	a := newTestAuth(2, time.Hour)
+
+	// Reach threshold.
+	a.Authenticate("1.1.1.1", "user", "pass")
+	d := a.Authenticate("1.1.1.1", "user", "pass")
+	if !d.Accepted {
+		t.Fatal("threshold not reached")
+	}
+
+	// With a different credential, counter should be reset.
+	d = a.Authenticate("1.1.1.1", "other", "cred")
+	if d.Accepted {
+		t.Error("first attempt after reset should be rejected")
+	}
+}
+
+func TestConcurrentAccess(t *testing.T) {
+	a := newTestAuth(5, time.Hour)
+	var wg sync.WaitGroup
+
+	for i := 0; i < 100; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			a.Authenticate("1.2.3.4", "user", "pass")
+		}()
+	}
+	wg.Wait()
+}

internal/config/config.go

@@ -0,0 +1,98 @@
+package config
+
+import (
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/BurntSushi/toml"
+)
+
+type Config struct {
+	SSH      SSHConfig  `toml:"ssh"`
+	Auth     AuthConfig `toml:"auth"`
+	LogLevel string     `toml:"log_level"`
+}
+
+type SSHConfig struct {
+	ListenAddr  string `toml:"listen_addr"`
+	HostKeyPath string `toml:"host_key_path"`
+}
+
+type AuthConfig struct {
+	AcceptAfter       int          `toml:"accept_after"`
+	CredentialTTL     string       `toml:"credential_ttl"`
+	StaticCredentials []Credential `toml:"static_credentials"`
+
+	// Parsed duration, not from TOML directly.
+	CredentialTTLDuration time.Duration `toml:"-"`
+}
+
+type Credential struct {
+	Username string `toml:"username"`
+	Password string `toml:"password"`
+}
+
+func Load(path string) (*Config, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("reading config: %w", err)
+	}
+
+	cfg := &Config{}
+	if err := toml.Unmarshal(data, cfg); err != nil {
+		return nil, fmt.Errorf("parsing config: %w", err)
+	}
+
+	applyDefaults(cfg)
+
+	if err := validate(cfg); err != nil {
+		return nil, fmt.Errorf("validating config: %w", err)
+	}
+
+	return cfg, nil
+}
+
+func applyDefaults(cfg *Config) {
+	if cfg.SSH.ListenAddr == "" {
+		cfg.SSH.ListenAddr = ":2222"
+	}
+	if cfg.SSH.HostKeyPath == "" {
+		cfg.SSH.HostKeyPath = "oubliette_host_key"
+	}
+	if cfg.Auth.AcceptAfter == 0 {
+		cfg.Auth.AcceptAfter = 10
+	}
+	if cfg.Auth.CredentialTTL == "" {
+		cfg.Auth.CredentialTTL = "24h"
+	}
+	if cfg.LogLevel == "" {
+		cfg.LogLevel = "info"
+	}
+}
+
+func validate(cfg *Config) error {
+	d, err := time.ParseDuration(cfg.Auth.CredentialTTL)
+	if err != nil {
+		return fmt.Errorf("invalid credential_ttl %q: %w", cfg.Auth.CredentialTTL, err)
+	}
+	if d <= 0 {
+		return fmt.Errorf("credential_ttl must be positive, got %s", d)
+	}
+	cfg.Auth.CredentialTTLDuration = d
+
+	if cfg.Auth.AcceptAfter < 1 {
+		return fmt.Errorf("accept_after must be at least 1, got %d", cfg.Auth.AcceptAfter)
+	}
+
+	for i, cred := range cfg.Auth.StaticCredentials {
+		if cred.Username == "" {
+			return fmt.Errorf("static_credentials[%d]: username must not be empty", i)
+		}
+		if cred.Password == "" {
+			return fmt.Errorf("static_credentials[%d]: password must not be empty", i)
+		}
+	}
+
+	return nil
+}

internal/config/config_test.go

@@ -0,0 +1,138 @@
+package config
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+)
+
+func TestLoadValidConfig(t *testing.T) {
+	content := `
+log_level = "debug"
+
+[ssh]
+listen_addr = ":3333"
+host_key_path = "/tmp/test_key"
+
+[auth]
+accept_after = 5
+credential_ttl = "1h"
+
+[[auth.static_credentials]]
+username = "root"
+password = "toor"
+`
+	path := writeTemp(t, content)
+	cfg, err := Load(path)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if cfg.LogLevel != "debug" {
+		t.Errorf("log_level = %q, want %q", cfg.LogLevel, "debug")
+	}
+	if cfg.SSH.ListenAddr != ":3333" {
+		t.Errorf("listen_addr = %q, want %q", cfg.SSH.ListenAddr, ":3333")
+	}
+	if cfg.SSH.HostKeyPath != "/tmp/test_key" {
+		t.Errorf("host_key_path = %q, want %q", cfg.SSH.HostKeyPath, "/tmp/test_key")
+	}
+	if cfg.Auth.AcceptAfter != 5 {
+		t.Errorf("accept_after = %d, want %d", cfg.Auth.AcceptAfter, 5)
+	}
+	if cfg.Auth.CredentialTTLDuration != time.Hour {
+		t.Errorf("credential_ttl_duration = %v, want %v", cfg.Auth.CredentialTTLDuration, time.Hour)
+	}
+	if len(cfg.Auth.StaticCredentials) != 1 {
+		t.Fatalf("static_credentials len = %d, want 1", len(cfg.Auth.StaticCredentials))
+	}
+	if cfg.Auth.StaticCredentials[0].Username != "root" {
+		t.Errorf("username = %q, want %q", cfg.Auth.StaticCredentials[0].Username, "root")
+	}
+}
+
+func TestLoadDefaults(t *testing.T) {
+	path := writeTemp(t, "")
+	cfg, err := Load(path)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if cfg.SSH.ListenAddr != ":2222" {
+		t.Errorf("default listen_addr = %q, want %q", cfg.SSH.ListenAddr, ":2222")
+	}
+	if cfg.SSH.HostKeyPath != "oubliette_host_key" {
+		t.Errorf("default host_key_path = %q, want %q", cfg.SSH.HostKeyPath, "oubliette_host_key")
+	}
+	if cfg.Auth.AcceptAfter != 10 {
+		t.Errorf("default accept_after = %d, want %d", cfg.Auth.AcceptAfter, 10)
+	}
+	if cfg.Auth.CredentialTTLDuration != 24*time.Hour {
+		t.Errorf("default credential_ttl = %v, want %v", cfg.Auth.CredentialTTLDuration, 24*time.Hour)
+	}
+	if cfg.LogLevel != "info" {
+		t.Errorf("default log_level = %q, want %q", cfg.LogLevel, "info")
+	}
+}
+
+func TestLoadInvalidTTL(t *testing.T) {
+	content := `
+[auth]
+credential_ttl = "notaduration"
+`
+	path := writeTemp(t, content)
+	_, err := Load(path)
+	if err == nil {
+		t.Fatal("expected error for invalid credential_ttl")
+	}
+}
+
+func TestLoadNegativeTTL(t *testing.T) {
+	content := `
+[auth]
+credential_ttl = "-1h"
+`
+	path := writeTemp(t, content)
+	_, err := Load(path)
+	if err == nil {
+		t.Fatal("expected error for negative credential_ttl")
+	}
+}
+
+func TestLoadInvalidStaticCredential(t *testing.T) {
+	content := `
+[[auth.static_credentials]]
+username = ""
+password = "test"
+`
+	path := writeTemp(t, content)
+	_, err := Load(path)
+	if err == nil {
+		t.Fatal("expected error for empty username")
+	}
+}
+
+func TestLoadMissingFile(t *testing.T) {
+	_, err := Load("/nonexistent/path/config.toml")
+	if err == nil {
+		t.Fatal("expected error for missing file")
+	}
+}
+
+func TestLoadInvalidTOML(t *testing.T) {
+	path := writeTemp(t, "{{{{invalid toml")
+	_, err := Load(path)
+	if err == nil {
+		t.Fatal("expected error for invalid TOML")
+	}
+}
+
+func writeTemp(t *testing.T, content string) string {
+	t.Helper()
+	path := filepath.Join(t.TempDir(), "config.toml")
+	if err := os.WriteFile(path, []byte(content), 0644); err != nil {
+		t.Fatalf("writing temp config: %v", err)
+	}
+	return path
+}

internal/server/server.go

@@ -0,0 +1,230 @@
+package server
+
+import (
+	"context"
+	"crypto/ed25519"
+	"crypto/rand"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"log/slog"
+	"net"
+	"os"
+	"time"
+
+	"git.t-juice.club/torjus/oubliette/internal/auth"
+	"git.t-juice.club/torjus/oubliette/internal/config"
+	"golang.org/x/crypto/ssh"
+)
+
+const sessionTimeout = 30 * time.Second
+
+type Server struct {
+	cfg           config.Config
+	authenticator *auth.Authenticator
+	sshConfig     *ssh.ServerConfig
+	logger        *slog.Logger
+}
+
+func New(cfg config.Config, logger *slog.Logger) (*Server, error) {
+	s := &Server{
+		cfg:           cfg,
+		authenticator: auth.NewAuthenticator(cfg.Auth),
+		logger:        logger,
+	}
+
+	hostKey, err := loadOrGenerateHostKey(cfg.SSH.HostKeyPath)
+	if err != nil {
+		return nil, fmt.Errorf("host key: %w", err)
+	}
+
+	s.sshConfig = &ssh.ServerConfig{
+		PasswordCallback: s.passwordCallback,
+		ServerVersion:    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
+	}
+	s.sshConfig.AddHostKey(hostKey)
+
+	return s, nil
+}
+
+func (s *Server) ListenAndServe(ctx context.Context) error {
+	listener, err := net.Listen("tcp", s.cfg.SSH.ListenAddr)
+	if err != nil {
+		return fmt.Errorf("listen: %w", err)
+	}
+	defer listener.Close()
+
+	s.logger.Info("SSH server listening", "addr", s.cfg.SSH.ListenAddr)
+
+	go func() {
+		<-ctx.Done()
+		listener.Close()
+	}()
+
+	for {
+		conn, err := listener.Accept()
+		if err != nil {
+			if ctx.Err() != nil {
+				return nil
+			}
+			s.logger.Error("accept error", "err", err)
+			continue
+		}
+		go s.handleConn(conn)
+	}
+}
+
+func (s *Server) handleConn(conn net.Conn) {
+	defer conn.Close()
+
+	sshConn, chans, reqs, err := ssh.NewServerConn(conn, s.sshConfig)
+	if err != nil {
+		s.logger.Debug("SSH handshake failed", "remote_addr", conn.RemoteAddr(), "err", err)
+		return
+	}
+	defer sshConn.Close()
+
+	s.logger.Info("SSH connection established",
+		"remote_addr", sshConn.RemoteAddr(),
+		"user", sshConn.User(),
+	)
+
+	go ssh.DiscardRequests(reqs)
+
+	for newChan := range chans {
+		if newChan.ChannelType() != "session" {
+			newChan.Reject(ssh.UnknownChannelType, "unknown channel type")
+			continue
+		}
+
+		channel, requests, err := newChan.Accept()
+		if err != nil {
+			s.logger.Error("channel accept error", "err", err)
+			return
+		}
+
+		go s.handleSession(channel, requests, sshConn)
+	}
+}
+
+func (s *Server) handleSession(channel ssh.Channel, requests <-chan *ssh.Request, conn *ssh.ServerConn) {
+	defer channel.Close()
+
+	// Handle session requests (pty-req, shell, etc.)
+	go func() {
+		for req := range requests {
+			switch req.Type {
+			case "pty-req", "shell":
+				if req.WantReply {
+					req.Reply(true, nil)
+				}
+			default:
+				if req.WantReply {
+					req.Reply(false, nil)
+				}
+			}
+		}
+	}()
+
+	// Write a fake banner.
+	fmt.Fprint(channel, "Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-89-generic x86_64)\r\n\r\n")
+	fmt.Fprintf(channel, "Last login: %s from 10.0.0.1\r\n", time.Now().Add(-2*time.Hour).Format("Mon Jan 2 15:04:05 2006"))
+	fmt.Fprintf(channel, "%s@ubuntu:~$ ", conn.User())
+
+	// Hold connection open until timeout or client disconnect.
+	timer := time.NewTimer(sessionTimeout)
+	defer timer.Stop()
+
+	done := make(chan struct{})
+	go func() {
+		buf := make([]byte, 256)
+		for {
+			_, err := channel.Read(buf)
+			if err != nil {
+				close(done)
+				return
+			}
+		}
+	}()
+
+	select {
+	case <-timer.C:
+		s.logger.Info("session timed out", "remote_addr", conn.RemoteAddr(), "user", conn.User())
+	case <-done:
+		s.logger.Info("session closed by client", "remote_addr", conn.RemoteAddr(), "user", conn.User())
+	}
+}
+
+func (s *Server) passwordCallback(conn ssh.ConnMetadata, password []byte) (*ssh.Permissions, error) {
+	ip := extractIP(conn.RemoteAddr())
+	d := s.authenticator.Authenticate(ip, conn.User(), string(password))
+
+	s.logger.Info("auth attempt",
+		"remote_addr", conn.RemoteAddr(),
+		"username", conn.User(),
+		"accepted", d.Accepted,
+		"reason", d.Reason,
+	)
+
+	if d.Accepted {
+		return nil, nil
+	}
+	return nil, fmt.Errorf("rejected")
+}
+
+func extractIP(addr net.Addr) string {
+	host, _, err := net.SplitHostPort(addr.String())
+	if err != nil {
+		// Might not have a port, try using the string directly.
+		return addr.String()
+	}
+	// Normalize IPv4-mapped IPv6 addresses.
+	ip := net.ParseIP(host)
+	if ip == nil {
+		return host
+	}
+	if v4 := ip.To4(); v4 != nil {
+		return v4.String()
+	}
+	return ip.String()
+}
+
+func loadOrGenerateHostKey(path string) (ssh.Signer, error) {
+	data, err := os.ReadFile(path)
+	if err == nil {
+		signer, err := ssh.ParsePrivateKey(data)
+		if err != nil {
+			return nil, fmt.Errorf("parsing host key: %w", err)
+		}
+		return signer, nil
+	}
+
+	if !errors.Is(err, os.ErrNotExist) {
+		return nil, fmt.Errorf("reading host key: %w", err)
+	}
+
+	// Generate new Ed25519 key.
+	_, priv, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		return nil, fmt.Errorf("generating key: %w", err)
+	}
+
+	privBytes, err := ssh.MarshalPrivateKey(priv, "")
+	if err != nil {
+		return nil, fmt.Errorf("marshaling key: %w", err)
+	}
+
+	pemData := pem.EncodeToMemory(privBytes)
+	if err := os.WriteFile(path, pemData, 0600); err != nil {
+		return nil, fmt.Errorf("writing host key: %w", err)
+	}
+
+	signer, err := ssh.ParsePrivateKey(pemData)
+	if err != nil {
+		return nil, fmt.Errorf("parsing generated key: %w", err)
+	}
+
+	slog.Info("generated new host key", "path", path)
+	return signer, nil
+}
+

internal/server/server_test.go

@@ -0,0 +1,219 @@
+package server
+
+import (
+	"context"
+	"log/slog"
+	"net"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"git.t-juice.club/torjus/oubliette/internal/config"
+	"golang.org/x/crypto/ssh"
+)
+
+type testAddr struct {
+	str     string
+	network string
+}
+
+func (a testAddr) Network() string { return a.network }
+func (a testAddr) String() string  { return a.str }
+
+func newAddr(s, network string) net.Addr {
+	return testAddr{str: s, network: network}
+}
+
+func TestHostKey_Generate(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "host_key")
+
+	signer, err := loadOrGenerateHostKey(path)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if signer == nil {
+		t.Fatal("signer is nil")
+	}
+
+	// File should exist with correct permissions.
+	info, err := os.Stat(path)
+	if err != nil {
+		t.Fatalf("stat host key: %v", err)
+	}
+	if perm := info.Mode().Perm(); perm != 0600 {
+		t.Errorf("permissions = %o, want 0600", perm)
+	}
+}
+
+func TestHostKey_Load(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "host_key")
+
+	// Generate first.
+	signer1, err := loadOrGenerateHostKey(path)
+	if err != nil {
+		t.Fatalf("generate: %v", err)
+	}
+
+	// Load existing.
+	signer2, err := loadOrGenerateHostKey(path)
+	if err != nil {
+		t.Fatalf("load: %v", err)
+	}
+
+	// Keys should be the same.
+	if string(signer1.PublicKey().Marshal()) != string(signer2.PublicKey().Marshal()) {
+		t.Error("loaded key differs from generated key")
+	}
+}
+
+func TestExtractIP(t *testing.T) {
+	tests := []struct {
+		addr string
+		want string
+	}{
+		{"192.168.1.1:22", "192.168.1.1"},
+		{"[::1]:22", "::1"},
+		{"[::ffff:192.168.1.1]:22", "192.168.1.1"},
+		{"10.0.0.1:12345", "10.0.0.1"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.addr, func(t *testing.T) {
+			addr := newAddr(tt.addr, "tcp")
+			got := extractIP(addr)
+			if got != tt.want {
+				t.Errorf("extractIP(%q) = %q, want %q", tt.addr, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestIntegrationSSHConnect(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration test")
+	}
+
+	tmpDir := t.TempDir()
+	cfg := config.Config{
+		SSH: config.SSHConfig{
+			ListenAddr:  "127.0.0.1:0",
+			HostKeyPath: filepath.Join(tmpDir, "host_key"),
+		},
+		Auth: config.AuthConfig{
+			AcceptAfter:       2,
+			CredentialTTLDuration: time.Hour,
+			StaticCredentials: []config.Credential{
+				{Username: "root", Password: "toor"},
+			},
+		},
+		LogLevel: "debug",
+	}
+
+	logger := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	srv, err := New(cfg, logger)
+	if err != nil {
+		t.Fatalf("creating server: %v", err)
+	}
+
+	// Use a listener to get the actual port.
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("listen: %v", err)
+	}
+	addr := listener.Addr().String()
+	listener.Close()
+
+	cfg.SSH.ListenAddr = addr
+	srv.cfg = cfg
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	errCh := make(chan error, 1)
+	go func() {
+		errCh <- srv.ListenAndServe(ctx)
+	}()
+
+	// Wait for server to be ready.
+	var conn net.Conn
+	for i := range 50 {
+		conn, err = net.DialTimeout("tcp", addr, 100*time.Millisecond)
+		if err == nil {
+			conn.Close()
+			break
+		}
+		if i == 49 {
+			t.Fatalf("server not ready after retries: %v", err)
+		}
+		time.Sleep(50 * time.Millisecond)
+	}
+
+	// Test static credential login.
+	t.Run("static_cred", func(t *testing.T) {
+		clientCfg := &ssh.ClientConfig{
+			User:            "root",
+			Auth:            []ssh.AuthMethod{ssh.Password("toor")},
+			HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+			Timeout:         5 * time.Second,
+		}
+
+		client, err := ssh.Dial("tcp", addr, clientCfg)
+		if err != nil {
+			t.Fatalf("SSH dial: %v", err)
+		}
+		defer client.Close()
+
+		session, err := client.NewSession()
+		if err != nil {
+			t.Fatalf("new session: %v", err)
+		}
+		defer session.Close()
+	})
+
+	// Test wrong password is rejected.
+	t.Run("wrong_password", func(t *testing.T) {
+		clientCfg := &ssh.ClientConfig{
+			User:            "root",
+			Auth:            []ssh.AuthMethod{ssh.Password("wrong")},
+			HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+			Timeout:         5 * time.Second,
+		}
+
+		_, err := ssh.Dial("tcp", addr, clientCfg)
+		if err == nil {
+			t.Fatal("expected error for wrong password")
+		}
+	})
+
+	// Test threshold acceptance: after enough failed dials, a subsequent
+	// dial with the same credentials should succeed via threshold or
+	// remembered credential.
+	t.Run("threshold", func(t *testing.T) {
+		clientCfg := &ssh.ClientConfig{
+			User:            "threshuser",
+			Auth:            []ssh.AuthMethod{ssh.Password("threshpass")},
+			HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+			Timeout:         5 * time.Second,
+		}
+
+		// Make several dials to accumulate failures past the threshold.
+		for range 5 {
+			c, err := ssh.Dial("tcp", addr, clientCfg)
+			if err == nil {
+				// Threshold reached, success!
+				c.Close()
+				return
+			}
+		}
+
+		// After enough failures the credential should be remembered.
+		client, err := ssh.Dial("tcp", addr, clientCfg)
+		if err != nil {
+			t.Fatalf("expected threshold/remembered acceptance after many attempts: %v", err)
+		}
+		client.Close()
+	})
+
+	cancel()
+}