ssh: add test case against ssh CLI
These tests try to ensure better compatibility of our server implementation
with the ssh CLI.
With these tests in place:
1) before merging CL 447757 we would have noticed that our server
implementation was broken with OpenSSH 8.8+
2) after merging CL 447757 we would have noticed that our server
implementation was broken with OpenSSH 7.2-7.7
The ssh CLI from $PATH is used by default, but can be overridden using
the SSH_CLI_PATH environment variable.
Change-Id: I93d64be41c7613132b0364afac8397f57c2dcbca
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/506837
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Benny Siegert <bsiegert@gmail.com>
Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
Run-TryBot: Nicola Murino <nicola.murino@gmail.com>
diff --git a/ssh/test/server_test.go b/ssh/test/server_test.go
new file mode 100644
index 0000000..e70241b
--- /dev/null
+++ b/ssh/test/server_test.go
@@ -0,0 +1,98 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package test
+
+import (
+ "net"
+
+ "golang.org/x/crypto/ssh"
+)
+
+type exitStatusMsg struct {
+ Status uint32
+}
+
+// goServer is a test Go SSH server that accepts public key and certificate
+// authentication and replies with a 0 exit status to any exec request without
+// running any commands.
+type goTestServer struct {
+ listener net.Listener
+ config *ssh.ServerConfig
+ done <-chan struct{}
+}
+
+func newTestServer(config *ssh.ServerConfig) (*goTestServer, error) {
+ server := &goTestServer{
+ config: config,
+ }
+ listener, err := net.Listen("tcp", "127.0.0.1:")
+ if err != nil {
+ return nil, err
+ }
+ server.listener = listener
+ done := make(chan struct{}, 1)
+ server.done = done
+ go server.acceptConnections(done)
+
+ return server, nil
+}
+
+func (s *goTestServer) port() (string, error) {
+ _, port, err := net.SplitHostPort(s.listener.Addr().String())
+ return port, err
+}
+
+func (s *goTestServer) acceptConnections(done chan<- struct{}) {
+ defer close(done)
+
+ for {
+ c, err := s.listener.Accept()
+ if err != nil {
+ return
+ }
+ _, chans, reqs, err := ssh.NewServerConn(c, s.config)
+ if err != nil {
+ return
+ }
+ go ssh.DiscardRequests(reqs)
+ defer c.Close()
+
+ for newChannel := range chans {
+ if newChannel.ChannelType() != "session" {
+ newChannel.Reject(ssh.UnknownChannelType, "unknown channel type")
+ continue
+ }
+
+ channel, requests, err := newChannel.Accept()
+ if err != nil {
+ continue
+ }
+
+ go func(in <-chan *ssh.Request) {
+ for req := range in {
+ ok := false
+ switch req.Type {
+ case "exec":
+ ok = true
+ go func() {
+ channel.SendRequest("exit-status", false, ssh.Marshal(&exitStatusMsg{Status: 0}))
+ channel.Close()
+ }()
+ }
+ if req.WantReply {
+ req.Reply(ok, nil)
+ }
+ }
+ }(requests)
+ }
+ }
+}
+
+func (s *goTestServer) Close() error {
+ err := s.listener.Close()
+ // wait for the accept loop to exit
+ <-s.done
+ return err
+}
diff --git a/ssh/test/sshcli_test.go b/ssh/test/sshcli_test.go
new file mode 100644
index 0000000..d3b85d7
--- /dev/null
+++ b/ssh/test/sshcli_test.go
@@ -0,0 +1,96 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package test
+
+import (
+ "bytes"
+ "fmt"
+ "os"
+ "os/exec"
+ "path/filepath"
+ "testing"
+
+ "golang.org/x/crypto/internal/testenv"
+ "golang.org/x/crypto/ssh"
+ "golang.org/x/crypto/ssh/testdata"
+)
+
+func sshClient(t *testing.T) string {
+ if testing.Short() {
+ t.Skip("Skipping test that executes OpenSSH in -short mode")
+ }
+ sshCLI := os.Getenv("SSH_CLI_PATH")
+ if sshCLI == "" {
+ sshCLI = "ssh"
+ }
+ var err error
+ sshCLI, err = exec.LookPath(sshCLI)
+ if err != nil {
+ t.Skipf("Can't find an ssh(1) client to test against: %v", err)
+ }
+ return sshCLI
+}
+
+func TestSSHCLIAuth(t *testing.T) {
+ sshCLI := sshClient(t)
+ dir := t.TempDir()
+ keyPrivPath := filepath.Join(dir, "rsa")
+
+ for fn, content := range map[string][]byte{
+ keyPrivPath: testdata.PEMBytes["rsa"],
+ keyPrivPath + ".pub": ssh.MarshalAuthorizedKey(testPublicKeys["rsa"]),
+ filepath.Join(dir, "rsa-cert.pub"): testdata.SSHCertificates["rsa-user-testcertificate"],
+ } {
+ if err := os.WriteFile(fn, content, 0600); err != nil {
+ t.Fatalf("WriteFile(%q): %v", fn, err)
+ }
+ }
+
+ certChecker := ssh.CertChecker{
+ IsUserAuthority: func(k ssh.PublicKey) bool {
+ return bytes.Equal(k.Marshal(), testPublicKeys["ca"].Marshal())
+ },
+ UserKeyFallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
+ if conn.User() == "testpubkey" && bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
+ return nil, nil
+ }
+
+ return nil, fmt.Errorf("pubkey for %q not acceptable", conn.User())
+ },
+ }
+
+ config := &ssh.ServerConfig{
+ PublicKeyCallback: certChecker.Authenticate,
+ }
+ config.AddHostKey(testSigners["rsa"])
+
+ server, err := newTestServer(config)
+ if err != nil {
+ t.Fatalf("unable to start test server: %v", err)
+ }
+ defer server.Close()
+
+ port, err := server.port()
+ if err != nil {
+ t.Fatalf("unable to get server port: %v", err)
+ }
+
+ // test public key authentication.
+ cmd := testenv.Command(t, sshCLI, "-vvv", "-i", keyPrivPath, "-o", "StrictHostKeyChecking=no",
+ "-p", port, "testpubkey@127.0.0.1", "true")
+ out, err := cmd.CombinedOutput()
+ if err != nil {
+ t.Fatalf("public key authentication failed, error: %v, command output %q", err, string(out))
+ }
+ // Test SSH user certificate authentication.
+ // The username must match one of the principals included in the certificate.
+ // The certificate "rsa-user-testcertificate" has "testcertificate" as principal.
+ cmd = testenv.Command(t, sshCLI, "-vvv", "-i", keyPrivPath, "-o", "StrictHostKeyChecking=no",
+ "-p", port, "testcertificate@127.0.0.1", "true")
+ out, err = cmd.CombinedOutput()
+ if err != nil {
+ t.Fatalf("user certificate authentication failed, error: %v, command output %q", err, string(out))
+ }
+}
diff --git a/ssh/testdata/keys.go b/ssh/testdata/keys.go
index ad95a81..69f9eef 100644
--- a/ssh/testdata/keys.go
+++ b/ssh/testdata/keys.go
@@ -196,6 +196,12 @@
`),
"rsa-sha2-512": []byte(`ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgFGv4IpXfs4L/Y0b3rmUdPFhWoUrVnXuPxXr6aHGs7wgAAAADAQABAAAAgQC8A6FGHDiWCSREAXCq6yBfNVr0xCVG2CzvktFNRpue+RXrGs/2a6ySEJQb3IYquw7HlJgu6fg3WIWhOmHCjfpG0PrL4CRwbqQ2LaPPXhJErWYejcD8Di00cF3677+G10KMZk9RXbmHtuBFZT98wxg8j+ZsBMqGM1+7yrWUvynswQAAAAAAAAAAAAAAAgAAABRob3N0LmV4YW1wbGUuY29tLWtleQAAABQAAAAQaG9zdC5leGFtcGxlLmNvbQAAAABeSMRYAAAAAHBPBp4AAAAAAAAAAAAAAAAAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQC+D11D0hEbn2Vglv4YRJ8pZNyHjIGmvth3DWOQrq++2vH2MujmGQDxfr4SVE9GpMBlKU3lwGbpgIBxAg6yZcNSfo6PWVU9ACg6NMFO+yMzc2MaG+/naQdNjSewywF5j2rkNO2XOaViRVSrZroe2B/aY2LTV0jDl8nu5NOjwRs1/s7SLe5z1rw/X0dpmXk0qJY3gQhmR8HZZ1dhEkJUGwaBCPd0T8asSYf1Ag2rUD4aQ28r3q69mbwfWOOa6rMemVZruUV5dzHwVNVNtVv+ImtnYtz8m8g+K0plaGptHn3KsaOnASkh3tujhaE7kvc4HR9Igli9+76jhZie3h/dTN5zAAABFAAAAAxyc2Etc2hhMi01MTIAAAEAnF4fVj6mm+UFeNCIf9AKJCv9WzymjjPvzzmaMWWkPWqoV0P0m5SiYfvbY9SbA73Blpv8SOr0DmpublF183kodREia4KyVuC8hLhSCV2Y16hy9MBegOZMepn80w+apj7Rn9QCz5OfEakDdztp6OWTBtqxnZFcTQ4XrgFkNWeWRElGdEvAVNn2WHwHi4EIdz0mdv48Imv5SPlOuW862ZdFG4Do1dUfDIiGsBofLlgcyIYlf+eNHul6sBeUkuwFxisMpI5DQzNp8PX1g/QJA2wzwT674PTqDXNttKjyh50Fdr4sXxm9Gz1+jVLoESvFNa55ERdSyAqNu4wTy11MZsWwSA== host.example.com
`),
+ // Assumes "ca" key above in file named "ca", sign a user cert for "rsa.pub"
+ // using "testcertificate" as principal:
+ //
+ // ssh-keygen -s ca -I username -n testcertificate rsa.pub
+ "rsa-user-testcertificate": []byte(`ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgr0MnhSf+KkQWEQmweJOGsJfOrUt80pQZDaI9YiwSfDUAAAADAQABAAAAgQC8A6FGHDiWCSREAXCq6yBfNVr0xCVG2CzvktFNRpue+RXrGs/2a6ySEJQb3IYquw7HlJgu6fg3WIWhOmHCjfpG0PrL4CRwbqQ2LaPPXhJErWYejcD8Di00cF3677+G10KMZk9RXbmHtuBFZT98wxg8j+ZsBMqGM1+7yrWUvynswQAAAAAAAAAAAAAAAQAAAAh1c2VybmFtZQAAABMAAAAPdGVzdGNlcnRpZmljYXRlAAAAAAAAAAD//////////wAAAAAAAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQC+D11D0hEbn2Vglv4YRJ8pZNyHjIGmvth3DWOQrq++2vH2MujmGQDxfr4SVE9GpMBlKU3lwGbpgIBxAg6yZcNSfo6PWVU9ACg6NMFO+yMzc2MaG+/naQdNjSewywF5j2rkNO2XOaViRVSrZroe2B/aY2LTV0jDl8nu5NOjwRs1/s7SLe5z1rw/X0dpmXk0qJY3gQhmR8HZZ1dhEkJUGwaBCPd0T8asSYf1Ag2rUD4aQ28r3q69mbwfWOOa6rMemVZruUV5dzHwVNVNtVv+ImtnYtz8m8g+K0plaGptHn3KsaOnASkh3tujhaE7kvc4HR9Igli9+76jhZie3h/dTN5zAAABFAAAAAxyc2Etc2hhMi01MTIAAAEAFuA+67KvnlmcodIp0Lv4mR9UW/CHghAaN1csBJTkI8mx3wXKyIPTsS2uXboEhWD0a7S9gps2SEwC5m6E3kV2Rzg7aH1S03GZqMvVlK2VHe7fzuoW2yOKk6yEPjeTF0pKCFbUQ6mce8pRpD/zdvjG0Z287XM3c3Axlrn7qq7TS0MDTjEZ/dsUNFHxep3co/HuAsWVWPVDItr/FPnvZ6WVH1yc8N/AJn0gLHobkGgug22vI9rNIge1wrnXxU9BUSouzkau/PQsrCQapnn+I1H7HaQt0wdk45nxMP+ags+HRI9qpX/p8WDn6+zpqYqN/nfw2aoytyaJqhsV32Teuqtrgg== rsa.pub
+`),
}
var PEMEncryptedKeys = []struct {
