-
Notifications
You must be signed in to change notification settings - Fork 2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
These tests try to ensure better compatibility of our server implementation with the ssh CLI. With these tests in place: 1) before merging CL 447757 we would have noticed that our server implementation was broken with OpenSSH 8.8+ 2) after merging CL 447757 we would have noticed that our server implementation was broken with OpenSSH 7.2-7.7 The ssh CLI from $PATH is used by default, but can be overridden using the SSH_CLI_PATH environment variable. Change-Id: I93d64be41c7613132b0364afac8397f57c2dcbca Reviewed-on: https://go-review.googlesource.com/c/crypto/+/506837 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Benny Siegert <bsiegert@gmail.com> Reviewed-by: Han-Wen Nienhuys <hanwen@google.com> Run-TryBot: Nicola Murino <nicola.murino@gmail.com>
- Loading branch information
Showing
3 changed files
with
200 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,98 @@ | ||
// Copyright 2023 The Go Authors. All rights reserved. | ||
// Use of this source code is governed by a BSD-style | ||
// license that can be found in the LICENSE file. | ||
|
||
package test | ||
|
||
import ( | ||
"net" | ||
|
||
"golang.org/x/crypto/ssh" | ||
) | ||
|
||
type exitStatusMsg struct { | ||
Status uint32 | ||
} | ||
|
||
// goServer is a test Go SSH server that accepts public key and certificate | ||
// authentication and replies with a 0 exit status to any exec request without | ||
// running any commands. | ||
type goTestServer struct { | ||
listener net.Listener | ||
config *ssh.ServerConfig | ||
done <-chan struct{} | ||
} | ||
|
||
func newTestServer(config *ssh.ServerConfig) (*goTestServer, error) { | ||
server := &goTestServer{ | ||
config: config, | ||
} | ||
listener, err := net.Listen("tcp", "127.0.0.1:") | ||
if err != nil { | ||
return nil, err | ||
} | ||
server.listener = listener | ||
done := make(chan struct{}, 1) | ||
server.done = done | ||
go server.acceptConnections(done) | ||
|
||
return server, nil | ||
} | ||
|
||
func (s *goTestServer) port() (string, error) { | ||
_, port, err := net.SplitHostPort(s.listener.Addr().String()) | ||
return port, err | ||
} | ||
|
||
func (s *goTestServer) acceptConnections(done chan<- struct{}) { | ||
defer close(done) | ||
|
||
for { | ||
c, err := s.listener.Accept() | ||
if err != nil { | ||
return | ||
} | ||
_, chans, reqs, err := ssh.NewServerConn(c, s.config) | ||
if err != nil { | ||
return | ||
} | ||
go ssh.DiscardRequests(reqs) | ||
defer c.Close() | ||
|
||
for newChannel := range chans { | ||
if newChannel.ChannelType() != "session" { | ||
newChannel.Reject(ssh.UnknownChannelType, "unknown channel type") | ||
continue | ||
} | ||
|
||
channel, requests, err := newChannel.Accept() | ||
if err != nil { | ||
continue | ||
} | ||
|
||
go func(in <-chan *ssh.Request) { | ||
for req := range in { | ||
ok := false | ||
switch req.Type { | ||
case "exec": | ||
ok = true | ||
go func() { | ||
channel.SendRequest("exit-status", false, ssh.Marshal(&exitStatusMsg{Status: 0})) | ||
channel.Close() | ||
}() | ||
} | ||
if req.WantReply { | ||
req.Reply(ok, nil) | ||
} | ||
} | ||
}(requests) | ||
} | ||
} | ||
} | ||
|
||
func (s *goTestServer) Close() error { | ||
err := s.listener.Close() | ||
// wait for the accept loop to exit | ||
<-s.done | ||
return err | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,96 @@ | ||
// Copyright 2023 The Go Authors. All rights reserved. | ||
// Use of this source code is governed by a BSD-style | ||
// license that can be found in the LICENSE file. | ||
|
||
package test | ||
|
||
import ( | ||
"bytes" | ||
"fmt" | ||
"os" | ||
"os/exec" | ||
"path/filepath" | ||
"testing" | ||
|
||
"golang.org/x/crypto/internal/testenv" | ||
"golang.org/x/crypto/ssh" | ||
"golang.org/x/crypto/ssh/testdata" | ||
) | ||
|
||
func sshClient(t *testing.T) string { | ||
if testing.Short() { | ||
t.Skip("Skipping test that executes OpenSSH in -short mode") | ||
} | ||
sshCLI := os.Getenv("SSH_CLI_PATH") | ||
if sshCLI == "" { | ||
sshCLI = "ssh" | ||
} | ||
var err error | ||
sshCLI, err = exec.LookPath(sshCLI) | ||
if err != nil { | ||
t.Skipf("Can't find an ssh(1) client to test against: %v", err) | ||
} | ||
return sshCLI | ||
} | ||
|
||
func TestSSHCLIAuth(t *testing.T) { | ||
sshCLI := sshClient(t) | ||
dir := t.TempDir() | ||
keyPrivPath := filepath.Join(dir, "rsa") | ||
|
||
for fn, content := range map[string][]byte{ | ||
keyPrivPath: testdata.PEMBytes["rsa"], | ||
keyPrivPath + ".pub": ssh.MarshalAuthorizedKey(testPublicKeys["rsa"]), | ||
filepath.Join(dir, "rsa-cert.pub"): testdata.SSHCertificates["rsa-user-testcertificate"], | ||
} { | ||
if err := os.WriteFile(fn, content, 0600); err != nil { | ||
t.Fatalf("WriteFile(%q): %v", fn, err) | ||
} | ||
} | ||
|
||
certChecker := ssh.CertChecker{ | ||
IsUserAuthority: func(k ssh.PublicKey) bool { | ||
return bytes.Equal(k.Marshal(), testPublicKeys["ca"].Marshal()) | ||
}, | ||
UserKeyFallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) { | ||
if conn.User() == "testpubkey" && bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) { | ||
return nil, nil | ||
} | ||
|
||
return nil, fmt.Errorf("pubkey for %q not acceptable", conn.User()) | ||
}, | ||
} | ||
|
||
config := &ssh.ServerConfig{ | ||
PublicKeyCallback: certChecker.Authenticate, | ||
} | ||
config.AddHostKey(testSigners["rsa"]) | ||
|
||
server, err := newTestServer(config) | ||
if err != nil { | ||
t.Fatalf("unable to start test server: %v", err) | ||
} | ||
defer server.Close() | ||
|
||
port, err := server.port() | ||
if err != nil { | ||
t.Fatalf("unable to get server port: %v", err) | ||
} | ||
|
||
// test public key authentication. | ||
cmd := testenv.Command(t, sshCLI, "-vvv", "-i", keyPrivPath, "-o", "StrictHostKeyChecking=no", | ||
"-p", port, "testpubkey@127.0.0.1", "true") | ||
out, err := cmd.CombinedOutput() | ||
if err != nil { | ||
t.Fatalf("public key authentication failed, error: %v, command output %q", err, string(out)) | ||
} | ||
// Test SSH user certificate authentication. | ||
// The username must match one of the principals included in the certificate. | ||
// The certificate "rsa-user-testcertificate" has "testcertificate" as principal. | ||
cmd = testenv.Command(t, sshCLI, "-vvv", "-i", keyPrivPath, "-o", "StrictHostKeyChecking=no", | ||
"-p", port, "testcertificate@127.0.0.1", "true") | ||
out, err = cmd.CombinedOutput() | ||
if err != nil { | ||
t.Fatalf("user certificate authentication failed, error: %v, command output %q", err, string(out)) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters