Skip to content

Commit

Permalink
ssh: add test case against ssh CLI
Browse files Browse the repository at this point in the history
These tests try to ensure better compatibility of our server implementation
with the ssh CLI.

With these tests in place:

1) before merging CL 447757 we would have noticed that our server
   implementation was broken with OpenSSH 8.8+
2) after merging CL 447757 we would have noticed that our server
   implementation was broken with OpenSSH 7.2-7.7

The ssh CLI from $PATH is used by default, but can be overridden using
the SSH_CLI_PATH environment variable.

Change-Id: I93d64be41c7613132b0364afac8397f57c2dcbca
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/506837
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Benny Siegert <[email protected]>
Reviewed-by: Han-Wen Nienhuys <[email protected]>
Run-TryBot: Nicola Murino <[email protected]>
  • Loading branch information
drakkan authored and bsiegert committed Oct 24, 2023
1 parent 4f30245 commit cf8dcb0
Show file tree
Hide file tree
Showing 3 changed files with 200 additions and 0 deletions.
98 changes: 98 additions & 0 deletions ssh/test/server_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package test

import (
"net"

"golang.org/x/crypto/ssh"
)

type exitStatusMsg struct {
Status uint32
}

// goServer is a test Go SSH server that accepts public key and certificate
// authentication and replies with a 0 exit status to any exec request without
// running any commands.
type goTestServer struct {
listener net.Listener
config *ssh.ServerConfig
done <-chan struct{}
}

func newTestServer(config *ssh.ServerConfig) (*goTestServer, error) {
server := &goTestServer{
config: config,
}
listener, err := net.Listen("tcp", "127.0.0.1:")
if err != nil {
return nil, err
}
server.listener = listener
done := make(chan struct{}, 1)
server.done = done
go server.acceptConnections(done)

return server, nil
}

func (s *goTestServer) port() (string, error) {
_, port, err := net.SplitHostPort(s.listener.Addr().String())
return port, err
}

func (s *goTestServer) acceptConnections(done chan<- struct{}) {
defer close(done)

for {
c, err := s.listener.Accept()
if err != nil {
return
}
_, chans, reqs, err := ssh.NewServerConn(c, s.config)
if err != nil {
return
}
go ssh.DiscardRequests(reqs)
defer c.Close()

for newChannel := range chans {
if newChannel.ChannelType() != "session" {
newChannel.Reject(ssh.UnknownChannelType, "unknown channel type")
continue
}

channel, requests, err := newChannel.Accept()
if err != nil {
continue
}

go func(in <-chan *ssh.Request) {
for req := range in {
ok := false
switch req.Type {
case "exec":
ok = true
go func() {
channel.SendRequest("exit-status", false, ssh.Marshal(&exitStatusMsg{Status: 0}))
channel.Close()
}()
}
if req.WantReply {
req.Reply(ok, nil)
}
}
}(requests)
}
}
}

func (s *goTestServer) Close() error {
err := s.listener.Close()
// wait for the accept loop to exit
<-s.done
return err
}
96 changes: 96 additions & 0 deletions ssh/test/sshcli_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package test

import (
"bytes"
"fmt"
"os"
"os/exec"
"path/filepath"
"testing"

"golang.org/x/crypto/internal/testenv"
"golang.org/x/crypto/ssh"
"golang.org/x/crypto/ssh/testdata"
)

func sshClient(t *testing.T) string {
if testing.Short() {
t.Skip("Skipping test that executes OpenSSH in -short mode")
}
sshCLI := os.Getenv("SSH_CLI_PATH")
if sshCLI == "" {
sshCLI = "ssh"
}
var err error
sshCLI, err = exec.LookPath(sshCLI)
if err != nil {
t.Skipf("Can't find an ssh(1) client to test against: %v", err)
}
return sshCLI
}

func TestSSHCLIAuth(t *testing.T) {
sshCLI := sshClient(t)
dir := t.TempDir()
keyPrivPath := filepath.Join(dir, "rsa")

for fn, content := range map[string][]byte{
keyPrivPath: testdata.PEMBytes["rsa"],
keyPrivPath + ".pub": ssh.MarshalAuthorizedKey(testPublicKeys["rsa"]),
filepath.Join(dir, "rsa-cert.pub"): testdata.SSHCertificates["rsa-user-testcertificate"],
} {
if err := os.WriteFile(fn, content, 0600); err != nil {
t.Fatalf("WriteFile(%q): %v", fn, err)
}
}

certChecker := ssh.CertChecker{
IsUserAuthority: func(k ssh.PublicKey) bool {
return bytes.Equal(k.Marshal(), testPublicKeys["ca"].Marshal())
},
UserKeyFallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
if conn.User() == "testpubkey" && bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
return nil, nil
}

return nil, fmt.Errorf("pubkey for %q not acceptable", conn.User())
},
}

config := &ssh.ServerConfig{
PublicKeyCallback: certChecker.Authenticate,
}
config.AddHostKey(testSigners["rsa"])

server, err := newTestServer(config)
if err != nil {
t.Fatalf("unable to start test server: %v", err)
}
defer server.Close()

port, err := server.port()
if err != nil {
t.Fatalf("unable to get server port: %v", err)
}

// test public key authentication.
cmd := testenv.Command(t, sshCLI, "-vvv", "-i", keyPrivPath, "-o", "StrictHostKeyChecking=no",
"-p", port, "[email protected]", "true")
out, err := cmd.CombinedOutput()
if err != nil {
t.Fatalf("public key authentication failed, error: %v, command output %q", err, string(out))
}
// Test SSH user certificate authentication.
// The username must match one of the principals included in the certificate.
// The certificate "rsa-user-testcertificate" has "testcertificate" as principal.
cmd = testenv.Command(t, sshCLI, "-vvv", "-i", keyPrivPath, "-o", "StrictHostKeyChecking=no",
"-p", port, "[email protected]", "true")
out, err = cmd.CombinedOutput()
if err != nil {
t.Fatalf("user certificate authentication failed, error: %v, command output %q", err, string(out))
}
}
6 changes: 6 additions & 0 deletions ssh/testdata/keys.go
Original file line number Diff line number Diff line change
Expand Up @@ -195,6 +195,12 @@ var SSHCertificates = map[string][]byte{
"rsa-sha2-256": []byte(`[email protected] AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgOyK28gunJkM60qp4EbsYAjgbUsyjS8u742OLjipIgc0AAAADAQABAAAAgQC8A6FGHDiWCSREAXCq6yBfNVr0xCVG2CzvktFNRpue+RXrGs/2a6ySEJQb3IYquw7HlJgu6fg3WIWhOmHCjfpG0PrL4CRwbqQ2LaPPXhJErWYejcD8Di00cF3677+G10KMZk9RXbmHtuBFZT98wxg8j+ZsBMqGM1+7yrWUvynswQAAAAAAAAAAAAAAAgAAABRob3N0LmV4YW1wbGUuY29tLWtleQAAABQAAAAQaG9zdC5leGFtcGxlLmNvbQAAAABeSMJ4AAAAAHBPBLwAAAAAAAAAAAAAAAAAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQC+D11D0hEbn2Vglv4YRJ8pZNyHjIGmvth3DWOQrq++2vH2MujmGQDxfr4SVE9GpMBlKU3lwGbpgIBxAg6yZcNSfo6PWVU9ACg6NMFO+yMzc2MaG+/naQdNjSewywF5j2rkNO2XOaViRVSrZroe2B/aY2LTV0jDl8nu5NOjwRs1/s7SLe5z1rw/X0dpmXk0qJY3gQhmR8HZZ1dhEkJUGwaBCPd0T8asSYf1Ag2rUD4aQ28r3q69mbwfWOOa6rMemVZruUV5dzHwVNVNtVv+ImtnYtz8m8g+K0plaGptHn3KsaOnASkh3tujhaE7kvc4HR9Igli9+76jhZie3h/dTN5zAAABFAAAAAxyc2Etc2hhMi0yNTYAAAEAbG4De/+QiqopPS3O1H7ySeEUCY56qmdgr02sFErnihdXPDaWXUXxacvJHaEtLrSTSaPL/3v3iKvjLWDOHaQ5c+cN9J7Tqzso7RQCXZD2nK9bwCUyBoiDyBCRe8w4DQEtfL5okpVzQsSAiojQ8hBohMOpy3gFfXrdm4PVC1ZKqlZh4fAc7ajieRq/Tpq2xOLdHwxkcgPNR83WVHva6K9/xjev/5n227/gkHo0qbGs8YYDOFXIEhENi+B23IzxdNVieWdyQpYpe0C2i95Jhyo0wJmaFY2ArruTS+D1jGQQpMPvAQRy26/A5hI83GLhpwyhrN/M8wCxzAhyPL6Ieuh5tQ== host.example.com
`),
"rsa-sha2-512": []byte(`[email protected] AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgFGv4IpXfs4L/Y0b3rmUdPFhWoUrVnXuPxXr6aHGs7wgAAAADAQABAAAAgQC8A6FGHDiWCSREAXCq6yBfNVr0xCVG2CzvktFNRpue+RXrGs/2a6ySEJQb3IYquw7HlJgu6fg3WIWhOmHCjfpG0PrL4CRwbqQ2LaPPXhJErWYejcD8Di00cF3677+G10KMZk9RXbmHtuBFZT98wxg8j+ZsBMqGM1+7yrWUvynswQAAAAAAAAAAAAAAAgAAABRob3N0LmV4YW1wbGUuY29tLWtleQAAABQAAAAQaG9zdC5leGFtcGxlLmNvbQAAAABeSMRYAAAAAHBPBp4AAAAAAAAAAAAAAAAAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQC+D11D0hEbn2Vglv4YRJ8pZNyHjIGmvth3DWOQrq++2vH2MujmGQDxfr4SVE9GpMBlKU3lwGbpgIBxAg6yZcNSfo6PWVU9ACg6NMFO+yMzc2MaG+/naQdNjSewywF5j2rkNO2XOaViRVSrZroe2B/aY2LTV0jDl8nu5NOjwRs1/s7SLe5z1rw/X0dpmXk0qJY3gQhmR8HZZ1dhEkJUGwaBCPd0T8asSYf1Ag2rUD4aQ28r3q69mbwfWOOa6rMemVZruUV5dzHwVNVNtVv+ImtnYtz8m8g+K0plaGptHn3KsaOnASkh3tujhaE7kvc4HR9Igli9+76jhZie3h/dTN5zAAABFAAAAAxyc2Etc2hhMi01MTIAAAEAnF4fVj6mm+UFeNCIf9AKJCv9WzymjjPvzzmaMWWkPWqoV0P0m5SiYfvbY9SbA73Blpv8SOr0DmpublF183kodREia4KyVuC8hLhSCV2Y16hy9MBegOZMepn80w+apj7Rn9QCz5OfEakDdztp6OWTBtqxnZFcTQ4XrgFkNWeWRElGdEvAVNn2WHwHi4EIdz0mdv48Imv5SPlOuW862ZdFG4Do1dUfDIiGsBofLlgcyIYlf+eNHul6sBeUkuwFxisMpI5DQzNp8PX1g/QJA2wzwT674PTqDXNttKjyh50Fdr4sXxm9Gz1+jVLoESvFNa55ERdSyAqNu4wTy11MZsWwSA== host.example.com
`),
// Assumes "ca" key above in file named "ca", sign a user cert for "rsa.pub"
// using "testcertificate" as principal:
//
// ssh-keygen -s ca -I username -n testcertificate rsa.pub
"rsa-user-testcertificate": []byte(`[email protected] AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgr0MnhSf+KkQWEQmweJOGsJfOrUt80pQZDaI9YiwSfDUAAAADAQABAAAAgQC8A6FGHDiWCSREAXCq6yBfNVr0xCVG2CzvktFNRpue+RXrGs/2a6ySEJQb3IYquw7HlJgu6fg3WIWhOmHCjfpG0PrL4CRwbqQ2LaPPXhJErWYejcD8Di00cF3677+G10KMZk9RXbmHtuBFZT98wxg8j+ZsBMqGM1+7yrWUvynswQAAAAAAAAAAAAAAAQAAAAh1c2VybmFtZQAAABMAAAAPdGVzdGNlcnRpZmljYXRlAAAAAAAAAAD//////////wAAAAAAAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQC+D11D0hEbn2Vglv4YRJ8pZNyHjIGmvth3DWOQrq++2vH2MujmGQDxfr4SVE9GpMBlKU3lwGbpgIBxAg6yZcNSfo6PWVU9ACg6NMFO+yMzc2MaG+/naQdNjSewywF5j2rkNO2XOaViRVSrZroe2B/aY2LTV0jDl8nu5NOjwRs1/s7SLe5z1rw/X0dpmXk0qJY3gQhmR8HZZ1dhEkJUGwaBCPd0T8asSYf1Ag2rUD4aQ28r3q69mbwfWOOa6rMemVZruUV5dzHwVNVNtVv+ImtnYtz8m8g+K0plaGptHn3KsaOnASkh3tujhaE7kvc4HR9Igli9+76jhZie3h/dTN5zAAABFAAAAAxyc2Etc2hhMi01MTIAAAEAFuA+67KvnlmcodIp0Lv4mR9UW/CHghAaN1csBJTkI8mx3wXKyIPTsS2uXboEhWD0a7S9gps2SEwC5m6E3kV2Rzg7aH1S03GZqMvVlK2VHe7fzuoW2yOKk6yEPjeTF0pKCFbUQ6mce8pRpD/zdvjG0Z287XM3c3Axlrn7qq7TS0MDTjEZ/dsUNFHxep3co/HuAsWVWPVDItr/FPnvZ6WVH1yc8N/AJn0gLHobkGgug22vI9rNIge1wrnXxU9BUSouzkau/PQsrCQapnn+I1H7HaQt0wdk45nxMP+ags+HRI9qpX/p8WDn6+zpqYqN/nfw2aoytyaJqhsV32Teuqtrgg== rsa.pub
`),
}

Expand Down

0 comments on commit cf8dcb0

Please sign in to comment.