fionera
/
transfer.sh
forked from kiska/transfer.sh
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
238 Commits
9 Branches
34 MiB
 
 
 
Tree: 90dacf718b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '90dacf718b'
${ noResults }
transfer.sh/vendor/golang.org/x/crypto/ssh/client_auth_test.go

472 lines
12 KiB
Raw Blame History 

  1. // Copyright 2011 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package ssh

  6. 

  7. import (

  8. 	"bytes"

  9. 	"crypto/rand"

  10. 	"errors"

  11. 	"fmt"

  12. 	"os"

  13. 	"strings"

  14. 	"testing"

  15. )

  16. 

  17. type keyboardInteractive map[string]string

  18. 

  19. func (cr keyboardInteractive) Challenge(user string, instruction string, questions []string, echos []bool) ([]string, error) {

  20. 	var answers []string

  21. 	for _, q := range questions {

  22. 		answers = append(answers, cr[q])

  23. 	}

  24. 	return answers, nil

  25. }

  26. 

  27. // reused internally by tests

  28. var clientPassword = "tiger"

  29. 

  30. // tryAuth runs a handshake with a given config against an SSH server

  31. // with config serverConfig

  32. func tryAuth(t *testing.T, config *ClientConfig) error {

  33. 	c1, c2, err := netPipe()

  34. 	if err != nil {

  35. 		t.Fatalf("netPipe: %v", err)

  36. 	}

  37. 	defer c1.Close()

  38. 	defer c2.Close()

  39. 

  40. 	certChecker := CertChecker{

  41. 		IsAuthority: func(k PublicKey) bool {

  42. 			return bytes.Equal(k.Marshal(), testPublicKeys["ecdsa"].Marshal())

  43. 		},

  44. 		UserKeyFallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {

  45. 			if conn.User() == "testuser" && bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {

  46. 				return nil, nil

  47. 			}

  48. 

  49. 			return nil, fmt.Errorf("pubkey for %q not acceptable", conn.User())

  50. 		},

  51. 		IsRevoked: func(c *Certificate) bool {

  52. 			return c.Serial == 666

  53. 		},

  54. 	}

  55. 

  56. 	serverConfig := &ServerConfig{

  57. 		PasswordCallback: func(conn ConnMetadata, pass []byte) (*Permissions, error) {

  58. 			if conn.User() == "testuser" && string(pass) == clientPassword {

  59. 				return nil, nil

  60. 			}

  61. 			return nil, errors.New("password auth failed")

  62. 		},

  63. 		PublicKeyCallback: certChecker.Authenticate,

  64. 		KeyboardInteractiveCallback: func(conn ConnMetadata, challenge KeyboardInteractiveChallenge) (*Permissions, error) {

  65. 			ans, err := challenge("user",

  66. 				"instruction",

  67. 				[]string{"question1", "question2"},

  68. 				[]bool{true, true})

  69. 			if err != nil {

  70. 				return nil, err

  71. 			}

  72. 			ok := conn.User() == "testuser" && ans[0] == "answer1" && ans[1] == "answer2"

  73. 			if ok {

  74. 				challenge("user", "motd", nil, nil)

  75. 				return nil, nil

  76. 			}

  77. 			return nil, errors.New("keyboard-interactive failed")

  78. 		},

  79. 		AuthLogCallback: func(conn ConnMetadata, method string, err error) {

  80. 		},

  81. 	}

  82. 	serverConfig.AddHostKey(testSigners["rsa"])

  83. 

  84. 	go newServer(c1, serverConfig)

  85. 	_, _, _, err = NewClientConn(c2, "", config)

  86. 	return err

  87. }

  88. 

  89. func TestClientAuthPublicKey(t *testing.T) {

  90. 	config := &ClientConfig{

  91. 		User: "testuser",

  92. 		Auth: []AuthMethod{

  93. 			PublicKeys(testSigners["rsa"]),

  94. 		},

  95. 	}

  96. 	if err := tryAuth(t, config); err != nil {

  97. 		t.Fatalf("unable to dial remote side: %s", err)

  98. 	}

  99. }

  100. 

  101. func TestAuthMethodPassword(t *testing.T) {

  102. 	config := &ClientConfig{

  103. 		User: "testuser",

  104. 		Auth: []AuthMethod{

  105. 			Password(clientPassword),

  106. 		},

  107. 	}

  108. 

  109. 	if err := tryAuth(t, config); err != nil {

  110. 		t.Fatalf("unable to dial remote side: %s", err)

  111. 	}

  112. }

  113. 

  114. func TestAuthMethodFallback(t *testing.T) {

  115. 	var passwordCalled bool

  116. 	config := &ClientConfig{

  117. 		User: "testuser",

  118. 		Auth: []AuthMethod{

  119. 			PublicKeys(testSigners["rsa"]),

  120. 			PasswordCallback(

  121. 				func() (string, error) {

  122. 					passwordCalled = true

  123. 					return "WRONG", nil

  124. 				}),

  125. 		},

  126. 	}

  127. 

  128. 	if err := tryAuth(t, config); err != nil {

  129. 		t.Fatalf("unable to dial remote side: %s", err)

  130. 	}

  131. 

  132. 	if passwordCalled {

  133. 		t.Errorf("password auth tried before public-key auth.")

  134. 	}

  135. }

  136. 

  137. func TestAuthMethodWrongPassword(t *testing.T) {

  138. 	config := &ClientConfig{

  139. 		User: "testuser",

  140. 		Auth: []AuthMethod{

  141. 			Password("wrong"),

  142. 			PublicKeys(testSigners["rsa"]),

  143. 		},

  144. 	}

  145. 

  146. 	if err := tryAuth(t, config); err != nil {

  147. 		t.Fatalf("unable to dial remote side: %s", err)

  148. 	}

  149. }

  150. 

  151. func TestAuthMethodKeyboardInteractive(t *testing.T) {

  152. 	answers := keyboardInteractive(map[string]string{

  153. 		"question1": "answer1",

  154. 		"question2": "answer2",

  155. 	})

  156. 	config := &ClientConfig{

  157. 		User: "testuser",

  158. 		Auth: []AuthMethod{

  159. 			KeyboardInteractive(answers.Challenge),

  160. 		},

  161. 	}

  162. 

  163. 	if err := tryAuth(t, config); err != nil {

  164. 		t.Fatalf("unable to dial remote side: %s", err)

  165. 	}

  166. }

  167. 

  168. func TestAuthMethodWrongKeyboardInteractive(t *testing.T) {

  169. 	answers := keyboardInteractive(map[string]string{

  170. 		"question1": "answer1",

  171. 		"question2": "WRONG",

  172. 	})

  173. 	config := &ClientConfig{

  174. 		User: "testuser",

  175. 		Auth: []AuthMethod{

  176. 			KeyboardInteractive(answers.Challenge),

  177. 		},

  178. 	}

  179. 

  180. 	if err := tryAuth(t, config); err == nil {

  181. 		t.Fatalf("wrong answers should not have authenticated with KeyboardInteractive")

  182. 	}

  183. }

  184. 

  185. // the mock server will only authenticate ssh-rsa keys

  186. func TestAuthMethodInvalidPublicKey(t *testing.T) {

  187. 	config := &ClientConfig{

  188. 		User: "testuser",

  189. 		Auth: []AuthMethod{

  190. 			PublicKeys(testSigners["dsa"]),

  191. 		},

  192. 	}

  193. 

  194. 	if err := tryAuth(t, config); err == nil {

  195. 		t.Fatalf("dsa private key should not have authenticated with rsa public key")

  196. 	}

  197. }

  198. 

  199. // the client should authenticate with the second key

  200. func TestAuthMethodRSAandDSA(t *testing.T) {

  201. 	config := &ClientConfig{

  202. 		User: "testuser",

  203. 		Auth: []AuthMethod{

  204. 			PublicKeys(testSigners["dsa"], testSigners["rsa"]),

  205. 		},

  206. 	}

  207. 	if err := tryAuth(t, config); err != nil {

  208. 		t.Fatalf("client could not authenticate with rsa key: %v", err)

  209. 	}

  210. }

  211. 

  212. func TestClientHMAC(t *testing.T) {

  213. 	for _, mac := range supportedMACs {

  214. 		config := &ClientConfig{

  215. 			User: "testuser",

  216. 			Auth: []AuthMethod{

  217. 				PublicKeys(testSigners["rsa"]),

  218. 			},

  219. 			Config: Config{

  220. 				MACs: []string{mac},

  221. 			},

  222. 		}

  223. 		if err := tryAuth(t, config); err != nil {

  224. 			t.Fatalf("client could not authenticate with mac algo %s: %v", mac, err)

  225. 		}

  226. 	}

  227. }

  228. 

  229. // issue 4285.

  230. func TestClientUnsupportedCipher(t *testing.T) {

  231. 	config := &ClientConfig{

  232. 		User: "testuser",

  233. 		Auth: []AuthMethod{

  234. 			PublicKeys(),

  235. 		},

  236. 		Config: Config{

  237. 			Ciphers: []string{"aes128-cbc"}, // not currently supported

  238. 		},

  239. 	}

  240. 	if err := tryAuth(t, config); err == nil {

  241. 		t.Errorf("expected no ciphers in common")

  242. 	}

  243. }

  244. 

  245. func TestClientUnsupportedKex(t *testing.T) {

  246. 	if os.Getenv("GO_BUILDER_NAME") != "" {

  247. 		t.Skip("skipping known-flaky test on the Go build dashboard; see golang.org/issue/15198")

  248. 	}

  249. 	config := &ClientConfig{

  250. 		User: "testuser",

  251. 		Auth: []AuthMethod{

  252. 			PublicKeys(),

  253. 		},

  254. 		Config: Config{

  255. 			KeyExchanges: []string{"diffie-hellman-group-exchange-sha256"}, // not currently supported

  256. 		},

  257. 	}

  258. 	if err := tryAuth(t, config); err == nil || !strings.Contains(err.Error(), "common algorithm") {

  259. 		t.Errorf("got %v, expected 'common algorithm'", err)

  260. 	}

  261. }

  262. 

  263. func TestClientLoginCert(t *testing.T) {

  264. 	cert := &Certificate{

  265. 		Key:         testPublicKeys["rsa"],

  266. 		ValidBefore: CertTimeInfinity,

  267. 		CertType:    UserCert,

  268. 	}

  269. 	cert.SignCert(rand.Reader, testSigners["ecdsa"])

  270. 	certSigner, err := NewCertSigner(cert, testSigners["rsa"])

  271. 	if err != nil {

  272. 		t.Fatalf("NewCertSigner: %v", err)

  273. 	}

  274. 

  275. 	clientConfig := &ClientConfig{

  276. 		User: "user",

  277. 	}

  278. 	clientConfig.Auth = append(clientConfig.Auth, PublicKeys(certSigner))

  279. 

  280. 	// should succeed

  281. 	if err := tryAuth(t, clientConfig); err != nil {

  282. 		t.Errorf("cert login failed: %v", err)

  283. 	}

  284. 

  285. 	// corrupted signature

  286. 	cert.Signature.Blob[0]++

  287. 	if err := tryAuth(t, clientConfig); err == nil {

  288. 		t.Errorf("cert login passed with corrupted sig")

  289. 	}

  290. 

  291. 	// revoked

  292. 	cert.Serial = 666

  293. 	cert.SignCert(rand.Reader, testSigners["ecdsa"])

  294. 	if err := tryAuth(t, clientConfig); err == nil {

  295. 		t.Errorf("revoked cert login succeeded")

  296. 	}

  297. 	cert.Serial = 1

  298. 

  299. 	// sign with wrong key

  300. 	cert.SignCert(rand.Reader, testSigners["dsa"])

  301. 	if err := tryAuth(t, clientConfig); err == nil {

  302. 		t.Errorf("cert login passed with non-authoritative key")

  303. 	}

  304. 

  305. 	// host cert

  306. 	cert.CertType = HostCert

  307. 	cert.SignCert(rand.Reader, testSigners["ecdsa"])

  308. 	if err := tryAuth(t, clientConfig); err == nil {

  309. 		t.Errorf("cert login passed with wrong type")

  310. 	}

  311. 	cert.CertType = UserCert

  312. 

  313. 	// principal specified

  314. 	cert.ValidPrincipals = []string{"user"}

  315. 	cert.SignCert(rand.Reader, testSigners["ecdsa"])

  316. 	if err := tryAuth(t, clientConfig); err != nil {

  317. 		t.Errorf("cert login failed: %v", err)

  318. 	}

  319. 

  320. 	// wrong principal specified

  321. 	cert.ValidPrincipals = []string{"fred"}

  322. 	cert.SignCert(rand.Reader, testSigners["ecdsa"])

  323. 	if err := tryAuth(t, clientConfig); err == nil {

  324. 		t.Errorf("cert login passed with wrong principal")

  325. 	}

  326. 	cert.ValidPrincipals = nil

  327. 

  328. 	// added critical option

  329. 	cert.CriticalOptions = map[string]string{"root-access": "yes"}

  330. 	cert.SignCert(rand.Reader, testSigners["ecdsa"])

  331. 	if err := tryAuth(t, clientConfig); err == nil {

  332. 		t.Errorf("cert login passed with unrecognized critical option")

  333. 	}

  334. 

  335. 	// allowed source address

  336. 	cert.CriticalOptions = map[string]string{"source-address": "127.0.0.42/24,::42/120"}

  337. 	cert.SignCert(rand.Reader, testSigners["ecdsa"])

  338. 	if err := tryAuth(t, clientConfig); err != nil {

  339. 		t.Errorf("cert login with source-address failed: %v", err)

  340. 	}

  341. 

  342. 	// disallowed source address

  343. 	cert.CriticalOptions = map[string]string{"source-address": "127.0.0.42,::42"}

  344. 	cert.SignCert(rand.Reader, testSigners["ecdsa"])

  345. 	if err := tryAuth(t, clientConfig); err == nil {

  346. 		t.Errorf("cert login with source-address succeeded")

  347. 	}

  348. }

  349. 

  350. func testPermissionsPassing(withPermissions bool, t *testing.T) {

  351. 	serverConfig := &ServerConfig{

  352. 		PublicKeyCallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {

  353. 			if conn.User() == "nopermissions" {

  354. 				return nil, nil

  355. 			} else {

  356. 				return &Permissions{}, nil

  357. 			}

  358. 		},

  359. 	}

  360. 	serverConfig.AddHostKey(testSigners["rsa"])

  361. 

  362. 	clientConfig := &ClientConfig{

  363. 		Auth: []AuthMethod{

  364. 			PublicKeys(testSigners["rsa"]),

  365. 		},

  366. 	}

  367. 	if withPermissions {

  368. 		clientConfig.User = "permissions"

  369. 	} else {

  370. 		clientConfig.User = "nopermissions"

  371. 	}

  372. 

  373. 	c1, c2, err := netPipe()

  374. 	if err != nil {

  375. 		t.Fatalf("netPipe: %v", err)

  376. 	}

  377. 	defer c1.Close()

  378. 	defer c2.Close()

  379. 

  380. 	go NewClientConn(c2, "", clientConfig)

  381. 	serverConn, err := newServer(c1, serverConfig)

  382. 	if err != nil {

  383. 		t.Fatal(err)

  384. 	}

  385. 	if p := serverConn.Permissions; (p != nil) != withPermissions {

  386. 		t.Fatalf("withPermissions is %t, but Permissions object is %#v", withPermissions, p)

  387. 	}

  388. }

  389. 

  390. func TestPermissionsPassing(t *testing.T) {

  391. 	testPermissionsPassing(true, t)

  392. }

  393. 

  394. func TestNoPermissionsPassing(t *testing.T) {

  395. 	testPermissionsPassing(false, t)

  396. }

  397. 

  398. func TestRetryableAuth(t *testing.T) {

  399. 	n := 0

  400. 	passwords := []string{"WRONG1", "WRONG2"}

  401. 

  402. 	config := &ClientConfig{

  403. 		User: "testuser",

  404. 		Auth: []AuthMethod{

  405. 			RetryableAuthMethod(PasswordCallback(func() (string, error) {

  406. 				p := passwords[n]

  407. 				n++

  408. 				return p, nil

  409. 			}), 2),

  410. 			PublicKeys(testSigners["rsa"]),

  411. 		},

  412. 	}

  413. 

  414. 	if err := tryAuth(t, config); err != nil {

  415. 		t.Fatalf("unable to dial remote side: %s", err)

  416. 	}

  417. 	if n != 2 {

  418. 		t.Fatalf("Did not try all passwords")

  419. 	}

  420. }

  421. 

  422. func ExampleRetryableAuthMethod(t *testing.T) {

  423. 	user := "testuser"

  424. 	NumberOfPrompts := 3

  425. 

  426. 	// Normally this would be a callback that prompts the user to answer the

  427. 	// provided questions

  428. 	Cb := func(user, instruction string, questions []string, echos []bool) (answers []string, err error) {

  429. 		return []string{"answer1", "answer2"}, nil

  430. 	}

  431. 

  432. 	config := &ClientConfig{

  433. 		User: user,

  434. 		Auth: []AuthMethod{

  435. 			RetryableAuthMethod(KeyboardInteractiveChallenge(Cb), NumberOfPrompts),

  436. 		},

  437. 	}

  438. 

  439. 	if err := tryAuth(t, config); err != nil {

  440. 		t.Fatalf("unable to dial remote side: %s", err)

  441. 	}

  442. }

  443. 

  444. // Test if username is received on server side when NoClientAuth is used

  445. func TestClientAuthNone(t *testing.T) {

  446. 	user := "testuser"

  447. 	serverConfig := &ServerConfig{

  448. 		NoClientAuth: true,

  449. 	}

  450. 	serverConfig.AddHostKey(testSigners["rsa"])

  451. 

  452. 	clientConfig := &ClientConfig{

  453. 		User: user,

  454. 	}

  455. 

  456. 	c1, c2, err := netPipe()

  457. 	if err != nil {

  458. 		t.Fatalf("netPipe: %v", err)

  459. 	}

  460. 	defer c1.Close()

  461. 	defer c2.Close()

  462. 

  463. 	go NewClientConn(c2, "", clientConfig)

  464. 	serverConn, err := newServer(c1, serverConfig)

  465. 	if err != nil {

  466. 		t.Fatalf("newServer: %v", err)

  467. 	}

  468. 	if serverConn.User() != user {

  469. 		t.Fatalf("server: got %q, want %q", serverConn.User(), user)

  470. 	}

  471. }