1#!/usr/bin/env perl 2#*************************************************************************** 3# _ _ ____ _ 4# Project ___| | | | _ \| | 5# / __| | | | |_) | | 6# | (__| |_| | _ <| |___ 7# \___|\___/|_| \_\_____| 8# 9# Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. 10# 11# This software is licensed as described in the file COPYING, which 12# you should have received as part of this distribution. The terms 13# are also available at https://curl.se/docs/copyright.html. 14# 15# You may opt to use, copy, modify, merge, publish, distribute and/or sell 16# copies of the Software, and permit persons to whom the Software is 17# furnished to do so, under the terms of the COPYING file. 18# 19# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 20# KIND, either express or implied. 21# 22#*************************************************************************** 23 24# Starts sshd for use in the SCP and SFTP curl test harness tests. 25# Also creates the ssh configuration files needed for these tests. 26 27use strict; 28use warnings; 29use Cwd; 30use Cwd 'abs_path'; 31use Digest::MD5; 32use Digest::MD5 'md5_hex'; 33use Digest::SHA; 34use Digest::SHA 'sha256_base64'; 35use MIME::Base64; 36 37#*************************************************************************** 38# Variables and subs imported from sshhelp module 39# 40use sshhelp qw( 41 $sshdexe 42 $sshexe 43 $sftpsrvexe 44 $sftpexe 45 $sshkeygenexe 46 $sshdconfig 47 $sshconfig 48 $sftpconfig 49 $knownhosts 50 $sshdlog 51 $sshlog 52 $sftplog 53 $sftpcmds 54 $hstprvkeyf 55 $hstpubkeyf 56 $hstpubmd5f 57 $hstpubsha256f 58 $cliprvkeyf 59 $clipubkeyf 60 display_sshdconfig 61 display_sshconfig 62 display_sftpconfig 63 display_sshdlog 64 display_sshlog 65 display_sftplog 66 dump_array 67 find_sshd 68 find_ssh 69 find_sftpsrv 70 find_sftp 71 find_sshkeygen 72 logmsg 73 sshversioninfo 74 ); 75 76#*************************************************************************** 77# Subs imported from serverhelp module 78# 79use serverhelp qw( 80 server_pidfilename 81 server_logfilename 82 ); 83 84use pathhelp; 85 86#*************************************************************************** 87 88my $verbose = 0; # set to 1 for debugging 89my $debugprotocol = 0; # set to 1 for protocol debugging 90my $port = 8999; # our default SCP/SFTP server port 91my $listenaddr = '127.0.0.1'; # default address on which to listen 92my $ipvnum = 4; # default IP version of listener address 93my $idnum = 1; # default ssh daemon instance number 94my $proto = 'ssh'; # protocol the ssh daemon speaks 95my $path = getcwd(); # current working directory 96my $logdir = $path .'/log'; # directory for log files 97my $username = $ENV{USER}; # default user 98my $pidfile; # ssh daemon pid file 99my $identity = 'curl_client_key'; # default identity file 100 101my $error; 102my @cfgarr; 103 104 105#*************************************************************************** 106# Parse command line options 107# 108while(@ARGV) { 109 if($ARGV[0] eq '--verbose') { 110 $verbose = 1; 111 } 112 elsif($ARGV[0] eq '--debugprotocol') { 113 $verbose = 1; 114 $debugprotocol = 1; 115 } 116 elsif($ARGV[0] eq '--user') { 117 if($ARGV[1]) { 118 $username = $ARGV[1]; 119 shift @ARGV; 120 } 121 } 122 elsif($ARGV[0] eq '--id') { 123 if($ARGV[1]) { 124 if($ARGV[1] =~ /^(\d+)$/) { 125 $idnum = $1 if($1 > 0); 126 shift @ARGV; 127 } 128 } 129 } 130 elsif($ARGV[0] eq '--ipv4') { 131 $ipvnum = 4; 132 $listenaddr = '127.0.0.1' if($listenaddr eq '::1'); 133 } 134 elsif($ARGV[0] eq '--ipv6') { 135 $ipvnum = 6; 136 $listenaddr = '::1' if($listenaddr eq '127.0.0.1'); 137 } 138 elsif($ARGV[0] eq '--addr') { 139 if($ARGV[1]) { 140 my $tmpstr = $ARGV[1]; 141 if($tmpstr =~ /^(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)$/) { 142 $listenaddr = "$1.$2.$3.$4" if($ipvnum == 4); 143 shift @ARGV; 144 } 145 elsif($ipvnum == 6) { 146 $listenaddr = $tmpstr; 147 $listenaddr =~ s/^\[(.*)\]$/$1/; 148 shift @ARGV; 149 } 150 } 151 } 152 elsif($ARGV[0] eq '--pidfile') { 153 if($ARGV[1]) { 154 $pidfile = "$path/". $ARGV[1]; 155 shift @ARGV; 156 } 157 } 158 elsif($ARGV[0] eq '--sshport') { 159 if($ARGV[1]) { 160 if($ARGV[1] =~ /^(\d+)$/) { 161 $port = $1; 162 shift @ARGV; 163 } 164 } 165 } 166 else { 167 print STDERR "\nWarning: sshserver.pl unknown parameter: $ARGV[0]\n"; 168 } 169 shift @ARGV; 170} 171 172 173#*************************************************************************** 174# Default ssh daemon pid file name 175# 176if(!$pidfile) { 177 $pidfile = "$path/". server_pidfilename($proto, $ipvnum, $idnum); 178} 179 180 181#*************************************************************************** 182# ssh and sftp server log file names 183# 184$sshdlog = server_logfilename($logdir, 'ssh', $ipvnum, $idnum); 185$sftplog = server_logfilename($logdir, 'sftp', $ipvnum, $idnum); 186 187 188#*************************************************************************** 189# Logging level for ssh server and client 190# 191my $loglevel = $debugprotocol?'DEBUG3':'DEBUG2'; 192 193 194#*************************************************************************** 195# Validate username 196# 197if(!$username) { 198 $error = 'Will not run ssh server without a user name'; 199} 200elsif($username eq 'root') { 201 $error = 'Will not run ssh server as root to mitigate security risks'; 202} 203if($error) { 204 logmsg $error; 205 exit 1; 206} 207 208 209#*************************************************************************** 210# Find out ssh daemon canonical file name 211# 212my $sshd = find_sshd(); 213if(!$sshd) { 214 logmsg "cannot find $sshdexe"; 215 exit 1; 216} 217 218 219#*************************************************************************** 220# Find out ssh daemon version info 221# 222my ($sshdid, $sshdvernum, $sshdverstr, $sshderror) = sshversioninfo($sshd); 223if(!$sshdid) { 224 # Not an OpenSSH or SunSSH ssh daemon 225 logmsg $sshderror if($verbose); 226 logmsg 'SCP and SFTP tests require OpenSSH 2.9.9 or later'; 227 exit 1; 228} 229logmsg "ssh server found $sshd is $sshdverstr" if($verbose); 230 231 232#*************************************************************************** 233# ssh daemon command line options we might use and version support 234# 235# -e: log stderr : OpenSSH 2.9.0 and later 236# -f: sshd config file : OpenSSH 1.2.1 and later 237# -D: no daemon forking : OpenSSH 2.5.0 and later 238# -o: command-line option : OpenSSH 3.1.0 and later 239# -t: test config file : OpenSSH 2.9.9 and later 240# -?: sshd version info : OpenSSH 1.2.1 and later 241# 242# -e: log stderr : SunSSH 1.0.0 and later 243# -f: sshd config file : SunSSH 1.0.0 and later 244# -D: no daemon forking : SunSSH 1.0.0 and later 245# -o: command-line option : SunSSH 1.0.0 and later 246# -t: test config file : SunSSH 1.0.0 and later 247# -?: sshd version info : SunSSH 1.0.0 and later 248 249 250#*************************************************************************** 251# Verify minimum ssh daemon version 252# 253if((($sshdid =~ /OpenSSH/) && ($sshdvernum < 299)) || 254 (($sshdid =~ /SunSSH/) && ($sshdvernum < 100))) { 255 logmsg 'SCP and SFTP tests require OpenSSH 2.9.9 or later'; 256 exit 1; 257} 258 259 260#*************************************************************************** 261# Find out sftp server plugin canonical file name 262# 263my $sftpsrv = find_sftpsrv(); 264if(!$sftpsrv) { 265 logmsg "cannot find $sftpsrvexe"; 266 exit 1; 267} 268logmsg "sftp server plugin found $sftpsrv" if($verbose); 269 270 271#*************************************************************************** 272# Find out sftp client canonical file name 273# 274my $sftp = find_sftp(); 275if(!$sftp) { 276 logmsg "cannot find $sftpexe"; 277 exit 1; 278} 279logmsg "sftp client found $sftp" if($verbose); 280 281 282#*************************************************************************** 283# Find out ssh keygen canonical file name 284# 285my $sshkeygen = find_sshkeygen(); 286if(!$sshkeygen) { 287 logmsg "cannot find $sshkeygenexe"; 288 exit 1; 289} 290logmsg "ssh keygen found $sshkeygen" if($verbose); 291 292 293#*************************************************************************** 294# Find out ssh client canonical file name 295# 296my $ssh = find_ssh(); 297if(!$ssh) { 298 logmsg "cannot find $sshexe"; 299 exit 1; 300} 301 302 303#*************************************************************************** 304# Find out ssh client version info 305# 306my ($sshid, $sshvernum, $sshverstr, $ssherror) = sshversioninfo($ssh); 307if(!$sshid) { 308 # Not an OpenSSH or SunSSH ssh client 309 logmsg $ssherror if($verbose); 310 logmsg 'SCP and SFTP tests require OpenSSH 2.9.9 or later'; 311 exit 1; 312} 313logmsg "ssh client found $ssh is $sshverstr" if($verbose); 314 315 316#*************************************************************************** 317# ssh client command line options we might use and version support 318# 319# -D: dynamic app port forwarding : OpenSSH 2.9.9 and later 320# -F: ssh config file : OpenSSH 2.9.9 and later 321# -N: no shell/command : OpenSSH 2.1.0 and later 322# -p: connection port : OpenSSH 1.2.1 and later 323# -v: verbose messages : OpenSSH 1.2.1 and later 324# -vv: increase verbosity : OpenSSH 2.3.0 and later 325# -V: ssh version info : OpenSSH 1.2.1 and later 326# 327# -D: dynamic app port forwarding : SunSSH 1.0.0 and later 328# -F: ssh config file : SunSSH 1.0.0 and later 329# -N: no shell/command : SunSSH 1.0.0 and later 330# -p: connection port : SunSSH 1.0.0 and later 331# -v: verbose messages : SunSSH 1.0.0 and later 332# -vv: increase verbosity : SunSSH 1.0.0 and later 333# -V: ssh version info : SunSSH 1.0.0 and later 334 335 336#*************************************************************************** 337# Verify minimum ssh client version 338# 339if((($sshid =~ /OpenSSH/) && ($sshvernum < 299)) || 340 (($sshid =~ /SunSSH/) && ($sshvernum < 100))) { 341 logmsg 'SCP and SFTP tests require OpenSSH 2.9.9 or later'; 342 exit 1; 343} 344 345 346#*************************************************************************** 347# ssh keygen command line options we actually use and version support 348# 349# -C: identity comment : OpenSSH 1.2.1 and later 350# -f: key filename : OpenSSH 1.2.1 and later 351# -N: new passphrase : OpenSSH 1.2.1 and later 352# -q: quiet keygen : OpenSSH 1.2.1 and later 353# -t: key type : OpenSSH 2.5.0 and later 354# 355# -C: identity comment : SunSSH 1.0.0 and later 356# -f: key filename : SunSSH 1.0.0 and later 357# -N: new passphrase : SunSSH 1.0.0 and later 358# -q: quiet keygen : SunSSH 1.0.0 and later 359# -t: key type : SunSSH 1.0.0 and later 360 361 362#*************************************************************************** 363# Generate host and client key files for curl's tests 364# 365if((! -e $hstprvkeyf) || (! -s $hstprvkeyf) || 366 (! -e $hstpubkeyf) || (! -s $hstpubkeyf) || 367 (! -e $hstpubmd5f) || (! -s $hstpubmd5f) || 368 (! -e $hstpubsha256f) || (! -s $hstpubsha256f) || 369 (! -e $cliprvkeyf) || (! -s $cliprvkeyf) || 370 (! -e $clipubkeyf) || (! -s $clipubkeyf)) { 371 # Make sure all files are gone so ssh-keygen doesn't complain 372 unlink($hstprvkeyf, $hstpubkeyf, $hstpubmd5f, $hstpubsha256f, 373 $cliprvkeyf, $clipubkeyf); 374 logmsg 'generating host keys...' if($verbose); 375 if(system "\"$sshkeygen\" -q -t rsa -f $hstprvkeyf -C 'curl test server' -N ''") { 376 logmsg 'Could not generate host key'; 377 exit 1; 378 } 379 logmsg 'generating client keys...' if($verbose); 380 if(system "\"$sshkeygen\" -q -t rsa -f $cliprvkeyf -C 'curl test client' -N ''") { 381 logmsg 'Could not generate client key'; 382 exit 1; 383 } 384 # Make sure that permissions are restricted so openssh doesn't complain 385 system "chmod 600 $hstprvkeyf"; 386 system "chmod 600 $cliprvkeyf"; 387 # Save md5 and sha256 hashes of public host key 388 open(RSAKEYFILE, "<$hstpubkeyf"); 389 my @rsahostkey = do { local $/ = ' '; <RSAKEYFILE> }; 390 close(RSAKEYFILE); 391 if(!$rsahostkey[1]) { 392 logmsg 'Failed parsing base64 encoded RSA host key'; 393 exit 1; 394 } 395 open(PUBMD5FILE, ">$hstpubmd5f"); 396 print PUBMD5FILE md5_hex(decode_base64($rsahostkey[1])); 397 close(PUBMD5FILE); 398 if((! -e $hstpubmd5f) || (! -s $hstpubmd5f)) { 399 logmsg 'Failed writing md5 hash of RSA host key'; 400 exit 1; 401 } 402 open(PUBSHA256FILE, ">$hstpubsha256f"); 403 print PUBSHA256FILE sha256_base64(decode_base64($rsahostkey[1])); 404 close(PUBSHA256FILE); 405 if((! -e $hstpubsha256f) || (! -s $hstpubsha256f)) { 406 logmsg 'Failed writing sha256 hash of RSA host key'; 407 exit 1; 408 } 409} 410 411 412#*************************************************************************** 413# Convert paths for curl's tests running on Windows with Cygwin/Msys OpenSSH 414# 415my $clipubkeyf_config = abs_path("$path/$clipubkeyf"); 416my $hstprvkeyf_config = abs_path("$path/$hstprvkeyf"); 417my $pidfile_config = $pidfile; 418my $sftpsrv_config = $sftpsrv; 419 420if (pathhelp::os_is_win()) { 421 # Ensure to use MinGW/Cygwin paths 422 $clipubkeyf_config = pathhelp::build_sys_abs_path($clipubkeyf_config); 423 $hstprvkeyf_config = pathhelp::build_sys_abs_path($hstprvkeyf_config); 424 $pidfile_config = pathhelp::build_sys_abs_path($pidfile_config); 425 $sftpsrv_config = "internal-sftp"; 426} 427if ($sshdid =~ /OpenSSH-Windows/) { 428 # Ensure to use native Windows paths with OpenSSH for Windows 429 $clipubkeyf_config = pathhelp::sys_native_abs_path($clipubkeyf); 430 $hstprvkeyf_config = pathhelp::sys_native_abs_path($hstprvkeyf); 431 $pidfile_config = pathhelp::sys_native_abs_path($pidfile); 432 $sftpsrv_config = pathhelp::sys_native_abs_path($sftpsrv); 433 434 $sshdconfig = pathhelp::sys_native_abs_path($sshdconfig); 435 $sshconfig = pathhelp::sys_native_abs_path($sshconfig); 436 $sftpconfig = pathhelp::sys_native_abs_path($sftpconfig); 437} 438 439#*************************************************************************** 440# ssh daemon configuration file options we might use and version support 441# 442# AFSTokenPassing : OpenSSH 1.2.1 and later [1] 443# AddressFamily : OpenSSH 4.0.0 and later 444# AllowTcpForwarding : OpenSSH 2.3.0 and later 445# AllowUsers : OpenSSH 1.2.1 and later 446# AuthorizedKeysFile : OpenSSH 2.9.9 and later 447# AuthorizedKeysFile2 : OpenSSH 2.9.9 and later 448# Banner : OpenSSH 2.5.0 and later 449# ChallengeResponseAuthentication : OpenSSH 2.5.0 and later 450# Ciphers : OpenSSH 2.1.0 and later [3] 451# ClientAliveCountMax : OpenSSH 2.9.0 and later 452# ClientAliveInterval : OpenSSH 2.9.0 and later 453# Compression : OpenSSH 3.3.0 and later 454# DenyUsers : OpenSSH 1.2.1 and later 455# ForceCommand : OpenSSH 4.4.0 and later [3] 456# GatewayPorts : OpenSSH 2.1.0 and later 457# GSSAPIAuthentication : OpenSSH 3.7.0 and later [1] 458# GSSAPICleanupCredentials : OpenSSH 3.8.0 and later [1] 459# GSSAPIKeyExchange : SunSSH 1.0.0 and later [1] 460# GSSAPIStoreDelegatedCredentials : SunSSH 1.0.0 and later [1] 461# GSSCleanupCreds : SunSSH 1.0.0 and later [1] 462# GSSUseSessionCredCache : SunSSH 1.0.0 and later [1] 463# HostbasedAuthentication : OpenSSH 2.9.0 and later 464# HostbasedUsesNameFromPacketOnly : OpenSSH 2.9.0 and later 465# HostKey : OpenSSH 1.2.1 and later 466# IgnoreRhosts : OpenSSH 1.2.1 and later 467# IgnoreUserKnownHosts : OpenSSH 1.2.1 and later 468# KbdInteractiveAuthentication : OpenSSH 2.3.0 and later 469# KeepAlive : OpenSSH 1.2.1 and later 470# KerberosAuthentication : OpenSSH 1.2.1 and later [1] 471# KerberosGetAFSToken : OpenSSH 3.8.0 and later [1] 472# KerberosOrLocalPasswd : OpenSSH 1.2.1 and later [1] 473# KerberosTgtPassing : OpenSSH 1.2.1 and later [1] 474# KerberosTicketCleanup : OpenSSH 1.2.1 and later [1] 475# KeyRegenerationInterval : OpenSSH 1.2.1 and later 476# ListenAddress : OpenSSH 1.2.1 and later 477# LoginGraceTime : OpenSSH 1.2.1 and later 478# LogLevel : OpenSSH 1.2.1 and later 479# LookupClientHostnames : SunSSH 1.0.0 and later 480# MACs : OpenSSH 2.5.0 and later [3] 481# Match : OpenSSH 4.4.0 and later [3] 482# MaxAuthTries : OpenSSH 3.9.0 and later 483# MaxStartups : OpenSSH 2.2.0 and later 484# PAMAuthenticationViaKbdInt : OpenSSH 2.9.0 and later [2] 485# PasswordAuthentication : OpenSSH 1.2.1 and later 486# PermitEmptyPasswords : OpenSSH 1.2.1 and later 487# PermitOpen : OpenSSH 4.4.0 and later [3] 488# PermitRootLogin : OpenSSH 1.2.1 and later 489# PermitTunnel : OpenSSH 4.3.0 and later 490# PermitUserEnvironment : OpenSSH 3.5.0 and later 491# PidFile : OpenSSH 2.1.0 and later 492# Port : OpenSSH 1.2.1 and later 493# PrintLastLog : OpenSSH 2.9.0 and later 494# PrintMotd : OpenSSH 1.2.1 and later 495# Protocol : OpenSSH 2.1.0 and later 496# PubkeyAuthentication : OpenSSH 2.5.0 and later 497# RhostsAuthentication : OpenSSH 1.2.1 and later 498# RhostsRSAAuthentication : OpenSSH 1.2.1 and later 499# RSAAuthentication : OpenSSH 1.2.1 and later 500# ServerKeyBits : OpenSSH 1.2.1 and later 501# SkeyAuthentication : OpenSSH 1.2.1 and later [1] 502# StrictModes : OpenSSH 1.2.1 and later 503# Subsystem : OpenSSH 2.2.0 and later 504# SyslogFacility : OpenSSH 1.2.1 and later 505# TCPKeepAlive : OpenSSH 3.8.0 and later 506# UseDNS : OpenSSH 3.7.0 and later 507# UseLogin : OpenSSH 1.2.1 and later 508# UsePAM : OpenSSH 3.7.0 and later [1][2] 509# UsePrivilegeSeparation : OpenSSH 3.2.2 and later 510# VerifyReverseMapping : OpenSSH 3.1.0 and later 511# X11DisplayOffset : OpenSSH 1.2.1 and later [3] 512# X11Forwarding : OpenSSH 1.2.1 and later 513# X11UseLocalhost : OpenSSH 3.1.0 and later 514# XAuthLocation : OpenSSH 2.1.1 and later [3] 515# 516# [1] Option only available if activated at compile time 517# [2] Option specific for portable versions 518# [3] Option not used in our ssh server config file 519 520 521#*************************************************************************** 522# Initialize sshd config with options actually supported in OpenSSH 2.9.9 523# 524logmsg 'generating ssh server config file...' if($verbose); 525@cfgarr = (); 526push @cfgarr, '# This is a generated file. Do not edit.'; 527push @cfgarr, "# $sshdverstr sshd configuration file for curl testing"; 528push @cfgarr, '#'; 529 530# AllowUsers and DenyUsers options should use lowercase on Windows 531# and do not support quotes around values for some unknown reason. 532if ($sshdid =~ /OpenSSH-Windows/) { 533 my $username_lc = lc $username; 534 if (exists $ENV{USERDOMAIN}) { 535 my $userdomain_lc = lc $ENV{USERDOMAIN}; 536 $username_lc = "$userdomain_lc\\$username_lc"; 537 } 538 $username_lc =~ s/ /\?/g; # replace space with ? 539 push @cfgarr, "DenyUsers !$username_lc"; 540 push @cfgarr, "AllowUsers $username_lc"; 541} else { 542 push @cfgarr, "DenyUsers !$username"; 543 push @cfgarr, "AllowUsers $username"; 544} 545 546push @cfgarr, "AuthorizedKeysFile $clipubkeyf_config"; 547push @cfgarr, "AuthorizedKeysFile2 $clipubkeyf_config"; 548push @cfgarr, "HostKey $hstprvkeyf_config"; 549if ($sshdid !~ /OpenSSH-Windows/) { 550 push @cfgarr, "PidFile $pidfile_config"; 551} 552push @cfgarr, '#'; 553push @cfgarr, "Port $port"; 554push @cfgarr, "ListenAddress $listenaddr"; 555push @cfgarr, 'Protocol 2'; 556push @cfgarr, '#'; 557push @cfgarr, 'AllowTcpForwarding yes'; 558push @cfgarr, 'Banner none'; 559push @cfgarr, 'ChallengeResponseAuthentication no'; 560push @cfgarr, 'ClientAliveCountMax 3'; 561push @cfgarr, 'ClientAliveInterval 0'; 562push @cfgarr, 'GatewayPorts no'; 563push @cfgarr, 'HostbasedAuthentication no'; 564push @cfgarr, 'HostbasedUsesNameFromPacketOnly no'; 565push @cfgarr, 'IgnoreRhosts yes'; 566push @cfgarr, 'IgnoreUserKnownHosts yes'; 567push @cfgarr, 'KeyRegenerationInterval 0'; 568push @cfgarr, 'LoginGraceTime 30'; 569push @cfgarr, "LogLevel $loglevel"; 570push @cfgarr, 'MaxStartups 5'; 571push @cfgarr, 'PasswordAuthentication no'; 572push @cfgarr, 'PermitEmptyPasswords no'; 573push @cfgarr, 'PermitRootLogin no'; 574push @cfgarr, 'PrintLastLog no'; 575push @cfgarr, 'PrintMotd no'; 576push @cfgarr, 'PubkeyAuthentication yes'; 577push @cfgarr, 'RhostsRSAAuthentication no'; 578push @cfgarr, 'RSAAuthentication no'; 579push @cfgarr, 'ServerKeyBits 768'; 580push @cfgarr, 'StrictModes no'; 581push @cfgarr, "Subsystem sftp \"$sftpsrv_config\""; 582push @cfgarr, 'SyslogFacility AUTH'; 583push @cfgarr, 'UseLogin no'; 584push @cfgarr, 'X11Forwarding no'; 585push @cfgarr, '#'; 586 587 588#*************************************************************************** 589# Write out initial sshd configuration file for curl's tests 590# 591$error = dump_array($sshdconfig, @cfgarr); 592if($error) { 593 logmsg $error; 594 exit 1; 595} 596 597 598#*************************************************************************** 599# Verifies at run time if sshd supports a given configuration file option 600# 601sub sshd_supports_opt { 602 my ($option, $value) = @_; 603 my $err; 604 # 605 if((($sshdid =~ /OpenSSH/) && ($sshdvernum >= 310)) || 606 ($sshdid =~ /SunSSH/)) { 607 # ssh daemon supports command line options -t -f and -o 608 $err = grep /((Unsupported)|(Bad configuration)|(Deprecated)) option.*$option/, 609 qx("$sshd" -t -f $sshdconfig -o "$option=$value" 2>&1); 610 return !$err; 611 } 612 if(($sshdid =~ /OpenSSH/) && ($sshdvernum >= 299)) { 613 # ssh daemon supports command line options -t and -f 614 $err = dump_array($sshdconfig, (@cfgarr, "$option $value")); 615 if($err) { 616 logmsg $err; 617 return 0; 618 } 619 $err = grep /((Unsupported)|(Bad configuration)|(Deprecated)) option.*$option/, 620 qx("$sshd" -t -f $sshdconfig 2>&1); 621 unlink $sshdconfig; 622 return !$err; 623 } 624 return 0; 625} 626 627 628#*************************************************************************** 629# Kerberos Authentication support may have not been built into sshd 630# 631if(sshd_supports_opt('KerberosAuthentication','no')) { 632 push @cfgarr, 'KerberosAuthentication no'; 633} 634if(sshd_supports_opt('KerberosGetAFSToken','no')) { 635 push @cfgarr, 'KerberosGetAFSToken no'; 636} 637if(sshd_supports_opt('KerberosOrLocalPasswd','no')) { 638 push @cfgarr, 'KerberosOrLocalPasswd no'; 639} 640if(sshd_supports_opt('KerberosTgtPassing','no')) { 641 push @cfgarr, 'KerberosTgtPassing no'; 642} 643if(sshd_supports_opt('KerberosTicketCleanup','yes')) { 644 push @cfgarr, 'KerberosTicketCleanup yes'; 645} 646 647 648#*************************************************************************** 649# Andrew File System support may have not been built into sshd 650# 651if(sshd_supports_opt('AFSTokenPassing','no')) { 652 push @cfgarr, 'AFSTokenPassing no'; 653} 654 655 656#*************************************************************************** 657# S/Key authentication support may have not been built into sshd 658# 659if(sshd_supports_opt('SkeyAuthentication','no')) { 660 push @cfgarr, 'SkeyAuthentication no'; 661} 662 663 664#*************************************************************************** 665# GSSAPI Authentication support may have not been built into sshd 666# 667my $sshd_builtwith_GSSAPI; 668if(sshd_supports_opt('GSSAPIAuthentication','no')) { 669 push @cfgarr, 'GSSAPIAuthentication no'; 670 $sshd_builtwith_GSSAPI = 1; 671} 672if(sshd_supports_opt('GSSAPICleanupCredentials','yes')) { 673 push @cfgarr, 'GSSAPICleanupCredentials yes'; 674} 675if(sshd_supports_opt('GSSAPIKeyExchange','no')) { 676 push @cfgarr, 'GSSAPIKeyExchange no'; 677} 678if(sshd_supports_opt('GSSAPIStoreDelegatedCredentials','no')) { 679 push @cfgarr, 'GSSAPIStoreDelegatedCredentials no'; 680} 681if(sshd_supports_opt('GSSCleanupCreds','yes')) { 682 push @cfgarr, 'GSSCleanupCreds yes'; 683} 684if(sshd_supports_opt('GSSUseSessionCredCache','no')) { 685 push @cfgarr, 'GSSUseSessionCredCache no'; 686} 687push @cfgarr, '#'; 688 689 690#*************************************************************************** 691# Options that might be supported or not in sshd OpenSSH 2.9.9 and later 692# 693if(sshd_supports_opt('AddressFamily','any')) { 694 # Address family must be specified before ListenAddress 695 splice @cfgarr, 14, 0, 'AddressFamily any'; 696} 697if(sshd_supports_opt('Compression','no')) { 698 push @cfgarr, 'Compression no'; 699} 700if(sshd_supports_opt('KbdInteractiveAuthentication','no')) { 701 push @cfgarr, 'KbdInteractiveAuthentication no'; 702} 703if(sshd_supports_opt('KeepAlive','no')) { 704 push @cfgarr, 'KeepAlive no'; 705} 706if(sshd_supports_opt('LookupClientHostnames','no')) { 707 push @cfgarr, 'LookupClientHostnames no'; 708} 709if(sshd_supports_opt('MaxAuthTries','10')) { 710 push @cfgarr, 'MaxAuthTries 10'; 711} 712if(sshd_supports_opt('PAMAuthenticationViaKbdInt','no')) { 713 push @cfgarr, 'PAMAuthenticationViaKbdInt no'; 714} 715if(sshd_supports_opt('PermitTunnel','no')) { 716 push @cfgarr, 'PermitTunnel no'; 717} 718if(sshd_supports_opt('PermitUserEnvironment','no')) { 719 push @cfgarr, 'PermitUserEnvironment no'; 720} 721if(sshd_supports_opt('RhostsAuthentication','no')) { 722 push @cfgarr, 'RhostsAuthentication no'; 723} 724if(sshd_supports_opt('TCPKeepAlive','no')) { 725 push @cfgarr, 'TCPKeepAlive no'; 726} 727if(sshd_supports_opt('UseDNS','no')) { 728 push @cfgarr, 'UseDNS no'; 729} 730if(sshd_supports_opt('UsePAM','no')) { 731 push @cfgarr, 'UsePAM no'; 732} 733 734if($sshdid =~ /OpenSSH/) { 735 # http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6492415 736 if(sshd_supports_opt('UsePrivilegeSeparation','no')) { 737 push @cfgarr, 'UsePrivilegeSeparation no'; 738 } 739} 740 741if(sshd_supports_opt('VerifyReverseMapping','no')) { 742 push @cfgarr, 'VerifyReverseMapping no'; 743} 744if(sshd_supports_opt('X11UseLocalhost','yes')) { 745 push @cfgarr, 'X11UseLocalhost yes'; 746} 747push @cfgarr, '#'; 748 749 750#*************************************************************************** 751# Write out resulting sshd configuration file for curl's tests 752# 753$error = dump_array($sshdconfig, @cfgarr); 754if($error) { 755 logmsg $error; 756 exit 1; 757} 758 759 760#*************************************************************************** 761# Verify that sshd actually supports our generated configuration file 762# 763if(system "\"$sshd\" -t -f $sshdconfig > $sshdlog 2>&1") { 764 logmsg "sshd configuration file $sshdconfig failed verification"; 765 display_sshdlog(); 766 display_sshdconfig(); 767 exit 1; 768} 769 770 771#*************************************************************************** 772# Generate ssh client host key database file for curl's tests 773# 774if((! -e $knownhosts) || (! -s $knownhosts)) { 775 logmsg 'generating ssh client known hosts file...' if($verbose); 776 unlink($knownhosts); 777 if(open(RSAKEYFILE, "<$hstpubkeyf")) { 778 my @rsahostkey = do { local $/ = ' '; <RSAKEYFILE> }; 779 if(close(RSAKEYFILE)) { 780 if(open(KNOWNHOSTS, ">$knownhosts")) { 781 print KNOWNHOSTS "$listenaddr ssh-rsa $rsahostkey[1]\n"; 782 if(!close(KNOWNHOSTS)) { 783 $error = "Error: cannot close file $knownhosts"; 784 } 785 } 786 else { 787 $error = "Error: cannot write file $knownhosts"; 788 } 789 } 790 else { 791 $error = "Error: cannot close file $hstpubkeyf"; 792 } 793 } 794 else { 795 $error = "Error: cannot read file $hstpubkeyf"; 796 } 797 if($error) { 798 logmsg $error; 799 exit 1; 800 } 801} 802 803 804#*************************************************************************** 805# Convert paths for curl's tests running on Windows using Cygwin OpenSSH 806# 807my $identity_config = abs_path("$path/$identity"); 808my $knownhosts_config = abs_path("$path/$knownhosts"); 809 810if (pathhelp::os_is_win()) { 811 # Ensure to use MinGW/Cygwin paths 812 $identity_config = pathhelp::build_sys_abs_path($identity_config); 813 $knownhosts_config = pathhelp::build_sys_abs_path($knownhosts_config); 814} 815if ($sshdid =~ /OpenSSH-Windows/) { 816 # Ensure to use native Windows paths with OpenSSH for Windows 817 $identity_config = pathhelp::sys_native_abs_path($identity); 818 $knownhosts_config = pathhelp::sys_native_abs_path($knownhosts); 819} 820 821#*************************************************************************** 822# ssh client configuration file options we might use and version support 823# 824# AddressFamily : OpenSSH 3.7.0 and later 825# BatchMode : OpenSSH 1.2.1 and later 826# BindAddress : OpenSSH 2.9.9 and later 827# ChallengeResponseAuthentication : OpenSSH 2.5.0 and later 828# CheckHostIP : OpenSSH 1.2.1 and later 829# Cipher : OpenSSH 1.2.1 and later [3] 830# Ciphers : OpenSSH 2.1.0 and later [3] 831# ClearAllForwardings : OpenSSH 2.9.9 and later 832# Compression : OpenSSH 1.2.1 and later 833# CompressionLevel : OpenSSH 1.2.1 and later [3] 834# ConnectionAttempts : OpenSSH 1.2.1 and later 835# ConnectTimeout : OpenSSH 3.7.0 and later 836# ControlMaster : OpenSSH 3.9.0 and later 837# ControlPath : OpenSSH 3.9.0 and later 838# DisableBanner : SunSSH 1.2.0 and later 839# DynamicForward : OpenSSH 2.9.0 and later 840# EnableSSHKeysign : OpenSSH 3.6.0 and later 841# EscapeChar : OpenSSH 1.2.1 and later [3] 842# ExitOnForwardFailure : OpenSSH 4.4.0 and later 843# ForwardAgent : OpenSSH 1.2.1 and later 844# ForwardX11 : OpenSSH 1.2.1 and later 845# ForwardX11Trusted : OpenSSH 3.8.0 and later 846# GatewayPorts : OpenSSH 1.2.1 and later 847# GlobalKnownHostsFile : OpenSSH 1.2.1 and later 848# GSSAPIAuthentication : OpenSSH 3.7.0 and later [1] 849# GSSAPIDelegateCredentials : OpenSSH 3.7.0 and later [1] 850# HashKnownHosts : OpenSSH 4.0.0 and later 851# Host : OpenSSH 1.2.1 and later 852# HostbasedAuthentication : OpenSSH 2.9.0 and later 853# HostKeyAlgorithms : OpenSSH 2.9.0 and later [3] 854# HostKeyAlias : OpenSSH 2.5.0 and later [3] 855# HostName : OpenSSH 1.2.1 and later 856# IdentitiesOnly : OpenSSH 3.9.0 and later 857# IdentityFile : OpenSSH 1.2.1 and later 858# IgnoreIfUnknown : SunSSH 1.2.0 and later 859# KeepAlive : OpenSSH 1.2.1 and later 860# KbdInteractiveAuthentication : OpenSSH 2.3.0 and later 861# KbdInteractiveDevices : OpenSSH 2.3.0 and later [3] 862# LocalCommand : OpenSSH 4.3.0 and later [3] 863# LocalForward : OpenSSH 1.2.1 and later [3] 864# LogLevel : OpenSSH 1.2.1 and later 865# MACs : OpenSSH 2.5.0 and later [3] 866# NoHostAuthenticationForLocalhost : OpenSSH 3.0.0 and later 867# NumberOfPasswordPrompts : OpenSSH 1.2.1 and later 868# PasswordAuthentication : OpenSSH 1.2.1 and later 869# PermitLocalCommand : OpenSSH 4.3.0 and later 870# Port : OpenSSH 1.2.1 and later 871# PreferredAuthentications : OpenSSH 2.5.2 and later 872# Protocol : OpenSSH 2.1.0 and later 873# ProxyCommand : OpenSSH 1.2.1 and later [3] 874# PubkeyAuthentication : OpenSSH 2.5.0 and later 875# RekeyLimit : OpenSSH 3.7.0 and later 876# RemoteForward : OpenSSH 1.2.1 and later [3] 877# RhostsRSAAuthentication : OpenSSH 1.2.1 and later 878# RSAAuthentication : OpenSSH 1.2.1 and later 879# ServerAliveCountMax : OpenSSH 3.8.0 and later 880# ServerAliveInterval : OpenSSH 3.8.0 and later 881# SmartcardDevice : OpenSSH 2.9.9 and later [1][3] 882# StrictHostKeyChecking : OpenSSH 1.2.1 and later 883# TCPKeepAlive : OpenSSH 3.8.0 and later 884# Tunnel : OpenSSH 4.3.0 and later 885# TunnelDevice : OpenSSH 4.3.0 and later [3] 886# UsePAM : OpenSSH 3.7.0 and later [1][2][3] 887# UsePrivilegedPort : OpenSSH 1.2.1 and later 888# User : OpenSSH 1.2.1 and later 889# UserKnownHostsFile : OpenSSH 1.2.1 and later 890# VerifyHostKeyDNS : OpenSSH 3.8.0 and later 891# XAuthLocation : OpenSSH 2.1.1 and later [3] 892# 893# [1] Option only available if activated at compile time 894# [2] Option specific for portable versions 895# [3] Option not used in our ssh client config file 896 897 898#*************************************************************************** 899# Initialize ssh config with options actually supported in OpenSSH 2.9.9 900# 901logmsg 'generating ssh client config file...' if($verbose); 902@cfgarr = (); 903push @cfgarr, '# This is a generated file. Do not edit.'; 904push @cfgarr, "# $sshverstr ssh client configuration file for curl testing"; 905push @cfgarr, '#'; 906push @cfgarr, 'Host *'; 907push @cfgarr, '#'; 908push @cfgarr, "Port $port"; 909push @cfgarr, "HostName $listenaddr"; 910push @cfgarr, "User $username"; 911push @cfgarr, 'Protocol 2'; 912push @cfgarr, '#'; 913 914# BindAddress option is not supported by OpenSSH for Windows 915if (!($sshdid =~ /OpenSSH-Windows/)) { 916 push @cfgarr, "BindAddress $listenaddr"; 917} 918 919push @cfgarr, '#'; 920push @cfgarr, "IdentityFile $identity_config"; 921push @cfgarr, "UserKnownHostsFile $knownhosts_config"; 922push @cfgarr, '#'; 923push @cfgarr, 'BatchMode yes'; 924push @cfgarr, 'ChallengeResponseAuthentication no'; 925push @cfgarr, 'CheckHostIP no'; 926push @cfgarr, 'ClearAllForwardings no'; 927push @cfgarr, 'Compression no'; 928push @cfgarr, 'ConnectionAttempts 3'; 929push @cfgarr, 'ForwardAgent no'; 930push @cfgarr, 'ForwardX11 no'; 931push @cfgarr, 'GatewayPorts no'; 932push @cfgarr, 'GlobalKnownHostsFile /dev/null'; 933push @cfgarr, 'HostbasedAuthentication no'; 934push @cfgarr, 'KbdInteractiveAuthentication no'; 935push @cfgarr, "LogLevel $loglevel"; 936push @cfgarr, 'NumberOfPasswordPrompts 0'; 937push @cfgarr, 'PasswordAuthentication no'; 938push @cfgarr, 'PreferredAuthentications publickey'; 939push @cfgarr, 'PubkeyAuthentication yes'; 940 941# RSA authentication options are not supported by OpenSSH for Windows 942if (!($sshdid =~ /OpenSSH-Windows/)) { 943 push @cfgarr, 'RhostsRSAAuthentication no'; 944 push @cfgarr, 'RSAAuthentication no'; 945} 946 947# Disabled StrictHostKeyChecking since it makes the tests fail on my 948# OpenSSH_6.0p1 on Debian Linux / Daniel 949push @cfgarr, 'StrictHostKeyChecking no'; 950push @cfgarr, 'UsePrivilegedPort no'; 951push @cfgarr, '#'; 952 953 954#*************************************************************************** 955# Options supported in ssh client newer than OpenSSH 2.9.9 956# 957 958if(($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) { 959 push @cfgarr, 'AddressFamily any'; 960} 961 962if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) || 963 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) { 964 push @cfgarr, 'ConnectTimeout 30'; 965} 966 967if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) { 968 push @cfgarr, 'ControlMaster no'; 969} 970 971if(($sshid =~ /OpenSSH/) && ($sshvernum >= 420)) { 972 push @cfgarr, 'ControlPath none'; 973} 974 975if(($sshid =~ /SunSSH/) && ($sshvernum >= 120)) { 976 push @cfgarr, 'DisableBanner yes'; 977} 978 979if(($sshid =~ /OpenSSH/) && ($sshvernum >= 360)) { 980 push @cfgarr, 'EnableSSHKeysign no'; 981} 982 983if(($sshid =~ /OpenSSH/) && ($sshvernum >= 440)) { 984 push @cfgarr, 'ExitOnForwardFailure yes'; 985} 986 987if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) || 988 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) { 989 push @cfgarr, 'ForwardX11Trusted no'; 990} 991 992if(($sshd_builtwith_GSSAPI) && ($sshdid eq $sshid) && 993 ($sshdvernum == $sshvernum)) { 994 push @cfgarr, 'GSSAPIAuthentication no'; 995 push @cfgarr, 'GSSAPIDelegateCredentials no'; 996 if($sshid =~ /SunSSH/) { 997 push @cfgarr, 'GSSAPIKeyExchange no'; 998 } 999} 1000 1001if((($sshid =~ /OpenSSH/) && ($sshvernum >= 400)) || 1002 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) { 1003 push @cfgarr, 'HashKnownHosts no'; 1004} 1005 1006if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) { 1007 push @cfgarr, 'IdentitiesOnly yes'; 1008} 1009 1010if(($sshid =~ /SunSSH/) && ($sshvernum >= 120)) { 1011 push @cfgarr, 'IgnoreIfUnknown no'; 1012} 1013 1014if((($sshid =~ /OpenSSH/) && ($sshvernum < 380)) || 1015 ($sshid =~ /SunSSH/)) { 1016 push @cfgarr, 'KeepAlive no'; 1017} 1018 1019if((($sshid =~ /OpenSSH/) && ($sshvernum >= 300)) || 1020 ($sshid =~ /SunSSH/)) { 1021 push @cfgarr, 'NoHostAuthenticationForLocalhost no'; 1022} 1023 1024if(($sshid =~ /OpenSSH/) && ($sshvernum >= 430)) { 1025 push @cfgarr, 'PermitLocalCommand no'; 1026} 1027 1028if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) || 1029 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) { 1030 push @cfgarr, 'RekeyLimit 1G'; 1031} 1032 1033if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) || 1034 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) { 1035 push @cfgarr, 'ServerAliveCountMax 3'; 1036 push @cfgarr, 'ServerAliveInterval 0'; 1037} 1038 1039if(($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) { 1040 push @cfgarr, 'TCPKeepAlive no'; 1041} 1042 1043if(($sshid =~ /OpenSSH/) && ($sshvernum >= 430)) { 1044 push @cfgarr, 'Tunnel no'; 1045} 1046 1047if(($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) { 1048 push @cfgarr, 'VerifyHostKeyDNS no'; 1049} 1050 1051push @cfgarr, '#'; 1052 1053 1054#*************************************************************************** 1055# Write out resulting ssh client configuration file for curl's tests 1056# 1057$error = dump_array($sshconfig, @cfgarr); 1058if($error) { 1059 logmsg $error; 1060 exit 1; 1061} 1062 1063 1064#*************************************************************************** 1065# Initialize client sftp config with options actually supported. 1066# 1067logmsg 'generating sftp client config file...' if($verbose); 1068splice @cfgarr, 1, 1, "# $sshverstr sftp client configuration file for curl testing"; 1069# 1070for(my $i = scalar(@cfgarr) - 1; $i > 0; $i--) { 1071 if($cfgarr[$i] =~ /^DynamicForward/) { 1072 splice @cfgarr, $i, 1; 1073 next; 1074 } 1075 if($cfgarr[$i] =~ /^ClearAllForwardings/) { 1076 splice @cfgarr, $i, 1, "ClearAllForwardings yes"; 1077 next; 1078 } 1079} 1080 1081 1082#*************************************************************************** 1083# Write out resulting sftp client configuration file for curl's tests 1084# 1085$error = dump_array($sftpconfig, @cfgarr); 1086if($error) { 1087 logmsg $error; 1088 exit 1; 1089} 1090@cfgarr = (); 1091 1092 1093#*************************************************************************** 1094# Generate client sftp commands batch file for sftp server verification 1095# 1096logmsg 'generating sftp client commands file...' if($verbose); 1097push @cfgarr, 'pwd'; 1098push @cfgarr, 'quit'; 1099$error = dump_array($sftpcmds, @cfgarr); 1100if($error) { 1101 logmsg $error; 1102 exit 1; 1103} 1104@cfgarr = (); 1105 1106#*************************************************************************** 1107# Prepare command line of ssh server daemon 1108# 1109my $cmd = "\"$sshd\" -e -D -f $sshdconfig > $sshdlog 2>&1"; 1110logmsg "SCP/SFTP server listening on port $port" if($verbose); 1111logmsg "RUN: $cmd" if($verbose); 1112 1113#*************************************************************************** 1114# Start the ssh server daemon on Windows without forking it 1115# 1116if ($sshdid =~ /OpenSSH-Windows/) { 1117 # Fake pidfile for ssh server on Windows. 1118 if(open(OUT, ">$pidfile")) { 1119 print OUT $$ . "\n"; 1120 close(OUT); 1121 } 1122 1123 # Flush output. 1124 $| = 1; 1125 1126 # Put an "exec" in front of the command so that the child process 1127 # keeps this child's process ID by being tied to the spawned shell. 1128 exec("exec $cmd") || die "Can't exec() $cmd: $!"; 1129 # exec() will create a new process, but ties the existence of the 1130 # new process to the parent waiting perl.exe and sh.exe processes. 1131 1132 # exec() should never return back here to this process. We protect 1133 # ourselves by calling die() just in case something goes really bad. 1134 die "error: exec() has returned"; 1135} 1136 1137#*************************************************************************** 1138# Start the ssh server daemon without forking it 1139# 1140my $rc = system($cmd); 1141if($rc == -1) { 1142 logmsg "\"$sshd\" failed with: $!"; 1143} 1144elsif($rc & 127) { 1145 logmsg sprintf("\"$sshd\" died with signal %d, and %s coredump", 1146 ($rc & 127), ($rc & 128)?'a':'no'); 1147} 1148elsif($verbose && ($rc >> 8)) { 1149 logmsg sprintf("\"$sshd\" exited with %d", $rc >> 8); 1150} 1151 1152 1153#*************************************************************************** 1154# Clean up once the server has stopped 1155# 1156unlink($hstprvkeyf, $hstpubkeyf, $hstpubmd5f, $hstpubsha256f, 1157 $cliprvkeyf, $clipubkeyf, $knownhosts, 1158 $sshdconfig, $sshconfig, $sftpconfig); 1159 1160exit 0; 1161