| // Copyright 2011 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| package ssh |
| |
| import ( |
| "bytes" |
| "crypto/rand" |
| "errors" |
| "fmt" |
| "io" |
| "log" |
| "net" |
| "os" |
| "runtime" |
| "strings" |
| "testing" |
| ) |
| |
| type keyboardInteractive map[string]string |
| |
| func (cr keyboardInteractive) Challenge(user string, instruction string, questions []string, echos []bool) ([]string, error) { |
| var answers []string |
| for _, q := range questions { |
| answers = append(answers, cr[q]) |
| } |
| return answers, nil |
| } |
| |
| // reused internally by tests |
| var clientPassword = "tiger" |
| |
| // tryAuth runs a handshake with a given config against an SSH server |
| // with config serverConfig. Returns both client and server side errors. |
| func tryAuth(t *testing.T, config *ClientConfig) error { |
| err, _ := tryAuthBothSides(t, config, nil) |
| return err |
| } |
| |
| // tryAuth runs a handshake with a given config against an SSH server |
| // with a given GSSAPIWithMICConfig and config serverConfig. Returns both client and server side errors. |
| func tryAuthWithGSSAPIWithMICConfig(t *testing.T, clientConfig *ClientConfig, gssAPIWithMICConfig *GSSAPIWithMICConfig) error { |
| err, _ := tryAuthBothSides(t, clientConfig, gssAPIWithMICConfig) |
| return err |
| } |
| |
| // tryAuthBothSides runs the handshake and returns the resulting errors from both sides of the connection. |
| func tryAuthBothSides(t *testing.T, config *ClientConfig, gssAPIWithMICConfig *GSSAPIWithMICConfig) (clientError error, serverAuthErrors []error) { |
| c1, c2, err := netPipe() |
| if err != nil { |
| t.Fatalf("netPipe: %v", err) |
| } |
| defer c1.Close() |
| defer c2.Close() |
| |
| certChecker := CertChecker{ |
| IsUserAuthority: func(k PublicKey) bool { |
| return bytes.Equal(k.Marshal(), testPublicKeys["ecdsa"].Marshal()) |
| }, |
| UserKeyFallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) { |
| if conn.User() == "testuser" && bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) { |
| return nil, nil |
| } |
| |
| return nil, fmt.Errorf("pubkey for %q not acceptable", conn.User()) |
| }, |
| IsRevoked: func(c *Certificate) bool { |
| return c.Serial == 666 |
| }, |
| } |
| serverConfig := &ServerConfig{ |
| PasswordCallback: func(conn ConnMetadata, pass []byte) (*Permissions, error) { |
| if conn.User() == "testuser" && string(pass) == clientPassword { |
| return nil, nil |
| } |
| return nil, errors.New("password auth failed") |
| }, |
| PublicKeyCallback: certChecker.Authenticate, |
| KeyboardInteractiveCallback: func(conn ConnMetadata, challenge KeyboardInteractiveChallenge) (*Permissions, error) { |
| ans, err := challenge("user", |
| "instruction", |
| []string{"question1", "question2"}, |
| []bool{true, true}) |
| if err != nil { |
| return nil, err |
| } |
| ok := conn.User() == "testuser" && ans[0] == "answer1" && ans[1] == "answer2" |
| if ok { |
| challenge("user", "motd", nil, nil) |
| return nil, nil |
| } |
| return nil, errors.New("keyboard-interactive failed") |
| }, |
| GSSAPIWithMICConfig: gssAPIWithMICConfig, |
| } |
| serverConfig.AddHostKey(testSigners["rsa"]) |
| |
| serverConfig.AuthLogCallback = func(conn ConnMetadata, method string, err error) { |
| serverAuthErrors = append(serverAuthErrors, err) |
| } |
| |
| go newServer(c1, serverConfig) |
| _, _, _, err = NewClientConn(c2, "", config) |
| return err, serverAuthErrors |
| } |
| |
| type loggingAlgorithmSigner struct { |
| used []string |
| AlgorithmSigner |
| } |
| |
| func (l *loggingAlgorithmSigner) Sign(rand io.Reader, data []byte) (*Signature, error) { |
| l.used = append(l.used, "[Sign]") |
| return l.AlgorithmSigner.Sign(rand, data) |
| } |
| |
| func (l *loggingAlgorithmSigner) SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*Signature, error) { |
| l.used = append(l.used, algorithm) |
| return l.AlgorithmSigner.SignWithAlgorithm(rand, data, algorithm) |
| } |
| |
| func TestClientAuthPublicKey(t *testing.T) { |
| signer := &loggingAlgorithmSigner{AlgorithmSigner: testSigners["rsa"].(AlgorithmSigner)} |
| config := &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| PublicKeys(signer), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| if err := tryAuth(t, config); err != nil { |
| t.Fatalf("unable to dial remote side: %s", err) |
| } |
| if len(signer.used) != 1 || signer.used[0] != KeyAlgoRSASHA256 { |
| t.Errorf("unexpected Sign/SignWithAlgorithm calls: %q", signer.used) |
| } |
| } |
| |
| // TestClientAuthNoSHA2 tests a ssh-rsa Signer that doesn't implement AlgorithmSigner. |
| func TestClientAuthNoSHA2(t *testing.T) { |
| config := &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| PublicKeys(&legacyRSASigner{testSigners["rsa"]}), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| if err := tryAuth(t, config); err != nil { |
| t.Fatalf("unable to dial remote side: %s", err) |
| } |
| } |
| |
| // TestClientAuthThirdKey checks that the third configured can succeed. If we |
| // were to do three attempts for each key (rsa-sha2-256, rsa-sha2-512, ssh-rsa), |
| // we'd hit the six maximum attempts before reaching it. |
| func TestClientAuthThirdKey(t *testing.T) { |
| config := &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| PublicKeys(testSigners["rsa-openssh-format"], |
| testSigners["rsa-openssh-format"], testSigners["rsa"]), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| if err := tryAuth(t, config); err != nil { |
| t.Fatalf("unable to dial remote side: %s", err) |
| } |
| } |
| |
| func TestAuthMethodPassword(t *testing.T) { |
| config := &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| Password(clientPassword), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| |
| if err := tryAuth(t, config); err != nil { |
| t.Fatalf("unable to dial remote side: %s", err) |
| } |
| } |
| |
| func TestAuthMethodFallback(t *testing.T) { |
| var passwordCalled bool |
| config := &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| PublicKeys(testSigners["rsa"]), |
| PasswordCallback( |
| func() (string, error) { |
| passwordCalled = true |
| return "WRONG", nil |
| }), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| |
| if err := tryAuth(t, config); err != nil { |
| t.Fatalf("unable to dial remote side: %s", err) |
| } |
| |
| if passwordCalled { |
| t.Errorf("password auth tried before public-key auth.") |
| } |
| } |
| |
| func TestAuthMethodWrongPassword(t *testing.T) { |
| config := &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| Password("wrong"), |
| PublicKeys(testSigners["rsa"]), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| |
| if err := tryAuth(t, config); err != nil { |
| t.Fatalf("unable to dial remote side: %s", err) |
| } |
| } |
| |
| func TestAuthMethodKeyboardInteractive(t *testing.T) { |
| answers := keyboardInteractive(map[string]string{ |
| "question1": "answer1", |
| "question2": "answer2", |
| }) |
| config := &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| KeyboardInteractive(answers.Challenge), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| |
| if err := tryAuth(t, config); err != nil { |
| t.Fatalf("unable to dial remote side: %s", err) |
| } |
| } |
| |
| func TestAuthMethodWrongKeyboardInteractive(t *testing.T) { |
| answers := keyboardInteractive(map[string]string{ |
| "question1": "answer1", |
| "question2": "WRONG", |
| }) |
| config := &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| KeyboardInteractive(answers.Challenge), |
| }, |
| } |
| |
| if err := tryAuth(t, config); err == nil { |
| t.Fatalf("wrong answers should not have authenticated with KeyboardInteractive") |
| } |
| } |
| |
| // the mock server will only authenticate ssh-rsa keys |
| func TestAuthMethodInvalidPublicKey(t *testing.T) { |
| config := &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| PublicKeys(testSigners["dsa"]), |
| }, |
| } |
| |
| if err := tryAuth(t, config); err == nil { |
| t.Fatalf("dsa private key should not have authenticated with rsa public key") |
| } |
| } |
| |
| // the client should authenticate with the second key |
| func TestAuthMethodRSAandDSA(t *testing.T) { |
| config := &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| PublicKeys(testSigners["dsa"], testSigners["rsa"]), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| if err := tryAuth(t, config); err != nil { |
| t.Fatalf("client could not authenticate with rsa key: %v", err) |
| } |
| } |
| |
| type invalidAlgSigner struct { |
| Signer |
| } |
| |
| func (s *invalidAlgSigner) Sign(rand io.Reader, data []byte) (*Signature, error) { |
| sig, err := s.Signer.Sign(rand, data) |
| if sig != nil { |
| sig.Format = "invalid" |
| } |
| return sig, err |
| } |
| |
| func TestMethodInvalidAlgorithm(t *testing.T) { |
| config := &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| PublicKeys(&invalidAlgSigner{testSigners["rsa"]}), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| |
| err, serverErrors := tryAuthBothSides(t, config, nil) |
| if err == nil { |
| t.Fatalf("login succeeded") |
| } |
| |
| found := false |
| want := "algorithm \"invalid\"" |
| |
| var errStrings []string |
| for _, err := range serverErrors { |
| found = found || (err != nil && strings.Contains(err.Error(), want)) |
| errStrings = append(errStrings, err.Error()) |
| } |
| if !found { |
| t.Errorf("server got error %q, want substring %q", errStrings, want) |
| } |
| } |
| |
| func TestClientHMAC(t *testing.T) { |
| for _, mac := range supportedMACs { |
| config := &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| PublicKeys(testSigners["rsa"]), |
| }, |
| Config: Config{ |
| MACs: []string{mac}, |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| if err := tryAuth(t, config); err != nil { |
| t.Fatalf("client could not authenticate with mac algo %s: %v", mac, err) |
| } |
| } |
| } |
| |
| // issue 4285. |
| func TestClientUnsupportedCipher(t *testing.T) { |
| config := &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| PublicKeys(), |
| }, |
| Config: Config{ |
| Ciphers: []string{"aes128-cbc"}, // not currently supported |
| }, |
| } |
| if err := tryAuth(t, config); err == nil { |
| t.Errorf("expected no ciphers in common") |
| } |
| } |
| |
| func TestClientUnsupportedKex(t *testing.T) { |
| if os.Getenv("GO_BUILDER_NAME") != "" { |
| t.Skip("skipping known-flaky test on the Go build dashboard; see golang.org/issue/15198") |
| } |
| config := &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| PublicKeys(), |
| }, |
| Config: Config{ |
| KeyExchanges: []string{"non-existent-kex"}, |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| if err := tryAuth(t, config); err == nil || !strings.Contains(err.Error(), "common algorithm") { |
| t.Errorf("got %v, expected 'common algorithm'", err) |
| } |
| } |
| |
| func TestClientLoginCert(t *testing.T) { |
| cert := &Certificate{ |
| Key: testPublicKeys["rsa"], |
| ValidBefore: CertTimeInfinity, |
| CertType: UserCert, |
| } |
| cert.SignCert(rand.Reader, testSigners["ecdsa"]) |
| certSigner, err := NewCertSigner(cert, testSigners["rsa"]) |
| if err != nil { |
| t.Fatalf("NewCertSigner: %v", err) |
| } |
| |
| clientConfig := &ClientConfig{ |
| User: "user", |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| clientConfig.Auth = append(clientConfig.Auth, PublicKeys(certSigner)) |
| |
| // should succeed |
| if err := tryAuth(t, clientConfig); err != nil { |
| t.Errorf("cert login failed: %v", err) |
| } |
| |
| // corrupted signature |
| cert.Signature.Blob[0]++ |
| if err := tryAuth(t, clientConfig); err == nil { |
| t.Errorf("cert login passed with corrupted sig") |
| } |
| |
| // revoked |
| cert.Serial = 666 |
| cert.SignCert(rand.Reader, testSigners["ecdsa"]) |
| if err := tryAuth(t, clientConfig); err == nil { |
| t.Errorf("revoked cert login succeeded") |
| } |
| cert.Serial = 1 |
| |
| // sign with wrong key |
| cert.SignCert(rand.Reader, testSigners["dsa"]) |
| if err := tryAuth(t, clientConfig); err == nil { |
| t.Errorf("cert login passed with non-authoritative key") |
| } |
| |
| // host cert |
| cert.CertType = HostCert |
| cert.SignCert(rand.Reader, testSigners["ecdsa"]) |
| if err := tryAuth(t, clientConfig); err == nil { |
| t.Errorf("cert login passed with wrong type") |
| } |
| cert.CertType = UserCert |
| |
| // principal specified |
| cert.ValidPrincipals = []string{"user"} |
| cert.SignCert(rand.Reader, testSigners["ecdsa"]) |
| if err := tryAuth(t, clientConfig); err != nil { |
| t.Errorf("cert login failed: %v", err) |
| } |
| |
| // wrong principal specified |
| cert.ValidPrincipals = []string{"fred"} |
| cert.SignCert(rand.Reader, testSigners["ecdsa"]) |
| if err := tryAuth(t, clientConfig); err == nil { |
| t.Errorf("cert login passed with wrong principal") |
| } |
| cert.ValidPrincipals = nil |
| |
| // added critical option |
| cert.CriticalOptions = map[string]string{"root-access": "yes"} |
| cert.SignCert(rand.Reader, testSigners["ecdsa"]) |
| if err := tryAuth(t, clientConfig); err == nil { |
| t.Errorf("cert login passed with unrecognized critical option") |
| } |
| |
| // allowed source address |
| cert.CriticalOptions = map[string]string{"source-address": "127.0.0.42/24,::42/120"} |
| cert.SignCert(rand.Reader, testSigners["ecdsa"]) |
| if err := tryAuth(t, clientConfig); err != nil { |
| t.Errorf("cert login with source-address failed: %v", err) |
| } |
| |
| // disallowed source address |
| cert.CriticalOptions = map[string]string{"source-address": "127.0.0.42,::42"} |
| cert.SignCert(rand.Reader, testSigners["ecdsa"]) |
| if err := tryAuth(t, clientConfig); err == nil { |
| t.Errorf("cert login with source-address succeeded") |
| } |
| } |
| |
| func testPermissionsPassing(withPermissions bool, t *testing.T) { |
| serverConfig := &ServerConfig{ |
| PublicKeyCallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) { |
| if conn.User() == "nopermissions" { |
| return nil, nil |
| } |
| return &Permissions{}, nil |
| }, |
| } |
| serverConfig.AddHostKey(testSigners["rsa"]) |
| |
| clientConfig := &ClientConfig{ |
| Auth: []AuthMethod{ |
| PublicKeys(testSigners["rsa"]), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| if withPermissions { |
| clientConfig.User = "permissions" |
| } else { |
| clientConfig.User = "nopermissions" |
| } |
| |
| c1, c2, err := netPipe() |
| if err != nil { |
| t.Fatalf("netPipe: %v", err) |
| } |
| defer c1.Close() |
| defer c2.Close() |
| |
| go NewClientConn(c2, "", clientConfig) |
| serverConn, err := newServer(c1, serverConfig) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if p := serverConn.Permissions; (p != nil) != withPermissions { |
| t.Fatalf("withPermissions is %t, but Permissions object is %#v", withPermissions, p) |
| } |
| } |
| |
| func TestPermissionsPassing(t *testing.T) { |
| testPermissionsPassing(true, t) |
| } |
| |
| func TestNoPermissionsPassing(t *testing.T) { |
| testPermissionsPassing(false, t) |
| } |
| |
| func TestRetryableAuth(t *testing.T) { |
| n := 0 |
| passwords := []string{"WRONG1", "WRONG2"} |
| |
| config := &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| RetryableAuthMethod(PasswordCallback(func() (string, error) { |
| p := passwords[n] |
| n++ |
| return p, nil |
| }), 2), |
| PublicKeys(testSigners["rsa"]), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| |
| if err := tryAuth(t, config); err != nil { |
| t.Fatalf("unable to dial remote side: %s", err) |
| } |
| if n != 2 { |
| t.Fatalf("Did not try all passwords") |
| } |
| } |
| |
| func ExampleRetryableAuthMethod() { |
| user := "testuser" |
| NumberOfPrompts := 3 |
| |
| // Normally this would be a callback that prompts the user to answer the |
| // provided questions |
| Cb := func(user, instruction string, questions []string, echos []bool) (answers []string, err error) { |
| return []string{"answer1", "answer2"}, nil |
| } |
| |
| config := &ClientConfig{ |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| User: user, |
| Auth: []AuthMethod{ |
| RetryableAuthMethod(KeyboardInteractiveChallenge(Cb), NumberOfPrompts), |
| }, |
| } |
| |
| host := "mysshserver" |
| netConn, err := net.Dial("tcp", host) |
| if err != nil { |
| log.Fatal(err) |
| } |
| |
| sshConn, _, _, err := NewClientConn(netConn, host, config) |
| if err != nil { |
| log.Fatal(err) |
| } |
| _ = sshConn |
| } |
| |
| // Test if username is received on server side when NoClientAuth is used |
| func TestClientAuthNone(t *testing.T) { |
| user := "testuser" |
| serverConfig := &ServerConfig{ |
| NoClientAuth: true, |
| } |
| serverConfig.AddHostKey(testSigners["rsa"]) |
| |
| clientConfig := &ClientConfig{ |
| User: user, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| |
| c1, c2, err := netPipe() |
| if err != nil { |
| t.Fatalf("netPipe: %v", err) |
| } |
| defer c1.Close() |
| defer c2.Close() |
| |
| go NewClientConn(c2, "", clientConfig) |
| serverConn, err := newServer(c1, serverConfig) |
| if err != nil { |
| t.Fatalf("newServer: %v", err) |
| } |
| if serverConn.User() != user { |
| t.Fatalf("server: got %q, want %q", serverConn.User(), user) |
| } |
| } |
| |
| // Test if authentication attempts are limited on server when MaxAuthTries is set |
| func TestClientAuthMaxAuthTries(t *testing.T) { |
| user := "testuser" |
| |
| serverConfig := &ServerConfig{ |
| MaxAuthTries: 2, |
| PasswordCallback: func(conn ConnMetadata, pass []byte) (*Permissions, error) { |
| if conn.User() == "testuser" && string(pass) == "right" { |
| return nil, nil |
| } |
| return nil, errors.New("password auth failed") |
| }, |
| } |
| serverConfig.AddHostKey(testSigners["rsa"]) |
| |
| expectedErr := fmt.Errorf("ssh: handshake failed: %v", &disconnectMsg{ |
| Reason: 2, |
| Message: "too many authentication failures", |
| }) |
| |
| for tries := 2; tries < 4; tries++ { |
| n := tries |
| clientConfig := &ClientConfig{ |
| User: user, |
| Auth: []AuthMethod{ |
| RetryableAuthMethod(PasswordCallback(func() (string, error) { |
| n-- |
| if n == 0 { |
| return "right", nil |
| } |
| return "wrong", nil |
| }), tries), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| |
| c1, c2, err := netPipe() |
| if err != nil { |
| t.Fatalf("netPipe: %v", err) |
| } |
| defer c1.Close() |
| defer c2.Close() |
| |
| go newServer(c1, serverConfig) |
| _, _, _, err = NewClientConn(c2, "", clientConfig) |
| if tries > 2 { |
| if err == nil { |
| t.Fatalf("client: got no error, want %s", expectedErr) |
| } else if err.Error() != expectedErr.Error() { |
| t.Fatalf("client: got %s, want %s", err, expectedErr) |
| } |
| } else { |
| if err != nil { |
| t.Fatalf("client: got %s, want no error", err) |
| } |
| } |
| } |
| } |
| |
| // Test if authentication attempts are correctly limited on server |
| // when more public keys are provided then MaxAuthTries |
| func TestClientAuthMaxAuthTriesPublicKey(t *testing.T) { |
| signers := []Signer{} |
| for i := 0; i < 6; i++ { |
| signers = append(signers, testSigners["dsa"]) |
| } |
| |
| validConfig := &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| PublicKeys(append([]Signer{testSigners["rsa"]}, signers...)...), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| if err := tryAuth(t, validConfig); err != nil { |
| t.Fatalf("unable to dial remote side: %s", err) |
| } |
| |
| expectedErr := fmt.Errorf("ssh: handshake failed: %v", &disconnectMsg{ |
| Reason: 2, |
| Message: "too many authentication failures", |
| }) |
| invalidConfig := &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| PublicKeys(append(signers, testSigners["rsa"])...), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| if err := tryAuth(t, invalidConfig); err == nil { |
| t.Fatalf("client: got no error, want %s", expectedErr) |
| } else if err.Error() != expectedErr.Error() { |
| // On Windows we can see a WSAECONNABORTED error |
| // if the client writes another authentication request |
| // before the client goroutine reads the disconnection |
| // message. See issue 50805. |
| if runtime.GOOS == "windows" && strings.Contains(err.Error(), "wsarecv: An established connection was aborted") { |
| // OK. |
| } else { |
| t.Fatalf("client: got %s, want %s", err, expectedErr) |
| } |
| } |
| } |
| |
| // Test whether authentication errors are being properly logged if all |
| // authentication methods have been exhausted |
| func TestClientAuthErrorList(t *testing.T) { |
| publicKeyErr := errors.New("This is an error from PublicKeyCallback") |
| |
| clientConfig := &ClientConfig{ |
| Auth: []AuthMethod{ |
| PublicKeys(testSigners["rsa"]), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| } |
| serverConfig := &ServerConfig{ |
| PublicKeyCallback: func(_ ConnMetadata, _ PublicKey) (*Permissions, error) { |
| return nil, publicKeyErr |
| }, |
| } |
| serverConfig.AddHostKey(testSigners["rsa"]) |
| |
| c1, c2, err := netPipe() |
| if err != nil { |
| t.Fatalf("netPipe: %v", err) |
| } |
| defer c1.Close() |
| defer c2.Close() |
| |
| go NewClientConn(c2, "", clientConfig) |
| _, err = newServer(c1, serverConfig) |
| if err == nil { |
| t.Fatal("newServer: got nil, expected errors") |
| } |
| |
| authErrs, ok := err.(*ServerAuthError) |
| if !ok { |
| t.Fatalf("errors: got %T, want *ssh.ServerAuthError", err) |
| } |
| for i, e := range authErrs.Errors { |
| switch i { |
| case 0: |
| if e != ErrNoAuth { |
| t.Fatalf("errors: got error %v, want ErrNoAuth", e) |
| } |
| case 1: |
| if e != publicKeyErr { |
| t.Fatalf("errors: got %v, want %v", e, publicKeyErr) |
| } |
| default: |
| t.Fatalf("errors: got %v, expected 2 errors", authErrs.Errors) |
| } |
| } |
| } |
| |
| func TestAuthMethodGSSAPIWithMIC(t *testing.T) { |
| type testcase struct { |
| config *ClientConfig |
| gssConfig *GSSAPIWithMICConfig |
| clientWantErr string |
| serverWantErr string |
| } |
| testcases := []*testcase{ |
| { |
| config: &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| GSSAPIWithMICAuthMethod( |
| &FakeClient{ |
| exchanges: []*exchange{ |
| { |
| outToken: "client-valid-token-1", |
| }, |
| { |
| expectedToken: "server-valid-token-1", |
| }, |
| }, |
| mic: []byte("valid-mic"), |
| maxRound: 2, |
| }, "testtarget", |
| ), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| }, |
| gssConfig: &GSSAPIWithMICConfig{ |
| AllowLogin: func(conn ConnMetadata, srcName string) (*Permissions, error) { |
| if srcName != conn.User()+"@DOMAIN" { |
| return nil, fmt.Errorf("srcName is %s, conn user is %s", srcName, conn.User()) |
| } |
| return nil, nil |
| }, |
| Server: &FakeServer{ |
| exchanges: []*exchange{ |
| { |
| outToken: "server-valid-token-1", |
| expectedToken: "client-valid-token-1", |
| }, |
| }, |
| maxRound: 1, |
| expectedMIC: []byte("valid-mic"), |
| srcName: "testuser@DOMAIN", |
| }, |
| }, |
| }, |
| { |
| config: &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| GSSAPIWithMICAuthMethod( |
| &FakeClient{ |
| exchanges: []*exchange{ |
| { |
| outToken: "client-valid-token-1", |
| }, |
| { |
| expectedToken: "server-valid-token-1", |
| }, |
| }, |
| mic: []byte("valid-mic"), |
| maxRound: 2, |
| }, "testtarget", |
| ), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| }, |
| gssConfig: &GSSAPIWithMICConfig{ |
| AllowLogin: func(conn ConnMetadata, srcName string) (*Permissions, error) { |
| return nil, fmt.Errorf("user is not allowed to login") |
| }, |
| Server: &FakeServer{ |
| exchanges: []*exchange{ |
| { |
| outToken: "server-valid-token-1", |
| expectedToken: "client-valid-token-1", |
| }, |
| }, |
| maxRound: 1, |
| expectedMIC: []byte("valid-mic"), |
| srcName: "testuser@DOMAIN", |
| }, |
| }, |
| serverWantErr: "user is not allowed to login", |
| clientWantErr: "ssh: handshake failed: ssh: unable to authenticate", |
| }, |
| { |
| config: &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| GSSAPIWithMICAuthMethod( |
| &FakeClient{ |
| exchanges: []*exchange{ |
| { |
| outToken: "client-valid-token-1", |
| }, |
| { |
| expectedToken: "server-valid-token-1", |
| }, |
| }, |
| mic: []byte("valid-mic"), |
| maxRound: 2, |
| }, "testtarget", |
| ), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| }, |
| gssConfig: &GSSAPIWithMICConfig{ |
| AllowLogin: func(conn ConnMetadata, srcName string) (*Permissions, error) { |
| if srcName != conn.User() { |
| return nil, fmt.Errorf("srcName is %s, conn user is %s", srcName, conn.User()) |
| } |
| return nil, nil |
| }, |
| Server: &FakeServer{ |
| exchanges: []*exchange{ |
| { |
| outToken: "server-invalid-token-1", |
| expectedToken: "client-valid-token-1", |
| }, |
| }, |
| maxRound: 1, |
| expectedMIC: []byte("valid-mic"), |
| srcName: "testuser@DOMAIN", |
| }, |
| }, |
| clientWantErr: "ssh: handshake failed: got \"server-invalid-token-1\", want token \"server-valid-token-1\"", |
| }, |
| { |
| config: &ClientConfig{ |
| User: "testuser", |
| Auth: []AuthMethod{ |
| GSSAPIWithMICAuthMethod( |
| &FakeClient{ |
| exchanges: []*exchange{ |
| { |
| outToken: "client-valid-token-1", |
| }, |
| { |
| expectedToken: "server-valid-token-1", |
| }, |
| }, |
| mic: []byte("invalid-mic"), |
| maxRound: 2, |
| }, "testtarget", |
| ), |
| }, |
| HostKeyCallback: InsecureIgnoreHostKey(), |
| }, |
| gssConfig: &GSSAPIWithMICConfig{ |
| AllowLogin: func(conn ConnMetadata, srcName string) (*Permissions, error) { |
| if srcName != conn.User() { |
| return nil, fmt.Errorf("srcName is %s, conn user is %s", srcName, conn.User()) |
| } |
| return nil, nil |
| }, |
| Server: &FakeServer{ |
| exchanges: []*exchange{ |
| { |
| outToken: "server-valid-token-1", |
| expectedToken: "client-valid-token-1", |
| }, |
| }, |
| maxRound: 1, |
| expectedMIC: []byte("valid-mic"), |
| srcName: "testuser@DOMAIN", |
| }, |
| }, |
| serverWantErr: "got MICToken \"invalid-mic\", want \"valid-mic\"", |
| clientWantErr: "ssh: handshake failed: ssh: unable to authenticate", |
| }, |
| } |
| |
| for i, c := range testcases { |
| clientErr, serverErrs := tryAuthBothSides(t, c.config, c.gssConfig) |
| if (c.clientWantErr == "") != (clientErr == nil) { |
| t.Fatalf("client got %v, want %s, case %d", clientErr, c.clientWantErr, i) |
| } |
| if (c.serverWantErr == "") != (len(serverErrs) == 2 && serverErrs[1] == nil || len(serverErrs) == 1) { |
| t.Fatalf("server got err %v, want %s", serverErrs, c.serverWantErr) |
| } |
| if c.clientWantErr != "" { |
| if clientErr != nil && !strings.Contains(clientErr.Error(), c.clientWantErr) { |
| t.Fatalf("client got %v, want %s, case %d", clientErr, c.clientWantErr, i) |
| } |
| } |
| found := false |
| var errStrings []string |
| if c.serverWantErr != "" { |
| for _, err := range serverErrs { |
| found = found || (err != nil && strings.Contains(err.Error(), c.serverWantErr)) |
| errStrings = append(errStrings, err.Error()) |
| } |
| if !found { |
| t.Errorf("server got error %q, want substring %q, case %d", errStrings, c.serverWantErr, i) |
| } |
| } |
| } |
| } |
| |
| func TestCompatibleAlgoAndSignatures(t *testing.T) { |
| type testcase struct { |
| algo string |
| sigFormat string |
| compatible bool |
| } |
| testcases := []*testcase{ |
| { |
| KeyAlgoRSA, |
| KeyAlgoRSA, |
| true, |
| }, |
| { |
| KeyAlgoRSA, |
| KeyAlgoRSASHA256, |
| true, |
| }, |
| { |
| KeyAlgoRSA, |
| KeyAlgoRSASHA512, |
| true, |
| }, |
| { |
| KeyAlgoRSASHA256, |
| KeyAlgoRSA, |
| true, |
| }, |
| { |
| KeyAlgoRSASHA512, |
| KeyAlgoRSA, |
| true, |
| }, |
| { |
| KeyAlgoRSASHA512, |
| KeyAlgoRSASHA256, |
| true, |
| }, |
| { |
| KeyAlgoRSASHA256, |
| KeyAlgoRSASHA512, |
| true, |
| }, |
| { |
| KeyAlgoRSASHA512, |
| KeyAlgoRSASHA512, |
| true, |
| }, |
| { |
| CertAlgoRSAv01, |
| KeyAlgoRSA, |
| true, |
| }, |
| { |
| CertAlgoRSAv01, |
| KeyAlgoRSASHA256, |
| true, |
| }, |
| { |
| CertAlgoRSAv01, |
| KeyAlgoRSASHA512, |
| true, |
| }, |
| { |
| CertAlgoRSASHA256v01, |
| KeyAlgoRSASHA512, |
| true, |
| }, |
| { |
| CertAlgoRSASHA512v01, |
| KeyAlgoRSASHA512, |
| true, |
| }, |
| { |
| CertAlgoRSASHA512v01, |
| KeyAlgoRSASHA256, |
| true, |
| }, |
| { |
| CertAlgoRSASHA256v01, |
| CertAlgoRSAv01, |
| true, |
| }, |
| { |
| CertAlgoRSAv01, |
| CertAlgoRSASHA512v01, |
| true, |
| }, |
| { |
| KeyAlgoECDSA256, |
| KeyAlgoRSA, |
| false, |
| }, |
| { |
| KeyAlgoECDSA256, |
| KeyAlgoECDSA521, |
| false, |
| }, |
| { |
| KeyAlgoECDSA256, |
| KeyAlgoECDSA256, |
| true, |
| }, |
| { |
| KeyAlgoECDSA256, |
| KeyAlgoED25519, |
| false, |
| }, |
| { |
| KeyAlgoED25519, |
| KeyAlgoED25519, |
| true, |
| }, |
| } |
| |
| for _, c := range testcases { |
| if isAlgoCompatible(c.algo, c.sigFormat) != c.compatible { |
| t.Errorf("algorithm %q, signature format %q, expected compatible to be %t", c.algo, c.sigFormat, c.compatible) |
| } |
| } |
| } |