1#!/usr/bin/env perl 2#*************************************************************************** 3# _ _ ____ _ 4# Project ___| | | | _ \| | 5# / __| | | | |_) | | 6# | (__| |_| | _ <| |___ 7# \___|\___/|_| \_\_____| 8# 9# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. 10# 11# This software is licensed as described in the file COPYING, which 12# you should have received as part of this distribution. The terms 13# are also available at https://curl.haxx.se/docs/copyright.html. 14# 15# You may opt to use, copy, modify, merge, publish, distribute and/or sell 16# copies of the Software, and permit persons to whom the Software is 17# furnished to do so, under the terms of the COPYING file. 18# 19# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 20# KIND, either express or implied. 21# 22#*************************************************************************** 23 24# Starts sshd for use in the SCP and SFTP curl test harness tests. 25# Also creates the ssh configuration files needed for these tests. 26 27use strict; 28use warnings; 29use Cwd; 30use Cwd 'abs_path'; 31use Digest::MD5; 32use Digest::MD5 'md5_hex'; 33use MIME::Base64; 34 35#*************************************************************************** 36# Variables and subs imported from sshhelp module 37# 38use sshhelp qw( 39 $sshdexe 40 $sshexe 41 $sftpsrvexe 42 $sftpexe 43 $sshkeygenexe 44 $sshdconfig 45 $sshconfig 46 $sftpconfig 47 $knownhosts 48 $sshdlog 49 $sshlog 50 $sftplog 51 $sftpcmds 52 $hstprvkeyf 53 $hstpubkeyf 54 $hstpubmd5f 55 $cliprvkeyf 56 $clipubkeyf 57 display_sshdconfig 58 display_sshconfig 59 display_sftpconfig 60 display_sshdlog 61 display_sshlog 62 display_sftplog 63 dump_array 64 find_sshd 65 find_ssh 66 find_sftpsrv 67 find_sftp 68 find_sshkeygen 69 logmsg 70 sshversioninfo 71 ); 72 73#*************************************************************************** 74# Subs imported from serverhelp module 75# 76use serverhelp qw( 77 server_pidfilename 78 server_logfilename 79 ); 80 81use pathhelp; 82 83#*************************************************************************** 84 85my $verbose = 0; # set to 1 for debugging 86my $debugprotocol = 0; # set to 1 for protocol debugging 87my $port = 8999; # our default SCP/SFTP server port 88my $listenaddr = '127.0.0.1'; # default address on which to listen 89my $ipvnum = 4; # default IP version of listener address 90my $idnum = 1; # default ssh daemon instance number 91my $proto = 'ssh'; # protocol the ssh daemon speaks 92my $path = getcwd(); # current working directory 93my $logdir = $path .'/log'; # directory for log files 94my $username = $ENV{USER}; # default user 95my $pidfile; # ssh daemon pid file 96my $identity = 'curl_client_key'; # default identity file 97 98my $error; 99my @cfgarr; 100 101 102#*************************************************************************** 103# Parse command line options 104# 105while(@ARGV) { 106 if($ARGV[0] eq '--verbose') { 107 $verbose = 1; 108 } 109 elsif($ARGV[0] eq '--debugprotocol') { 110 $verbose = 1; 111 $debugprotocol = 1; 112 } 113 elsif($ARGV[0] eq '--user') { 114 if($ARGV[1]) { 115 $username = $ARGV[1]; 116 shift @ARGV; 117 } 118 } 119 elsif($ARGV[0] eq '--id') { 120 if($ARGV[1]) { 121 if($ARGV[1] =~ /^(\d+)$/) { 122 $idnum = $1 if($1 > 0); 123 shift @ARGV; 124 } 125 } 126 } 127 elsif($ARGV[0] eq '--ipv4') { 128 $ipvnum = 4; 129 $listenaddr = '127.0.0.1' if($listenaddr eq '::1'); 130 } 131 elsif($ARGV[0] eq '--ipv6') { 132 $ipvnum = 6; 133 $listenaddr = '::1' if($listenaddr eq '127.0.0.1'); 134 } 135 elsif($ARGV[0] eq '--addr') { 136 if($ARGV[1]) { 137 my $tmpstr = $ARGV[1]; 138 if($tmpstr =~ /^(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)$/) { 139 $listenaddr = "$1.$2.$3.$4" if($ipvnum == 4); 140 shift @ARGV; 141 } 142 elsif($ipvnum == 6) { 143 $listenaddr = $tmpstr; 144 $listenaddr =~ s/^\[(.*)\]$/$1/; 145 shift @ARGV; 146 } 147 } 148 } 149 elsif($ARGV[0] eq '--pidfile') { 150 if($ARGV[1]) { 151 $pidfile = "$path/". $ARGV[1]; 152 shift @ARGV; 153 } 154 } 155 elsif($ARGV[0] eq '--sshport') { 156 if($ARGV[1]) { 157 if($ARGV[1] =~ /^(\d+)$/) { 158 $port = $1; 159 shift @ARGV; 160 } 161 } 162 } 163 else { 164 print STDERR "\nWarning: sshserver.pl unknown parameter: $ARGV[0]\n"; 165 } 166 shift @ARGV; 167} 168 169 170#*************************************************************************** 171# Default ssh daemon pid file name 172# 173if(!$pidfile) { 174 $pidfile = "$path/". server_pidfilename($proto, $ipvnum, $idnum); 175} 176 177 178#*************************************************************************** 179# ssh and sftp server log file names 180# 181$sshdlog = server_logfilename($logdir, 'ssh', $ipvnum, $idnum); 182$sftplog = server_logfilename($logdir, 'sftp', $ipvnum, $idnum); 183 184 185#*************************************************************************** 186# Logging level for ssh server and client 187# 188my $loglevel = $debugprotocol?'DEBUG3':'DEBUG2'; 189 190 191#*************************************************************************** 192# Validate username 193# 194if(!$username) { 195 $error = 'Will not run ssh server without a user name'; 196} 197elsif($username eq 'root') { 198 $error = 'Will not run ssh server as root to mitigate security risks'; 199} 200if($error) { 201 logmsg $error; 202 exit 1; 203} 204 205 206#*************************************************************************** 207# Find out ssh daemon canonical file name 208# 209my $sshd = find_sshd(); 210if(!$sshd) { 211 logmsg "cannot find $sshdexe"; 212 exit 1; 213} 214 215 216#*************************************************************************** 217# Find out ssh daemon version info 218# 219my ($sshdid, $sshdvernum, $sshdverstr, $sshderror) = sshversioninfo($sshd); 220if(!$sshdid) { 221 # Not an OpenSSH or SunSSH ssh daemon 222 logmsg $sshderror if($verbose); 223 logmsg 'SCP and SFTP tests require OpenSSH 2.9.9 or later'; 224 exit 1; 225} 226logmsg "ssh server found $sshd is $sshdverstr" if($verbose); 227 228 229#*************************************************************************** 230# ssh daemon command line options we might use and version support 231# 232# -e: log stderr : OpenSSH 2.9.0 and later 233# -f: sshd config file : OpenSSH 1.2.1 and later 234# -D: no daemon forking : OpenSSH 2.5.0 and later 235# -o: command-line option : OpenSSH 3.1.0 and later 236# -t: test config file : OpenSSH 2.9.9 and later 237# -?: sshd version info : OpenSSH 1.2.1 and later 238# 239# -e: log stderr : SunSSH 1.0.0 and later 240# -f: sshd config file : SunSSH 1.0.0 and later 241# -D: no daemon forking : SunSSH 1.0.0 and later 242# -o: command-line option : SunSSH 1.0.0 and later 243# -t: test config file : SunSSH 1.0.0 and later 244# -?: sshd version info : SunSSH 1.0.0 and later 245 246 247#*************************************************************************** 248# Verify minimum ssh daemon version 249# 250if((($sshdid =~ /OpenSSH/) && ($sshdvernum < 299)) || 251 (($sshdid =~ /SunSSH/) && ($sshdvernum < 100))) { 252 logmsg 'SCP and SFTP tests require OpenSSH 2.9.9 or later'; 253 exit 1; 254} 255 256 257#*************************************************************************** 258# Find out sftp server plugin canonical file name 259# 260my $sftpsrv = find_sftpsrv(); 261if(!$sftpsrv) { 262 logmsg "cannot find $sftpsrvexe"; 263 exit 1; 264} 265logmsg "sftp server plugin found $sftpsrv" if($verbose); 266 267 268#*************************************************************************** 269# Find out sftp client canonical file name 270# 271my $sftp = find_sftp(); 272if(!$sftp) { 273 logmsg "cannot find $sftpexe"; 274 exit 1; 275} 276logmsg "sftp client found $sftp" if($verbose); 277 278 279#*************************************************************************** 280# Find out ssh keygen canonical file name 281# 282my $sshkeygen = find_sshkeygen(); 283if(!$sshkeygen) { 284 logmsg "cannot find $sshkeygenexe"; 285 exit 1; 286} 287logmsg "ssh keygen found $sshkeygen" if($verbose); 288 289 290#*************************************************************************** 291# Find out ssh client canonical file name 292# 293my $ssh = find_ssh(); 294if(!$ssh) { 295 logmsg "cannot find $sshexe"; 296 exit 1; 297} 298 299 300#*************************************************************************** 301# Find out ssh client version info 302# 303my ($sshid, $sshvernum, $sshverstr, $ssherror) = sshversioninfo($ssh); 304if(!$sshid) { 305 # Not an OpenSSH or SunSSH ssh client 306 logmsg $ssherror if($verbose); 307 logmsg 'SCP and SFTP tests require OpenSSH 2.9.9 or later'; 308 exit 1; 309} 310logmsg "ssh client found $ssh is $sshverstr" if($verbose); 311 312 313#*************************************************************************** 314# ssh client command line options we might use and version support 315# 316# -D: dynamic app port forwarding : OpenSSH 2.9.9 and later 317# -F: ssh config file : OpenSSH 2.9.9 and later 318# -N: no shell/command : OpenSSH 2.1.0 and later 319# -p: connection port : OpenSSH 1.2.1 and later 320# -v: verbose messages : OpenSSH 1.2.1 and later 321# -vv: increase verbosity : OpenSSH 2.3.0 and later 322# -V: ssh version info : OpenSSH 1.2.1 and later 323# 324# -D: dynamic app port forwarding : SunSSH 1.0.0 and later 325# -F: ssh config file : SunSSH 1.0.0 and later 326# -N: no shell/command : SunSSH 1.0.0 and later 327# -p: connection port : SunSSH 1.0.0 and later 328# -v: verbose messages : SunSSH 1.0.0 and later 329# -vv: increase verbosity : SunSSH 1.0.0 and later 330# -V: ssh version info : SunSSH 1.0.0 and later 331 332 333#*************************************************************************** 334# Verify minimum ssh client version 335# 336if((($sshid =~ /OpenSSH/) && ($sshvernum < 299)) || 337 (($sshid =~ /SunSSH/) && ($sshvernum < 100))) { 338 logmsg 'SCP and SFTP tests require OpenSSH 2.9.9 or later'; 339 exit 1; 340} 341 342 343#*************************************************************************** 344# ssh keygen command line options we actually use and version support 345# 346# -C: identity comment : OpenSSH 1.2.1 and later 347# -f: key filename : OpenSSH 1.2.1 and later 348# -N: new passphrase : OpenSSH 1.2.1 and later 349# -q: quiet keygen : OpenSSH 1.2.1 and later 350# -t: key type : OpenSSH 2.5.0 and later 351# 352# -C: identity comment : SunSSH 1.0.0 and later 353# -f: key filename : SunSSH 1.0.0 and later 354# -N: new passphrase : SunSSH 1.0.0 and later 355# -q: quiet keygen : SunSSH 1.0.0 and later 356# -t: key type : SunSSH 1.0.0 and later 357 358 359#*************************************************************************** 360# Generate host and client key files for curl's tests 361# 362if((! -e $hstprvkeyf) || (! -s $hstprvkeyf) || 363 (! -e $hstpubkeyf) || (! -s $hstpubkeyf) || 364 (! -e $hstpubmd5f) || (! -s $hstpubmd5f) || 365 (! -e $cliprvkeyf) || (! -s $cliprvkeyf) || 366 (! -e $clipubkeyf) || (! -s $clipubkeyf)) { 367 # Make sure all files are gone so ssh-keygen doesn't complain 368 unlink($hstprvkeyf, $hstpubkeyf, $hstpubmd5f, $cliprvkeyf, $clipubkeyf); 369 logmsg 'generating host keys...' if($verbose); 370 if(system "\"$sshkeygen\" -q -t rsa -f $hstprvkeyf -C 'curl test server' -N ''") { 371 logmsg 'Could not generate host key'; 372 exit 1; 373 } 374 logmsg 'generating client keys...' if($verbose); 375 if(system "\"$sshkeygen\" -q -t rsa -f $cliprvkeyf -C 'curl test client' -N ''") { 376 logmsg 'Could not generate client key'; 377 exit 1; 378 } 379 # Make sure that permissions are restricted so openssh doesn't complain 380 system "chmod 600 $hstprvkeyf"; 381 system "chmod 600 $cliprvkeyf"; 382 # Save md5 hash of public host key 383 open(RSAKEYFILE, "<$hstpubkeyf"); 384 my @rsahostkey = do { local $/ = ' '; <RSAKEYFILE> }; 385 close(RSAKEYFILE); 386 if(!$rsahostkey[1]) { 387 logmsg 'Failed parsing base64 encoded RSA host key'; 388 exit 1; 389 } 390 open(PUBMD5FILE, ">$hstpubmd5f"); 391 print PUBMD5FILE md5_hex(decode_base64($rsahostkey[1])); 392 close(PUBMD5FILE); 393 if((! -e $hstpubmd5f) || (! -s $hstpubmd5f)) { 394 logmsg 'Failed writing md5 hash of RSA host key'; 395 exit 1; 396 } 397} 398 399 400#*************************************************************************** 401# Convert paths for curl's tests running on Windows with Cygwin/Msys OpenSSH 402# 403my $clipubkeyf_config = abs_path("$path/$clipubkeyf"); 404my $hstprvkeyf_config = abs_path("$path/$hstprvkeyf"); 405my $pidfile_config = $pidfile; 406my $sftpsrv_config = $sftpsrv; 407 408if (pathhelp::os_is_win()) { 409 # Ensure to use MinGW/Cygwin paths 410 $clipubkeyf_config = pathhelp::build_sys_abs_path($clipubkeyf_config); 411 $hstprvkeyf_config = pathhelp::build_sys_abs_path($hstprvkeyf_config); 412 $pidfile_config = pathhelp::build_sys_abs_path($pidfile_config); 413 $sftpsrv_config = "internal-sftp"; 414} 415if ($sshdid =~ /OpenSSH-Windows/) { 416 # Ensure to use native Windows paths with OpenSSH for Windows 417 $clipubkeyf_config = pathhelp::sys_native_abs_path($clipubkeyf); 418 $hstprvkeyf_config = pathhelp::sys_native_abs_path($hstprvkeyf); 419 $pidfile_config = pathhelp::sys_native_abs_path($pidfile); 420 $sftpsrv_config = pathhelp::sys_native_abs_path($sftpsrv); 421 422 $sshdconfig = pathhelp::sys_native_abs_path($sshdconfig); 423 $sshconfig = pathhelp::sys_native_abs_path($sshconfig); 424 $sftpconfig = pathhelp::sys_native_abs_path($sftpconfig); 425} 426 427#*************************************************************************** 428# ssh daemon configuration file options we might use and version support 429# 430# AFSTokenPassing : OpenSSH 1.2.1 and later [1] 431# AcceptEnv : OpenSSH 3.9.0 and later 432# AddressFamily : OpenSSH 4.0.0 and later 433# AllowGroups : OpenSSH 1.2.1 and later 434# AllowTcpForwarding : OpenSSH 2.3.0 and later 435# AllowUsers : OpenSSH 1.2.1 and later 436# AuthorizedKeysFile : OpenSSH 2.9.9 and later 437# AuthorizedKeysFile2 : OpenSSH 2.9.9 and later 438# Banner : OpenSSH 2.5.0 and later 439# ChallengeResponseAuthentication : OpenSSH 2.5.0 and later 440# Ciphers : OpenSSH 2.1.0 and later [3] 441# ClientAliveCountMax : OpenSSH 2.9.0 and later 442# ClientAliveInterval : OpenSSH 2.9.0 and later 443# Compression : OpenSSH 3.3.0 and later 444# DenyGroups : OpenSSH 1.2.1 and later 445# DenyUsers : OpenSSH 1.2.1 and later 446# ForceCommand : OpenSSH 4.4.0 and later [3] 447# GatewayPorts : OpenSSH 2.1.0 and later 448# GSSAPIAuthentication : OpenSSH 3.7.0 and later [1] 449# GSSAPICleanupCredentials : OpenSSH 3.8.0 and later [1] 450# GSSAPIKeyExchange : SunSSH 1.0.0 and later [1] 451# GSSAPIStoreDelegatedCredentials : SunSSH 1.0.0 and later [1] 452# GSSCleanupCreds : SunSSH 1.0.0 and later [1] 453# GSSUseSessionCredCache : SunSSH 1.0.0 and later [1] 454# HostbasedAuthentication : OpenSSH 2.9.0 and later 455# HostbasedUsesNameFromPacketOnly : OpenSSH 2.9.0 and later 456# HostKey : OpenSSH 1.2.1 and later 457# IgnoreRhosts : OpenSSH 1.2.1 and later 458# IgnoreUserKnownHosts : OpenSSH 1.2.1 and later 459# KbdInteractiveAuthentication : OpenSSH 2.3.0 and later 460# KeepAlive : OpenSSH 1.2.1 and later 461# KerberosAuthentication : OpenSSH 1.2.1 and later [1] 462# KerberosGetAFSToken : OpenSSH 3.8.0 and later [1] 463# KerberosOrLocalPasswd : OpenSSH 1.2.1 and later [1] 464# KerberosTgtPassing : OpenSSH 1.2.1 and later [1] 465# KerberosTicketCleanup : OpenSSH 1.2.1 and later [1] 466# KeyRegenerationInterval : OpenSSH 1.2.1 and later 467# ListenAddress : OpenSSH 1.2.1 and later 468# LoginGraceTime : OpenSSH 1.2.1 and later 469# LogLevel : OpenSSH 1.2.1 and later 470# LookupClientHostnames : SunSSH 1.0.0 and later 471# MACs : OpenSSH 2.5.0 and later [3] 472# Match : OpenSSH 4.4.0 and later [3] 473# MaxAuthTries : OpenSSH 3.9.0 and later 474# MaxStartups : OpenSSH 2.2.0 and later 475# PAMAuthenticationViaKbdInt : OpenSSH 2.9.0 and later [2] 476# PasswordAuthentication : OpenSSH 1.2.1 and later 477# PermitEmptyPasswords : OpenSSH 1.2.1 and later 478# PermitOpen : OpenSSH 4.4.0 and later [3] 479# PermitRootLogin : OpenSSH 1.2.1 and later 480# PermitTunnel : OpenSSH 4.3.0 and later 481# PermitUserEnvironment : OpenSSH 3.5.0 and later 482# PidFile : OpenSSH 2.1.0 and later 483# Port : OpenSSH 1.2.1 and later 484# PrintLastLog : OpenSSH 2.9.0 and later 485# PrintMotd : OpenSSH 1.2.1 and later 486# Protocol : OpenSSH 2.1.0 and later 487# PubkeyAuthentication : OpenSSH 2.5.0 and later 488# RhostsAuthentication : OpenSSH 1.2.1 and later 489# RhostsRSAAuthentication : OpenSSH 1.2.1 and later 490# RSAAuthentication : OpenSSH 1.2.1 and later 491# ServerKeyBits : OpenSSH 1.2.1 and later 492# SkeyAuthentication : OpenSSH 1.2.1 and later [1] 493# StrictModes : OpenSSH 1.2.1 and later 494# Subsystem : OpenSSH 2.2.0 and later 495# SyslogFacility : OpenSSH 1.2.1 and later 496# TCPKeepAlive : OpenSSH 3.8.0 and later 497# UseDNS : OpenSSH 3.7.0 and later 498# UseLogin : OpenSSH 1.2.1 and later 499# UsePAM : OpenSSH 3.7.0 and later [1][2] 500# UsePrivilegeSeparation : OpenSSH 3.2.2 and later 501# VerifyReverseMapping : OpenSSH 3.1.0 and later 502# X11DisplayOffset : OpenSSH 1.2.1 and later [3] 503# X11Forwarding : OpenSSH 1.2.1 and later 504# X11UseLocalhost : OpenSSH 3.1.0 and later 505# XAuthLocation : OpenSSH 2.1.1 and later [3] 506# 507# [1] Option only available if activated at compile time 508# [2] Option specific for portable versions 509# [3] Option not used in our ssh server config file 510 511 512#*************************************************************************** 513# Initialize sshd config with options actually supported in OpenSSH 2.9.9 514# 515logmsg 'generating ssh server config file...' if($verbose); 516@cfgarr = (); 517push @cfgarr, '# This is a generated file. Do not edit.'; 518push @cfgarr, "# $sshdverstr sshd configuration file for curl testing"; 519push @cfgarr, '#'; 520 521# AllowUsers and DenyUsers options should use lowercase on Windows 522# and do not support quotes around values for some unknown reason. 523if ($sshdid =~ /OpenSSH-Windows/) { 524 my $username_lc = lc $username; 525 push @cfgarr, "DenyUsers !$username_lc"; 526 push @cfgarr, "AllowUsers $username_lc"; 527} else { 528 push @cfgarr, "DenyUsers !$username"; 529 push @cfgarr, "AllowUsers $username"; 530} 531 532push @cfgarr, 'DenyGroups'; 533push @cfgarr, 'AllowGroups'; 534push @cfgarr, '#'; 535push @cfgarr, "AuthorizedKeysFile $clipubkeyf_config"; 536push @cfgarr, "AuthorizedKeysFile2 $clipubkeyf_config"; 537push @cfgarr, "HostKey $hstprvkeyf_config"; 538if ($sshdid !~ /OpenSSH-Windows/) { 539 push @cfgarr, "PidFile $pidfile_config"; 540} 541push @cfgarr, '#'; 542push @cfgarr, "Port $port"; 543push @cfgarr, "ListenAddress $listenaddr"; 544push @cfgarr, 'Protocol 2'; 545push @cfgarr, '#'; 546push @cfgarr, 'AllowTcpForwarding yes'; 547push @cfgarr, 'Banner none'; 548push @cfgarr, 'ChallengeResponseAuthentication no'; 549push @cfgarr, 'ClientAliveCountMax 3'; 550push @cfgarr, 'ClientAliveInterval 0'; 551push @cfgarr, 'GatewayPorts no'; 552push @cfgarr, 'HostbasedAuthentication no'; 553push @cfgarr, 'HostbasedUsesNameFromPacketOnly no'; 554push @cfgarr, 'IgnoreRhosts yes'; 555push @cfgarr, 'IgnoreUserKnownHosts yes'; 556push @cfgarr, 'KeyRegenerationInterval 0'; 557push @cfgarr, 'LoginGraceTime 30'; 558push @cfgarr, "LogLevel $loglevel"; 559push @cfgarr, 'MaxStartups 5'; 560push @cfgarr, 'PasswordAuthentication no'; 561push @cfgarr, 'PermitEmptyPasswords no'; 562push @cfgarr, 'PermitRootLogin no'; 563push @cfgarr, 'PrintLastLog no'; 564push @cfgarr, 'PrintMotd no'; 565push @cfgarr, 'PubkeyAuthentication yes'; 566push @cfgarr, 'RhostsRSAAuthentication no'; 567push @cfgarr, 'RSAAuthentication no'; 568push @cfgarr, 'ServerKeyBits 768'; 569push @cfgarr, 'StrictModes no'; 570push @cfgarr, "Subsystem sftp \"$sftpsrv_config\""; 571push @cfgarr, 'SyslogFacility AUTH'; 572push @cfgarr, 'UseLogin no'; 573push @cfgarr, 'X11Forwarding no'; 574push @cfgarr, '#'; 575 576 577#*************************************************************************** 578# Write out initial sshd configuration file for curl's tests 579# 580$error = dump_array($sshdconfig, @cfgarr); 581if($error) { 582 logmsg $error; 583 exit 1; 584} 585 586 587#*************************************************************************** 588# Verifies at run time if sshd supports a given configuration file option 589# 590sub sshd_supports_opt { 591 my ($option, $value) = @_; 592 my $err; 593 # 594 if((($sshdid =~ /OpenSSH/) && ($sshdvernum >= 310)) || 595 ($sshdid =~ /SunSSH/)) { 596 # ssh daemon supports command line options -t -f and -o 597 $err = grep /((Unsupported)|(Bad configuration)|(Deprecated)) option.*$option/, 598 qx("$sshd" -t -f $sshdconfig -o "$option=$value" 2>&1); 599 return !$err; 600 } 601 if(($sshdid =~ /OpenSSH/) && ($sshdvernum >= 299)) { 602 # ssh daemon supports command line options -t and -f 603 $err = dump_array($sshdconfig, (@cfgarr, "$option $value")); 604 if($err) { 605 logmsg $err; 606 return 0; 607 } 608 $err = grep /((Unsupported)|(Bad configuration)|(Deprecated)) option.*$option/, 609 qx("$sshd" -t -f $sshdconfig 2>&1); 610 unlink $sshdconfig; 611 return !$err; 612 } 613 return 0; 614} 615 616 617#*************************************************************************** 618# Kerberos Authentication support may have not been built into sshd 619# 620if(sshd_supports_opt('KerberosAuthentication','no')) { 621 push @cfgarr, 'KerberosAuthentication no'; 622} 623if(sshd_supports_opt('KerberosGetAFSToken','no')) { 624 push @cfgarr, 'KerberosGetAFSToken no'; 625} 626if(sshd_supports_opt('KerberosOrLocalPasswd','no')) { 627 push @cfgarr, 'KerberosOrLocalPasswd no'; 628} 629if(sshd_supports_opt('KerberosTgtPassing','no')) { 630 push @cfgarr, 'KerberosTgtPassing no'; 631} 632if(sshd_supports_opt('KerberosTicketCleanup','yes')) { 633 push @cfgarr, 'KerberosTicketCleanup yes'; 634} 635 636 637#*************************************************************************** 638# Andrew File System support may have not been built into sshd 639# 640if(sshd_supports_opt('AFSTokenPassing','no')) { 641 push @cfgarr, 'AFSTokenPassing no'; 642} 643 644 645#*************************************************************************** 646# S/Key authentication support may have not been built into sshd 647# 648if(sshd_supports_opt('SkeyAuthentication','no')) { 649 push @cfgarr, 'SkeyAuthentication no'; 650} 651 652 653#*************************************************************************** 654# GSSAPI Authentication support may have not been built into sshd 655# 656my $sshd_builtwith_GSSAPI; 657if(sshd_supports_opt('GSSAPIAuthentication','no')) { 658 push @cfgarr, 'GSSAPIAuthentication no'; 659 $sshd_builtwith_GSSAPI = 1; 660} 661if(sshd_supports_opt('GSSAPICleanupCredentials','yes')) { 662 push @cfgarr, 'GSSAPICleanupCredentials yes'; 663} 664if(sshd_supports_opt('GSSAPIKeyExchange','no')) { 665 push @cfgarr, 'GSSAPIKeyExchange no'; 666} 667if(sshd_supports_opt('GSSAPIStoreDelegatedCredentials','no')) { 668 push @cfgarr, 'GSSAPIStoreDelegatedCredentials no'; 669} 670if(sshd_supports_opt('GSSCleanupCreds','yes')) { 671 push @cfgarr, 'GSSCleanupCreds yes'; 672} 673if(sshd_supports_opt('GSSUseSessionCredCache','no')) { 674 push @cfgarr, 'GSSUseSessionCredCache no'; 675} 676push @cfgarr, '#'; 677 678 679#*************************************************************************** 680# Options that might be supported or not in sshd OpenSSH 2.9.9 and later 681# 682if(sshd_supports_opt('AcceptEnv','')) { 683 push @cfgarr, 'AcceptEnv'; 684} 685if(sshd_supports_opt('AddressFamily','any')) { 686 # Address family must be specified before ListenAddress 687 splice @cfgarr, 14, 0, 'AddressFamily any'; 688} 689if(sshd_supports_opt('Compression','no')) { 690 push @cfgarr, 'Compression no'; 691} 692if(sshd_supports_opt('KbdInteractiveAuthentication','no')) { 693 push @cfgarr, 'KbdInteractiveAuthentication no'; 694} 695if(sshd_supports_opt('KeepAlive','no')) { 696 push @cfgarr, 'KeepAlive no'; 697} 698if(sshd_supports_opt('LookupClientHostnames','no')) { 699 push @cfgarr, 'LookupClientHostnames no'; 700} 701if(sshd_supports_opt('MaxAuthTries','10')) { 702 push @cfgarr, 'MaxAuthTries 10'; 703} 704if(sshd_supports_opt('PAMAuthenticationViaKbdInt','no')) { 705 push @cfgarr, 'PAMAuthenticationViaKbdInt no'; 706} 707if(sshd_supports_opt('PermitTunnel','no')) { 708 push @cfgarr, 'PermitTunnel no'; 709} 710if(sshd_supports_opt('PermitUserEnvironment','no')) { 711 push @cfgarr, 'PermitUserEnvironment no'; 712} 713if(sshd_supports_opt('RhostsAuthentication','no')) { 714 push @cfgarr, 'RhostsAuthentication no'; 715} 716if(sshd_supports_opt('TCPKeepAlive','no')) { 717 push @cfgarr, 'TCPKeepAlive no'; 718} 719if(sshd_supports_opt('UseDNS','no')) { 720 push @cfgarr, 'UseDNS no'; 721} 722if(sshd_supports_opt('UsePAM','no')) { 723 push @cfgarr, 'UsePAM no'; 724} 725 726if($sshdid =~ /OpenSSH/) { 727 # http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6492415 728 if(sshd_supports_opt('UsePrivilegeSeparation','no')) { 729 push @cfgarr, 'UsePrivilegeSeparation no'; 730 } 731} 732 733if(sshd_supports_opt('VerifyReverseMapping','no')) { 734 push @cfgarr, 'VerifyReverseMapping no'; 735} 736if(sshd_supports_opt('X11UseLocalhost','yes')) { 737 push @cfgarr, 'X11UseLocalhost yes'; 738} 739push @cfgarr, '#'; 740 741 742#*************************************************************************** 743# Write out resulting sshd configuration file for curl's tests 744# 745$error = dump_array($sshdconfig, @cfgarr); 746if($error) { 747 logmsg $error; 748 exit 1; 749} 750 751 752#*************************************************************************** 753# Verify that sshd actually supports our generated configuration file 754# 755if(system "\"$sshd\" -t -f $sshdconfig > $sshdlog 2>&1") { 756 logmsg "sshd configuration file $sshdconfig failed verification"; 757 display_sshdlog(); 758 display_sshdconfig(); 759 exit 1; 760} 761 762 763#*************************************************************************** 764# Generate ssh client host key database file for curl's tests 765# 766if((! -e $knownhosts) || (! -s $knownhosts)) { 767 logmsg 'generating ssh client known hosts file...' if($verbose); 768 unlink($knownhosts); 769 if(open(RSAKEYFILE, "<$hstpubkeyf")) { 770 my @rsahostkey = do { local $/ = ' '; <RSAKEYFILE> }; 771 if(close(RSAKEYFILE)) { 772 if(open(KNOWNHOSTS, ">$knownhosts")) { 773 print KNOWNHOSTS "$listenaddr ssh-rsa $rsahostkey[1]\n"; 774 if(!close(KNOWNHOSTS)) { 775 $error = "Error: cannot close file $knownhosts"; 776 } 777 } 778 else { 779 $error = "Error: cannot write file $knownhosts"; 780 } 781 } 782 else { 783 $error = "Error: cannot close file $hstpubkeyf"; 784 } 785 } 786 else { 787 $error = "Error: cannot read file $hstpubkeyf"; 788 } 789 if($error) { 790 logmsg $error; 791 exit 1; 792 } 793} 794 795 796#*************************************************************************** 797# Convert paths for curl's tests running on Windows using Cygwin OpenSSH 798# 799my $identity_config = abs_path("$path/$identity"); 800my $knownhosts_config = abs_path("$path/$knownhosts"); 801 802if (pathhelp::os_is_win()) { 803 # Ensure to use MinGW/Cygwin paths 804 $identity_config = pathhelp::build_sys_abs_path($identity_config); 805 $knownhosts_config = pathhelp::build_sys_abs_path($knownhosts_config); 806} 807if ($sshdid =~ /OpenSSH-Windows/) { 808 # Ensure to use native Windows paths with OpenSSH for Windows 809 $identity_config = pathhelp::sys_native_abs_path($identity); 810 $knownhosts_config = pathhelp::sys_native_abs_path($knownhosts); 811} 812 813#*************************************************************************** 814# ssh client configuration file options we might use and version support 815# 816# AddressFamily : OpenSSH 3.7.0 and later 817# BatchMode : OpenSSH 1.2.1 and later 818# BindAddress : OpenSSH 2.9.9 and later 819# ChallengeResponseAuthentication : OpenSSH 2.5.0 and later 820# CheckHostIP : OpenSSH 1.2.1 and later 821# Cipher : OpenSSH 1.2.1 and later [3] 822# Ciphers : OpenSSH 2.1.0 and later [3] 823# ClearAllForwardings : OpenSSH 2.9.9 and later 824# Compression : OpenSSH 1.2.1 and later 825# CompressionLevel : OpenSSH 1.2.1 and later [3] 826# ConnectionAttempts : OpenSSH 1.2.1 and later 827# ConnectTimeout : OpenSSH 3.7.0 and later 828# ControlMaster : OpenSSH 3.9.0 and later 829# ControlPath : OpenSSH 3.9.0 and later 830# DisableBanner : SunSSH 1.2.0 and later 831# DynamicForward : OpenSSH 2.9.0 and later 832# EnableSSHKeysign : OpenSSH 3.6.0 and later 833# EscapeChar : OpenSSH 1.2.1 and later [3] 834# ExitOnForwardFailure : OpenSSH 4.4.0 and later 835# ForwardAgent : OpenSSH 1.2.1 and later 836# ForwardX11 : OpenSSH 1.2.1 and later 837# ForwardX11Trusted : OpenSSH 3.8.0 and later 838# GatewayPorts : OpenSSH 1.2.1 and later 839# GlobalKnownHostsFile : OpenSSH 1.2.1 and later 840# GSSAPIAuthentication : OpenSSH 3.7.0 and later [1] 841# GSSAPIDelegateCredentials : OpenSSH 3.7.0 and later [1] 842# HashKnownHosts : OpenSSH 4.0.0 and later 843# Host : OpenSSH 1.2.1 and later 844# HostbasedAuthentication : OpenSSH 2.9.0 and later 845# HostKeyAlgorithms : OpenSSH 2.9.0 and later [3] 846# HostKeyAlias : OpenSSH 2.5.0 and later [3] 847# HostName : OpenSSH 1.2.1 and later 848# IdentitiesOnly : OpenSSH 3.9.0 and later 849# IdentityFile : OpenSSH 1.2.1 and later 850# IgnoreIfUnknown : SunSSH 1.2.0 and later 851# KeepAlive : OpenSSH 1.2.1 and later 852# KbdInteractiveAuthentication : OpenSSH 2.3.0 and later 853# KbdInteractiveDevices : OpenSSH 2.3.0 and later [3] 854# LocalCommand : OpenSSH 4.3.0 and later [3] 855# LocalForward : OpenSSH 1.2.1 and later [3] 856# LogLevel : OpenSSH 1.2.1 and later 857# MACs : OpenSSH 2.5.0 and later [3] 858# NoHostAuthenticationForLocalhost : OpenSSH 3.0.0 and later 859# NumberOfPasswordPrompts : OpenSSH 1.2.1 and later 860# PasswordAuthentication : OpenSSH 1.2.1 and later 861# PermitLocalCommand : OpenSSH 4.3.0 and later 862# Port : OpenSSH 1.2.1 and later 863# PreferredAuthentications : OpenSSH 2.5.2 and later 864# Protocol : OpenSSH 2.1.0 and later 865# ProxyCommand : OpenSSH 1.2.1 and later [3] 866# PubkeyAuthentication : OpenSSH 2.5.0 and later 867# RekeyLimit : OpenSSH 3.7.0 and later 868# RemoteForward : OpenSSH 1.2.1 and later [3] 869# RhostsRSAAuthentication : OpenSSH 1.2.1 and later 870# RSAAuthentication : OpenSSH 1.2.1 and later 871# SendEnv : OpenSSH 3.9.0 and later 872# ServerAliveCountMax : OpenSSH 3.8.0 and later 873# ServerAliveInterval : OpenSSH 3.8.0 and later 874# SmartcardDevice : OpenSSH 2.9.9 and later [1][3] 875# StrictHostKeyChecking : OpenSSH 1.2.1 and later 876# TCPKeepAlive : OpenSSH 3.8.0 and later 877# Tunnel : OpenSSH 4.3.0 and later 878# TunnelDevice : OpenSSH 4.3.0 and later [3] 879# UsePAM : OpenSSH 3.7.0 and later [1][2][3] 880# UsePrivilegedPort : OpenSSH 1.2.1 and later 881# User : OpenSSH 1.2.1 and later 882# UserKnownHostsFile : OpenSSH 1.2.1 and later 883# VerifyHostKeyDNS : OpenSSH 3.8.0 and later 884# XAuthLocation : OpenSSH 2.1.1 and later [3] 885# 886# [1] Option only available if activated at compile time 887# [2] Option specific for portable versions 888# [3] Option not used in our ssh client config file 889 890 891#*************************************************************************** 892# Initialize ssh config with options actually supported in OpenSSH 2.9.9 893# 894logmsg 'generating ssh client config file...' if($verbose); 895@cfgarr = (); 896push @cfgarr, '# This is a generated file. Do not edit.'; 897push @cfgarr, "# $sshverstr ssh client configuration file for curl testing"; 898push @cfgarr, '#'; 899push @cfgarr, 'Host *'; 900push @cfgarr, '#'; 901push @cfgarr, "Port $port"; 902push @cfgarr, "HostName $listenaddr"; 903push @cfgarr, "User $username"; 904push @cfgarr, 'Protocol 2'; 905push @cfgarr, '#'; 906 907# BindAddress option is not supported by OpenSSH for Windows 908if (!($sshdid =~ /OpenSSH-Windows/)) { 909 push @cfgarr, "BindAddress $listenaddr"; 910} 911 912push @cfgarr, '#'; 913push @cfgarr, "IdentityFile $identity_config"; 914push @cfgarr, "UserKnownHostsFile $knownhosts_config"; 915push @cfgarr, '#'; 916push @cfgarr, 'BatchMode yes'; 917push @cfgarr, 'ChallengeResponseAuthentication no'; 918push @cfgarr, 'CheckHostIP no'; 919push @cfgarr, 'ClearAllForwardings no'; 920push @cfgarr, 'Compression no'; 921push @cfgarr, 'ConnectionAttempts 3'; 922push @cfgarr, 'ForwardAgent no'; 923push @cfgarr, 'ForwardX11 no'; 924push @cfgarr, 'GatewayPorts no'; 925push @cfgarr, 'GlobalKnownHostsFile /dev/null'; 926push @cfgarr, 'HostbasedAuthentication no'; 927push @cfgarr, 'KbdInteractiveAuthentication no'; 928push @cfgarr, "LogLevel $loglevel"; 929push @cfgarr, 'NumberOfPasswordPrompts 0'; 930push @cfgarr, 'PasswordAuthentication no'; 931push @cfgarr, 'PreferredAuthentications publickey'; 932push @cfgarr, 'PubkeyAuthentication yes'; 933 934# RSA authentication options are not supported by OpenSSH for Windows 935if (!($sshdid =~ /OpenSSH-Windows/)) { 936 push @cfgarr, 'RhostsRSAAuthentication no'; 937 push @cfgarr, 'RSAAuthentication no'; 938} 939 940# Disabled StrictHostKeyChecking since it makes the tests fail on my 941# OpenSSH_6.0p1 on Debian Linux / Daniel 942push @cfgarr, 'StrictHostKeyChecking no'; 943push @cfgarr, 'UsePrivilegedPort no'; 944push @cfgarr, '#'; 945 946 947#*************************************************************************** 948# Options supported in ssh client newer than OpenSSH 2.9.9 949# 950 951if(($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) { 952 push @cfgarr, 'AddressFamily any'; 953} 954 955if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) || 956 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) { 957 push @cfgarr, 'ConnectTimeout 30'; 958} 959 960if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) { 961 push @cfgarr, 'ControlMaster no'; 962} 963 964if(($sshid =~ /OpenSSH/) && ($sshvernum >= 420)) { 965 push @cfgarr, 'ControlPath none'; 966} 967 968if(($sshid =~ /SunSSH/) && ($sshvernum >= 120)) { 969 push @cfgarr, 'DisableBanner yes'; 970} 971 972if(($sshid =~ /OpenSSH/) && ($sshvernum >= 360)) { 973 push @cfgarr, 'EnableSSHKeysign no'; 974} 975 976if(($sshid =~ /OpenSSH/) && ($sshvernum >= 440)) { 977 push @cfgarr, 'ExitOnForwardFailure yes'; 978} 979 980if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) || 981 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) { 982 push @cfgarr, 'ForwardX11Trusted no'; 983} 984 985if(($sshd_builtwith_GSSAPI) && ($sshdid eq $sshid) && 986 ($sshdvernum == $sshvernum)) { 987 push @cfgarr, 'GSSAPIAuthentication no'; 988 push @cfgarr, 'GSSAPIDelegateCredentials no'; 989 if($sshid =~ /SunSSH/) { 990 push @cfgarr, 'GSSAPIKeyExchange no'; 991 } 992} 993 994if((($sshid =~ /OpenSSH/) && ($sshvernum >= 400)) || 995 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) { 996 push @cfgarr, 'HashKnownHosts no'; 997} 998 999if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) { 1000 push @cfgarr, 'IdentitiesOnly yes'; 1001} 1002 1003if(($sshid =~ /SunSSH/) && ($sshvernum >= 120)) { 1004 push @cfgarr, 'IgnoreIfUnknown no'; 1005} 1006 1007if((($sshid =~ /OpenSSH/) && ($sshvernum < 380)) || 1008 ($sshid =~ /SunSSH/)) { 1009 push @cfgarr, 'KeepAlive no'; 1010} 1011 1012if((($sshid =~ /OpenSSH/) && ($sshvernum >= 300)) || 1013 ($sshid =~ /SunSSH/)) { 1014 push @cfgarr, 'NoHostAuthenticationForLocalhost no'; 1015} 1016 1017if(($sshid =~ /OpenSSH/) && ($sshvernum >= 430)) { 1018 push @cfgarr, 'PermitLocalCommand no'; 1019} 1020 1021if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) || 1022 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) { 1023 push @cfgarr, 'RekeyLimit 1G'; 1024} 1025 1026if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) { 1027 push @cfgarr, 'SendEnv'; 1028} 1029 1030if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) || 1031 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) { 1032 push @cfgarr, 'ServerAliveCountMax 3'; 1033 push @cfgarr, 'ServerAliveInterval 0'; 1034} 1035 1036if(($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) { 1037 push @cfgarr, 'TCPKeepAlive no'; 1038} 1039 1040if(($sshid =~ /OpenSSH/) && ($sshvernum >= 430)) { 1041 push @cfgarr, 'Tunnel no'; 1042} 1043 1044if(($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) { 1045 push @cfgarr, 'VerifyHostKeyDNS no'; 1046} 1047 1048push @cfgarr, '#'; 1049 1050 1051#*************************************************************************** 1052# Write out resulting ssh client configuration file for curl's tests 1053# 1054$error = dump_array($sshconfig, @cfgarr); 1055if($error) { 1056 logmsg $error; 1057 exit 1; 1058} 1059 1060 1061#*************************************************************************** 1062# Initialize client sftp config with options actually supported. 1063# 1064logmsg 'generating sftp client config file...' if($verbose); 1065splice @cfgarr, 1, 1, "# $sshverstr sftp client configuration file for curl testing"; 1066# 1067for(my $i = scalar(@cfgarr) - 1; $i > 0; $i--) { 1068 if($cfgarr[$i] =~ /^DynamicForward/) { 1069 splice @cfgarr, $i, 1; 1070 next; 1071 } 1072 if($cfgarr[$i] =~ /^ClearAllForwardings/) { 1073 splice @cfgarr, $i, 1, "ClearAllForwardings yes"; 1074 next; 1075 } 1076} 1077 1078 1079#*************************************************************************** 1080# Write out resulting sftp client configuration file for curl's tests 1081# 1082$error = dump_array($sftpconfig, @cfgarr); 1083if($error) { 1084 logmsg $error; 1085 exit 1; 1086} 1087@cfgarr = (); 1088 1089 1090#*************************************************************************** 1091# Generate client sftp commands batch file for sftp server verification 1092# 1093logmsg 'generating sftp client commands file...' if($verbose); 1094push @cfgarr, 'pwd'; 1095push @cfgarr, 'quit'; 1096$error = dump_array($sftpcmds, @cfgarr); 1097if($error) { 1098 logmsg $error; 1099 exit 1; 1100} 1101@cfgarr = (); 1102 1103#*************************************************************************** 1104# Prepare command line of ssh server daemon 1105# 1106my $cmd = "\"$sshd\" -e -D -f $sshdconfig > $sshdlog 2>&1"; 1107logmsg "SCP/SFTP server listening on port $port" if($verbose); 1108logmsg "RUN: $cmd" if($verbose); 1109 1110#*************************************************************************** 1111# Start the ssh server daemon on Windows without forking it 1112# 1113if ($sshdid =~ /OpenSSH-Windows/) { 1114 # Fake pidfile for ssh server on Windows. 1115 if(open(OUT, ">$pidfile")) { 1116 print OUT $$ . "\n"; 1117 close(OUT); 1118 } 1119 1120 # Put an "exec" in front of the command so that the child process 1121 # keeps this child's process ID by being tied to the spawned shell. 1122 exec("exec $cmd") || die "Can't exec() $cmd: $!"; 1123 # exec() will create a new process, but ties the existence of the 1124 # new process to the parent waiting perl.exe and sh.exe processes. 1125 1126 # exec() should never return back here to this process. We protect 1127 # ourselves by calling die() just in case something goes really bad. 1128 die "error: exec() has returned"; 1129} 1130 1131#*************************************************************************** 1132# Start the ssh server daemon without forking it 1133# 1134my $rc = system($cmd); 1135if($rc == -1) { 1136 logmsg "\"$sshd\" failed with: $!"; 1137} 1138elsif($rc & 127) { 1139 logmsg sprintf("\"$sshd\" died with signal %d, and %s coredump", 1140 ($rc & 127), ($rc & 128)?'a':'no'); 1141} 1142elsif($verbose && ($rc >> 8)) { 1143 logmsg sprintf("\"$sshd\" exited with %d", $rc >> 8); 1144} 1145 1146 1147#*************************************************************************** 1148# Clean up once the server has stopped 1149# 1150unlink($hstprvkeyf, $hstpubkeyf, $hstpubmd5f, 1151 $cliprvkeyf, $clipubkeyf, $knownhosts, 1152 $sshdconfig, $sshconfig, $sftpconfig); 1153 1154exit 0; 1155