899 строки
23 KiB
Go
899 строки
23 KiB
Go
// Copyright 2011 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package ssh
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/rand"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"log"
|
|
"net"
|
|
"os"
|
|
"strings"
|
|
"testing"
|
|
)
|
|
|
|
type keyboardInteractive map[string]string
|
|
|
|
func (cr keyboardInteractive) Challenge(user string, instruction string, questions []string, echos []bool) ([]string, error) {
|
|
var answers []string
|
|
for _, q := range questions {
|
|
answers = append(answers, cr[q])
|
|
}
|
|
return answers, nil
|
|
}
|
|
|
|
// reused internally by tests
|
|
var clientPassword = "tiger"
|
|
|
|
// tryAuth runs a handshake with a given config against an SSH server
|
|
// with config serverConfig. Returns both client and server side errors.
|
|
func tryAuth(t *testing.T, config *ClientConfig) error {
|
|
err, _ := tryAuthBothSides(t, config, nil)
|
|
return err
|
|
}
|
|
|
|
// tryAuth runs a handshake with a given config against an SSH server
|
|
// with a given GSSAPIWithMICConfig and config serverConfig. Returns both client and server side errors.
|
|
func tryAuthWithGSSAPIWithMICConfig(t *testing.T, clientConfig *ClientConfig, gssAPIWithMICConfig *GSSAPIWithMICConfig) error {
|
|
err, _ := tryAuthBothSides(t, clientConfig, gssAPIWithMICConfig)
|
|
return err
|
|
}
|
|
|
|
// tryAuthBothSides runs the handshake and returns the resulting errors from both sides of the connection.
|
|
func tryAuthBothSides(t *testing.T, config *ClientConfig, gssAPIWithMICConfig *GSSAPIWithMICConfig) (clientError error, serverAuthErrors []error) {
|
|
c1, c2, err := netPipe()
|
|
if err != nil {
|
|
t.Fatalf("netPipe: %v", err)
|
|
}
|
|
defer c1.Close()
|
|
defer c2.Close()
|
|
|
|
certChecker := CertChecker{
|
|
IsUserAuthority: func(k PublicKey) bool {
|
|
return bytes.Equal(k.Marshal(), testPublicKeys["ecdsa"].Marshal())
|
|
},
|
|
UserKeyFallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
|
|
if conn.User() == "testuser" && bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
|
|
return nil, nil
|
|
}
|
|
|
|
return nil, fmt.Errorf("pubkey for %q not acceptable", conn.User())
|
|
},
|
|
IsRevoked: func(c *Certificate) bool {
|
|
return c.Serial == 666
|
|
},
|
|
}
|
|
serverConfig := &ServerConfig{
|
|
PasswordCallback: func(conn ConnMetadata, pass []byte) (*Permissions, error) {
|
|
if conn.User() == "testuser" && string(pass) == clientPassword {
|
|
return nil, nil
|
|
}
|
|
return nil, errors.New("password auth failed")
|
|
},
|
|
PublicKeyCallback: certChecker.Authenticate,
|
|
KeyboardInteractiveCallback: func(conn ConnMetadata, challenge KeyboardInteractiveChallenge) (*Permissions, error) {
|
|
ans, err := challenge("user",
|
|
"instruction",
|
|
[]string{"question1", "question2"},
|
|
[]bool{true, true})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
ok := conn.User() == "testuser" && ans[0] == "answer1" && ans[1] == "answer2"
|
|
if ok {
|
|
challenge("user", "motd", nil, nil)
|
|
return nil, nil
|
|
}
|
|
return nil, errors.New("keyboard-interactive failed")
|
|
},
|
|
GSSAPIWithMICConfig: gssAPIWithMICConfig,
|
|
}
|
|
serverConfig.AddHostKey(testSigners["rsa"])
|
|
|
|
serverConfig.AuthLogCallback = func(conn ConnMetadata, method string, err error) {
|
|
serverAuthErrors = append(serverAuthErrors, err)
|
|
}
|
|
|
|
go newServer(c1, serverConfig)
|
|
_, _, _, err = NewClientConn(c2, "", config)
|
|
return err, serverAuthErrors
|
|
}
|
|
|
|
func TestClientAuthPublicKey(t *testing.T) {
|
|
config := &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
PublicKeys(testSigners["rsa"]),
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
}
|
|
if err := tryAuth(t, config); err != nil {
|
|
t.Fatalf("unable to dial remote side: %s", err)
|
|
}
|
|
}
|
|
|
|
func TestAuthMethodPassword(t *testing.T) {
|
|
config := &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
Password(clientPassword),
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
}
|
|
|
|
if err := tryAuth(t, config); err != nil {
|
|
t.Fatalf("unable to dial remote side: %s", err)
|
|
}
|
|
}
|
|
|
|
func TestAuthMethodFallback(t *testing.T) {
|
|
var passwordCalled bool
|
|
config := &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
PublicKeys(testSigners["rsa"]),
|
|
PasswordCallback(
|
|
func() (string, error) {
|
|
passwordCalled = true
|
|
return "WRONG", nil
|
|
}),
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
}
|
|
|
|
if err := tryAuth(t, config); err != nil {
|
|
t.Fatalf("unable to dial remote side: %s", err)
|
|
}
|
|
|
|
if passwordCalled {
|
|
t.Errorf("password auth tried before public-key auth.")
|
|
}
|
|
}
|
|
|
|
func TestAuthMethodWrongPassword(t *testing.T) {
|
|
config := &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
Password("wrong"),
|
|
PublicKeys(testSigners["rsa"]),
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
}
|
|
|
|
if err := tryAuth(t, config); err != nil {
|
|
t.Fatalf("unable to dial remote side: %s", err)
|
|
}
|
|
}
|
|
|
|
func TestAuthMethodKeyboardInteractive(t *testing.T) {
|
|
answers := keyboardInteractive(map[string]string{
|
|
"question1": "answer1",
|
|
"question2": "answer2",
|
|
})
|
|
config := &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
KeyboardInteractive(answers.Challenge),
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
}
|
|
|
|
if err := tryAuth(t, config); err != nil {
|
|
t.Fatalf("unable to dial remote side: %s", err)
|
|
}
|
|
}
|
|
|
|
func TestAuthMethodWrongKeyboardInteractive(t *testing.T) {
|
|
answers := keyboardInteractive(map[string]string{
|
|
"question1": "answer1",
|
|
"question2": "WRONG",
|
|
})
|
|
config := &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
KeyboardInteractive(answers.Challenge),
|
|
},
|
|
}
|
|
|
|
if err := tryAuth(t, config); err == nil {
|
|
t.Fatalf("wrong answers should not have authenticated with KeyboardInteractive")
|
|
}
|
|
}
|
|
|
|
// the mock server will only authenticate ssh-rsa keys
|
|
func TestAuthMethodInvalidPublicKey(t *testing.T) {
|
|
config := &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
PublicKeys(testSigners["dsa"]),
|
|
},
|
|
}
|
|
|
|
if err := tryAuth(t, config); err == nil {
|
|
t.Fatalf("dsa private key should not have authenticated with rsa public key")
|
|
}
|
|
}
|
|
|
|
// the client should authenticate with the second key
|
|
func TestAuthMethodRSAandDSA(t *testing.T) {
|
|
config := &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
PublicKeys(testSigners["dsa"], testSigners["rsa"]),
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
}
|
|
if err := tryAuth(t, config); err != nil {
|
|
t.Fatalf("client could not authenticate with rsa key: %v", err)
|
|
}
|
|
}
|
|
|
|
type invalidAlgSigner struct {
|
|
Signer
|
|
}
|
|
|
|
func (s *invalidAlgSigner) Sign(rand io.Reader, data []byte) (*Signature, error) {
|
|
sig, err := s.Signer.Sign(rand, data)
|
|
if sig != nil {
|
|
sig.Format = "invalid"
|
|
}
|
|
return sig, err
|
|
}
|
|
|
|
func TestMethodInvalidAlgorithm(t *testing.T) {
|
|
config := &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
PublicKeys(&invalidAlgSigner{testSigners["rsa"]}),
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
}
|
|
|
|
err, serverErrors := tryAuthBothSides(t, config, nil)
|
|
if err == nil {
|
|
t.Fatalf("login succeeded")
|
|
}
|
|
|
|
found := false
|
|
want := "algorithm \"invalid\""
|
|
|
|
var errStrings []string
|
|
for _, err := range serverErrors {
|
|
found = found || (err != nil && strings.Contains(err.Error(), want))
|
|
errStrings = append(errStrings, err.Error())
|
|
}
|
|
if !found {
|
|
t.Errorf("server got error %q, want substring %q", errStrings, want)
|
|
}
|
|
}
|
|
|
|
func TestClientHMAC(t *testing.T) {
|
|
for _, mac := range supportedMACs {
|
|
config := &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
PublicKeys(testSigners["rsa"]),
|
|
},
|
|
Config: Config{
|
|
MACs: []string{mac},
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
}
|
|
if err := tryAuth(t, config); err != nil {
|
|
t.Fatalf("client could not authenticate with mac algo %s: %v", mac, err)
|
|
}
|
|
}
|
|
}
|
|
|
|
// issue 4285.
|
|
func TestClientUnsupportedCipher(t *testing.T) {
|
|
config := &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
PublicKeys(),
|
|
},
|
|
Config: Config{
|
|
Ciphers: []string{"aes128-cbc"}, // not currently supported
|
|
},
|
|
}
|
|
if err := tryAuth(t, config); err == nil {
|
|
t.Errorf("expected no ciphers in common")
|
|
}
|
|
}
|
|
|
|
func TestClientUnsupportedKex(t *testing.T) {
|
|
if os.Getenv("GO_BUILDER_NAME") != "" {
|
|
t.Skip("skipping known-flaky test on the Go build dashboard; see golang.org/issue/15198")
|
|
}
|
|
config := &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
PublicKeys(),
|
|
},
|
|
Config: Config{
|
|
KeyExchanges: []string{"non-existent-kex"},
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
}
|
|
if err := tryAuth(t, config); err == nil || !strings.Contains(err.Error(), "common algorithm") {
|
|
t.Errorf("got %v, expected 'common algorithm'", err)
|
|
}
|
|
}
|
|
|
|
func TestClientLoginCert(t *testing.T) {
|
|
cert := &Certificate{
|
|
Key: testPublicKeys["rsa"],
|
|
ValidBefore: CertTimeInfinity,
|
|
CertType: UserCert,
|
|
}
|
|
cert.SignCert(rand.Reader, testSigners["ecdsa"])
|
|
certSigner, err := NewCertSigner(cert, testSigners["rsa"])
|
|
if err != nil {
|
|
t.Fatalf("NewCertSigner: %v", err)
|
|
}
|
|
|
|
clientConfig := &ClientConfig{
|
|
User: "user",
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
}
|
|
clientConfig.Auth = append(clientConfig.Auth, PublicKeys(certSigner))
|
|
|
|
// should succeed
|
|
if err := tryAuth(t, clientConfig); err != nil {
|
|
t.Errorf("cert login failed: %v", err)
|
|
}
|
|
|
|
// corrupted signature
|
|
cert.Signature.Blob[0]++
|
|
if err := tryAuth(t, clientConfig); err == nil {
|
|
t.Errorf("cert login passed with corrupted sig")
|
|
}
|
|
|
|
// revoked
|
|
cert.Serial = 666
|
|
cert.SignCert(rand.Reader, testSigners["ecdsa"])
|
|
if err := tryAuth(t, clientConfig); err == nil {
|
|
t.Errorf("revoked cert login succeeded")
|
|
}
|
|
cert.Serial = 1
|
|
|
|
// sign with wrong key
|
|
cert.SignCert(rand.Reader, testSigners["dsa"])
|
|
if err := tryAuth(t, clientConfig); err == nil {
|
|
t.Errorf("cert login passed with non-authoritative key")
|
|
}
|
|
|
|
// host cert
|
|
cert.CertType = HostCert
|
|
cert.SignCert(rand.Reader, testSigners["ecdsa"])
|
|
if err := tryAuth(t, clientConfig); err == nil {
|
|
t.Errorf("cert login passed with wrong type")
|
|
}
|
|
cert.CertType = UserCert
|
|
|
|
// principal specified
|
|
cert.ValidPrincipals = []string{"user"}
|
|
cert.SignCert(rand.Reader, testSigners["ecdsa"])
|
|
if err := tryAuth(t, clientConfig); err != nil {
|
|
t.Errorf("cert login failed: %v", err)
|
|
}
|
|
|
|
// wrong principal specified
|
|
cert.ValidPrincipals = []string{"fred"}
|
|
cert.SignCert(rand.Reader, testSigners["ecdsa"])
|
|
if err := tryAuth(t, clientConfig); err == nil {
|
|
t.Errorf("cert login passed with wrong principal")
|
|
}
|
|
cert.ValidPrincipals = nil
|
|
|
|
// added critical option
|
|
cert.CriticalOptions = map[string]string{"root-access": "yes"}
|
|
cert.SignCert(rand.Reader, testSigners["ecdsa"])
|
|
if err := tryAuth(t, clientConfig); err == nil {
|
|
t.Errorf("cert login passed with unrecognized critical option")
|
|
}
|
|
|
|
// allowed source address
|
|
cert.CriticalOptions = map[string]string{"source-address": "127.0.0.42/24,::42/120"}
|
|
cert.SignCert(rand.Reader, testSigners["ecdsa"])
|
|
if err := tryAuth(t, clientConfig); err != nil {
|
|
t.Errorf("cert login with source-address failed: %v", err)
|
|
}
|
|
|
|
// disallowed source address
|
|
cert.CriticalOptions = map[string]string{"source-address": "127.0.0.42,::42"}
|
|
cert.SignCert(rand.Reader, testSigners["ecdsa"])
|
|
if err := tryAuth(t, clientConfig); err == nil {
|
|
t.Errorf("cert login with source-address succeeded")
|
|
}
|
|
}
|
|
|
|
func testPermissionsPassing(withPermissions bool, t *testing.T) {
|
|
serverConfig := &ServerConfig{
|
|
PublicKeyCallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
|
|
if conn.User() == "nopermissions" {
|
|
return nil, nil
|
|
}
|
|
return &Permissions{}, nil
|
|
},
|
|
}
|
|
serverConfig.AddHostKey(testSigners["rsa"])
|
|
|
|
clientConfig := &ClientConfig{
|
|
Auth: []AuthMethod{
|
|
PublicKeys(testSigners["rsa"]),
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
}
|
|
if withPermissions {
|
|
clientConfig.User = "permissions"
|
|
} else {
|
|
clientConfig.User = "nopermissions"
|
|
}
|
|
|
|
c1, c2, err := netPipe()
|
|
if err != nil {
|
|
t.Fatalf("netPipe: %v", err)
|
|
}
|
|
defer c1.Close()
|
|
defer c2.Close()
|
|
|
|
go NewClientConn(c2, "", clientConfig)
|
|
serverConn, err := newServer(c1, serverConfig)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if p := serverConn.Permissions; (p != nil) != withPermissions {
|
|
t.Fatalf("withPermissions is %t, but Permissions object is %#v", withPermissions, p)
|
|
}
|
|
}
|
|
|
|
func TestPermissionsPassing(t *testing.T) {
|
|
testPermissionsPassing(true, t)
|
|
}
|
|
|
|
func TestNoPermissionsPassing(t *testing.T) {
|
|
testPermissionsPassing(false, t)
|
|
}
|
|
|
|
func TestRetryableAuth(t *testing.T) {
|
|
n := 0
|
|
passwords := []string{"WRONG1", "WRONG2"}
|
|
|
|
config := &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
RetryableAuthMethod(PasswordCallback(func() (string, error) {
|
|
p := passwords[n]
|
|
n++
|
|
return p, nil
|
|
}), 2),
|
|
PublicKeys(testSigners["rsa"]),
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
}
|
|
|
|
if err := tryAuth(t, config); err != nil {
|
|
t.Fatalf("unable to dial remote side: %s", err)
|
|
}
|
|
if n != 2 {
|
|
t.Fatalf("Did not try all passwords")
|
|
}
|
|
}
|
|
|
|
func ExampleRetryableAuthMethod() {
|
|
user := "testuser"
|
|
NumberOfPrompts := 3
|
|
|
|
// Normally this would be a callback that prompts the user to answer the
|
|
// provided questions
|
|
Cb := func(user, instruction string, questions []string, echos []bool) (answers []string, err error) {
|
|
return []string{"answer1", "answer2"}, nil
|
|
}
|
|
|
|
config := &ClientConfig{
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
User: user,
|
|
Auth: []AuthMethod{
|
|
RetryableAuthMethod(KeyboardInteractiveChallenge(Cb), NumberOfPrompts),
|
|
},
|
|
}
|
|
|
|
host := "mysshserver"
|
|
netConn, err := net.Dial("tcp", host)
|
|
if err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
|
|
sshConn, _, _, err := NewClientConn(netConn, host, config)
|
|
if err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
_ = sshConn
|
|
}
|
|
|
|
// Test if username is received on server side when NoClientAuth is used
|
|
func TestClientAuthNone(t *testing.T) {
|
|
user := "testuser"
|
|
serverConfig := &ServerConfig{
|
|
NoClientAuth: true,
|
|
}
|
|
serverConfig.AddHostKey(testSigners["rsa"])
|
|
|
|
clientConfig := &ClientConfig{
|
|
User: user,
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
}
|
|
|
|
c1, c2, err := netPipe()
|
|
if err != nil {
|
|
t.Fatalf("netPipe: %v", err)
|
|
}
|
|
defer c1.Close()
|
|
defer c2.Close()
|
|
|
|
go NewClientConn(c2, "", clientConfig)
|
|
serverConn, err := newServer(c1, serverConfig)
|
|
if err != nil {
|
|
t.Fatalf("newServer: %v", err)
|
|
}
|
|
if serverConn.User() != user {
|
|
t.Fatalf("server: got %q, want %q", serverConn.User(), user)
|
|
}
|
|
}
|
|
|
|
// Test if authentication attempts are limited on server when MaxAuthTries is set
|
|
func TestClientAuthMaxAuthTries(t *testing.T) {
|
|
user := "testuser"
|
|
|
|
serverConfig := &ServerConfig{
|
|
MaxAuthTries: 2,
|
|
PasswordCallback: func(conn ConnMetadata, pass []byte) (*Permissions, error) {
|
|
if conn.User() == "testuser" && string(pass) == "right" {
|
|
return nil, nil
|
|
}
|
|
return nil, errors.New("password auth failed")
|
|
},
|
|
}
|
|
serverConfig.AddHostKey(testSigners["rsa"])
|
|
|
|
expectedErr := fmt.Errorf("ssh: handshake failed: %v", &disconnectMsg{
|
|
Reason: 2,
|
|
Message: "too many authentication failures",
|
|
})
|
|
|
|
for tries := 2; tries < 4; tries++ {
|
|
n := tries
|
|
clientConfig := &ClientConfig{
|
|
User: user,
|
|
Auth: []AuthMethod{
|
|
RetryableAuthMethod(PasswordCallback(func() (string, error) {
|
|
n--
|
|
if n == 0 {
|
|
return "right", nil
|
|
}
|
|
return "wrong", nil
|
|
}), tries),
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
}
|
|
|
|
c1, c2, err := netPipe()
|
|
if err != nil {
|
|
t.Fatalf("netPipe: %v", err)
|
|
}
|
|
defer c1.Close()
|
|
defer c2.Close()
|
|
|
|
go newServer(c1, serverConfig)
|
|
_, _, _, err = NewClientConn(c2, "", clientConfig)
|
|
if tries > 2 {
|
|
if err == nil {
|
|
t.Fatalf("client: got no error, want %s", expectedErr)
|
|
} else if err.Error() != expectedErr.Error() {
|
|
t.Fatalf("client: got %s, want %s", err, expectedErr)
|
|
}
|
|
} else {
|
|
if err != nil {
|
|
t.Fatalf("client: got %s, want no error", err)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// Test if authentication attempts are correctly limited on server
|
|
// when more public keys are provided then MaxAuthTries
|
|
func TestClientAuthMaxAuthTriesPublicKey(t *testing.T) {
|
|
signers := []Signer{}
|
|
for i := 0; i < 6; i++ {
|
|
signers = append(signers, testSigners["dsa"])
|
|
}
|
|
|
|
validConfig := &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
PublicKeys(append([]Signer{testSigners["rsa"]}, signers...)...),
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
}
|
|
if err := tryAuth(t, validConfig); err != nil {
|
|
t.Fatalf("unable to dial remote side: %s", err)
|
|
}
|
|
|
|
expectedErr := fmt.Errorf("ssh: handshake failed: %v", &disconnectMsg{
|
|
Reason: 2,
|
|
Message: "too many authentication failures",
|
|
})
|
|
invalidConfig := &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
PublicKeys(append(signers, testSigners["rsa"])...),
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
}
|
|
if err := tryAuth(t, invalidConfig); err == nil {
|
|
t.Fatalf("client: got no error, want %s", expectedErr)
|
|
} else if err.Error() != expectedErr.Error() {
|
|
t.Fatalf("client: got %s, want %s", err, expectedErr)
|
|
}
|
|
}
|
|
|
|
// Test whether authentication errors are being properly logged if all
|
|
// authentication methods have been exhausted
|
|
func TestClientAuthErrorList(t *testing.T) {
|
|
publicKeyErr := errors.New("This is an error from PublicKeyCallback")
|
|
|
|
clientConfig := &ClientConfig{
|
|
Auth: []AuthMethod{
|
|
PublicKeys(testSigners["rsa"]),
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
}
|
|
serverConfig := &ServerConfig{
|
|
PublicKeyCallback: func(_ ConnMetadata, _ PublicKey) (*Permissions, error) {
|
|
return nil, publicKeyErr
|
|
},
|
|
}
|
|
serverConfig.AddHostKey(testSigners["rsa"])
|
|
|
|
c1, c2, err := netPipe()
|
|
if err != nil {
|
|
t.Fatalf("netPipe: %v", err)
|
|
}
|
|
defer c1.Close()
|
|
defer c2.Close()
|
|
|
|
go NewClientConn(c2, "", clientConfig)
|
|
_, err = newServer(c1, serverConfig)
|
|
if err == nil {
|
|
t.Fatal("newServer: got nil, expected errors")
|
|
}
|
|
|
|
authErrs, ok := err.(*ServerAuthError)
|
|
if !ok {
|
|
t.Fatalf("errors: got %T, want *ssh.ServerAuthError", err)
|
|
}
|
|
for i, e := range authErrs.Errors {
|
|
switch i {
|
|
case 0:
|
|
if e != ErrNoAuth {
|
|
t.Fatalf("errors: got error %v, want ErrNoAuth", e)
|
|
}
|
|
case 1:
|
|
if e != publicKeyErr {
|
|
t.Fatalf("errors: got %v, want %v", e, publicKeyErr)
|
|
}
|
|
default:
|
|
t.Fatalf("errors: got %v, expected 2 errors", authErrs.Errors)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestAuthMethodGSSAPIWithMIC(t *testing.T) {
|
|
type testcase struct {
|
|
config *ClientConfig
|
|
gssConfig *GSSAPIWithMICConfig
|
|
clientWantErr string
|
|
serverWantErr string
|
|
}
|
|
testcases := []*testcase{
|
|
{
|
|
config: &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
GSSAPIWithMICAuthMethod(
|
|
&FakeClient{
|
|
exchanges: []*exchange{
|
|
{
|
|
outToken: "client-valid-token-1",
|
|
},
|
|
{
|
|
expectedToken: "server-valid-token-1",
|
|
},
|
|
},
|
|
mic: []byte("valid-mic"),
|
|
maxRound: 2,
|
|
}, "testtarget",
|
|
),
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
},
|
|
gssConfig: &GSSAPIWithMICConfig{
|
|
AllowLogin: func(conn ConnMetadata, srcName string) (*Permissions, error) {
|
|
if srcName != conn.User()+"@DOMAIN" {
|
|
return nil, fmt.Errorf("srcName is %s, conn user is %s", srcName, conn.User())
|
|
}
|
|
return nil, nil
|
|
},
|
|
Server: &FakeServer{
|
|
exchanges: []*exchange{
|
|
{
|
|
outToken: "server-valid-token-1",
|
|
expectedToken: "client-valid-token-1",
|
|
},
|
|
},
|
|
maxRound: 1,
|
|
expectedMIC: []byte("valid-mic"),
|
|
srcName: "testuser@DOMAIN",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
config: &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
GSSAPIWithMICAuthMethod(
|
|
&FakeClient{
|
|
exchanges: []*exchange{
|
|
{
|
|
outToken: "client-valid-token-1",
|
|
},
|
|
{
|
|
expectedToken: "server-valid-token-1",
|
|
},
|
|
},
|
|
mic: []byte("valid-mic"),
|
|
maxRound: 2,
|
|
}, "testtarget",
|
|
),
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
},
|
|
gssConfig: &GSSAPIWithMICConfig{
|
|
AllowLogin: func(conn ConnMetadata, srcName string) (*Permissions, error) {
|
|
return nil, fmt.Errorf("user is not allowed to login")
|
|
},
|
|
Server: &FakeServer{
|
|
exchanges: []*exchange{
|
|
{
|
|
outToken: "server-valid-token-1",
|
|
expectedToken: "client-valid-token-1",
|
|
},
|
|
},
|
|
maxRound: 1,
|
|
expectedMIC: []byte("valid-mic"),
|
|
srcName: "testuser@DOMAIN",
|
|
},
|
|
},
|
|
serverWantErr: "user is not allowed to login",
|
|
clientWantErr: "ssh: handshake failed: ssh: unable to authenticate",
|
|
},
|
|
{
|
|
config: &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
GSSAPIWithMICAuthMethod(
|
|
&FakeClient{
|
|
exchanges: []*exchange{
|
|
{
|
|
outToken: "client-valid-token-1",
|
|
},
|
|
{
|
|
expectedToken: "server-valid-token-1",
|
|
},
|
|
},
|
|
mic: []byte("valid-mic"),
|
|
maxRound: 2,
|
|
}, "testtarget",
|
|
),
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
},
|
|
gssConfig: &GSSAPIWithMICConfig{
|
|
AllowLogin: func(conn ConnMetadata, srcName string) (*Permissions, error) {
|
|
if srcName != conn.User() {
|
|
return nil, fmt.Errorf("srcName is %s, conn user is %s", srcName, conn.User())
|
|
}
|
|
return nil, nil
|
|
},
|
|
Server: &FakeServer{
|
|
exchanges: []*exchange{
|
|
{
|
|
outToken: "server-invalid-token-1",
|
|
expectedToken: "client-valid-token-1",
|
|
},
|
|
},
|
|
maxRound: 1,
|
|
expectedMIC: []byte("valid-mic"),
|
|
srcName: "testuser@DOMAIN",
|
|
},
|
|
},
|
|
clientWantErr: "ssh: handshake failed: got \"server-invalid-token-1\", want token \"server-valid-token-1\"",
|
|
},
|
|
{
|
|
config: &ClientConfig{
|
|
User: "testuser",
|
|
Auth: []AuthMethod{
|
|
GSSAPIWithMICAuthMethod(
|
|
&FakeClient{
|
|
exchanges: []*exchange{
|
|
{
|
|
outToken: "client-valid-token-1",
|
|
},
|
|
{
|
|
expectedToken: "server-valid-token-1",
|
|
},
|
|
},
|
|
mic: []byte("invalid-mic"),
|
|
maxRound: 2,
|
|
}, "testtarget",
|
|
),
|
|
},
|
|
HostKeyCallback: InsecureIgnoreHostKey(),
|
|
},
|
|
gssConfig: &GSSAPIWithMICConfig{
|
|
AllowLogin: func(conn ConnMetadata, srcName string) (*Permissions, error) {
|
|
if srcName != conn.User() {
|
|
return nil, fmt.Errorf("srcName is %s, conn user is %s", srcName, conn.User())
|
|
}
|
|
return nil, nil
|
|
},
|
|
Server: &FakeServer{
|
|
exchanges: []*exchange{
|
|
{
|
|
outToken: "server-valid-token-1",
|
|
expectedToken: "client-valid-token-1",
|
|
},
|
|
},
|
|
maxRound: 1,
|
|
expectedMIC: []byte("valid-mic"),
|
|
srcName: "testuser@DOMAIN",
|
|
},
|
|
},
|
|
serverWantErr: "got MICToken \"invalid-mic\", want \"valid-mic\"",
|
|
clientWantErr: "ssh: handshake failed: ssh: unable to authenticate",
|
|
},
|
|
}
|
|
|
|
for i, c := range testcases {
|
|
clientErr, serverErrs := tryAuthBothSides(t, c.config, c.gssConfig)
|
|
if (c.clientWantErr == "") != (clientErr == nil) {
|
|
t.Fatalf("client got %v, want %s, case %d", clientErr, c.clientWantErr, i)
|
|
}
|
|
if (c.serverWantErr == "") != (len(serverErrs) == 2 && serverErrs[1] == nil || len(serverErrs) == 1) {
|
|
t.Fatalf("server got err %v, want %s", serverErrs, c.serverWantErr)
|
|
}
|
|
if c.clientWantErr != "" {
|
|
if clientErr != nil && !strings.Contains(clientErr.Error(), c.clientWantErr) {
|
|
t.Fatalf("client got %v, want %s, case %d", clientErr, c.clientWantErr, i)
|
|
}
|
|
}
|
|
found := false
|
|
var errStrings []string
|
|
if c.serverWantErr != "" {
|
|
for _, err := range serverErrs {
|
|
found = found || (err != nil && strings.Contains(err.Error(), c.serverWantErr))
|
|
errStrings = append(errStrings, err.Error())
|
|
}
|
|
if !found {
|
|
t.Errorf("server got error %q, want substring %q, case %d", errStrings, c.serverWantErr, i)
|
|
}
|
|
}
|
|
}
|
|
}
|