ssh/test: skip KEX test if unsupported by system SSH client
Skip the key exchange test when using the system's ssh CLI if the
required KEX algorithm (e.g., mlkem768x25519-sha256) is not supported.
This is determined by running ssh -Q kex and checking for the presence
of the target algorithm.
Prevents false test failures in CI environments with older or limited
SSH implementations.
Cq-Include-Trybots: luci.golang.try:x_crypto-gotip-darwin-amd64-longtest,x_crypto-gotip-linux-amd64-longtest,x_crypto-gotip-windows-amd64-longtest
Change-Id: I3fac703ec70559e18b30d5fff88274335a7c3952
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/679195
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
diff --git a/ssh/test/sshcli_test.go b/ssh/test/sshcli_test.go
index 6648067..767dd6c 100644
--- a/ssh/test/sshcli_test.go
+++ b/ssh/test/sshcli_test.go
@@ -119,6 +119,14 @@
keyExchanges := append(ssh.SupportedAlgorithms().KeyExchanges, ssh.InsecureAlgorithms().KeyExchanges...)
for _, kex := range keyExchanges {
t.Run(kex, func(t *testing.T) {
+ cmd := testenv.Command(t, sshCLI, "-Q", "kex")
+ out, err := cmd.CombinedOutput()
+ if err != nil {
+ t.Fatalf("%s failed to check if the KEX is supported, error: %v, command output %q", kex, err, string(out))
+ }
+ if !bytes.Contains(out, []byte(kex)) {
+ t.Skipf("KEX %q is not supported in the installed ssh CLI", kex)
+ }
config := &ssh.ServerConfig{
Config: ssh.Config{
KeyExchanges: []string{kex},
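Review bot: The support check `bytes.Contains(out, []byte(kex))` is a substring match over the whole `ssh -Q kex` output, so a name that is a prefix of another entry counts as supported: a client that lists only `curve25519-sha256@libssh.org` would still pass the check for `curve25519-sha256`, and the sub-test would then fail instead of skipping. Comparing against whole entries avoids this, for example by looping over `bytes.Fields(out)` and testing `string(f) == kex`. The probe is also loop-invariant, so it could run once before the `for _, kex := range keyExchanges` loop; that would remove the per-sub-test process spawn and the need to reuse `cmd`, `out` and `err` in the later hunk. Because the list includes `ssh.InsecureAlgorithms()`, it may be worth a short comment that a skip means interop for that algorithm is not exercised on that builder. The enclosing test function starts and ends outside this hunk.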
@@ -144,9 +152,9 @@
t.Fatalf("unable to get server port: %v", err)
}
- cmd := testenv.Command(t, sshCLI, "-vvv", "-i", keyPrivPath, "-o", "StrictHostKeyChecking=no",
+ cmd = testenv.Command(t, sshCLI, "-vvv", "-i", keyPrivPath, "-o", "StrictHostKeyChecking=no",
"-o", fmt.Sprintf("KexAlgorithms=%s", kex), "-p", port, "testpubkey@127.0.0.1", "true")
- out, err := cmd.CombinedOutput()
+ out, err = cmd.CombinedOutput()
if err != nil {
t.Fatalf("%s failed, error: %v, command output %q", kex, err, string(out))
}